Security Tip: Disallowing Functions with PHPStan!

[Tip #94] Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions!

In the last Security Tip, we looked at the Pest Security Preset, which defines a set of security related expectations for your application to follow - at the moment this means preventing insecure functions, such as md5, from being used in your code.

After sending out that email, Shane Niebergall (one of my wonderful subscribers) reached out to let me know that the same behaviour can be implemented in PHPStan, using extensions. Shane pointed me towards the Disallowed calls for PHPStan extension, which has a bunch of rules that make it easy to check for insecure functions you don't wish to allow in your apps.

💡
The Disallowed calls for PHPStan was built by Michal Špaček, who does lots of awesome things in the PHP Security space. For example, if you're interested in cryptography and hash "collisions", check out his Magic Hashes repo.

To test out the PHPStan extension, I installed it on Chirped, the vulnerable app I was using in my Pentesting Laravel series, and configured it with all of the options.

composer require --dev spaze/phpstan-disallowed-calls

parameters:
    customRulesetUsed: true
includes:
    - vendor/spaze/phpstan-disallowed-calls/extension.neon
    - vendor/spaze/phpstan-disallowed-calls/disallowed-dangerous-calls.neon
    - vendor/spaze/phpstan-disallowed-calls/disallowed-execution-calls.neon
    - vendor/spaze/phpstan-disallowed-calls/disallowed-loose-calls.neon
    - vendor/spaze/phpstan-disallowed-calls/disallowed-insecure-calls.neon

phpstan.neon

$ ./vendor/bin/phpstan analyse app/
Note: Using configuration file /home/valorin/dev/chirped/phpstan.neon.
 25/25 [..........] 100%

 ------ -------------------------------
  Line   Models/User.php
 ------ -------------------------------
  56     Calling rand() is forbidden, it is not a cryptographically secure generator, use random_int() instead.
 ------ -------------------------------

 [ERROR] Found 1 error
 

Output running phpstan using the extension, showing 1 error.

As we would expect, it's flagging the use of the rand() function, which is insecure and should not be used. 👍

Check out the repo for the full details on how to configure it, as it appears to be quite customisable.
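As an added example (not from the original post, and not one of the extension's bundled rule files), this is what a custom rule set in phpstan.neon looks like if you want your own messages, or want to flag functions the bundled lists don't cover: each entry names a function and the replacement to point developers at. The app/Legacy/*.php path under allowIn is a hypothetical exception for code that has not been migrated yet.

```neon
# Added example: custom rules for spaze/phpstan-disallowed-calls.
# Goes in phpstan.neon next to the includes shown above; the bundled
# .neon files can stay included, these entries only add to them.
parameters:
    disallowedFunctionCalls:
        -
            function: 'md5()'
            message: 'weak hash, use hash() with sha256 or password_hash() for passwords'
        -
            function: 'sha1()'
            message: 'weak hash, use hash() with sha256 or password_hash() for passwords'
        -
            function: 'rand()'
            message: 'not a cryptographically secure generator, use random_int() instead'
        -
            function: 'mt_rand()'
            message: 'not a cryptographically secure generator, use random_int() instead'
        -
            function: 'uniqid()'
            message: 'predictable, use random_bytes() or Str::random() for tokens'
            # Hypothetical: legacy code that has not been migrated yet may still call it.
            allowIn:
                - app/Legacy/*.php
```

Run ./vendor/bin/phpstan analyse app/ as in the output above and every call outside the allowed paths is reported with the message you wrote.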

So if you're not a Pest user, but you do use PHPStan, then you can enable these checks on your codebase too!


Found this security tip helpful? Don't forget to subscribe to receive new Security Tips each week, and upgrade to a premium subscription to receive monthly In Depth articles, or toss a coin in the tip jar.

Reach out if you're looking for a Laravel Security Audit and Penetration Test or a budget-friendly Security Review, and find me on the various socials through Pinkary. Finally, don't forget to check out Practical Laravel Security, my interactive security course.