Security Tip: Pest's Security Preset & Strict Equality

[Tip #93] Test suites aren't just for raw code expectations, it turns out you can also use them to encourage secure coding practices!

Most Laravel developers will have heard of Pest, a testing framework built on top of PHPUnit that provides a fluent API plus a number of extra features and test types beyond the basic test-and-expectation flow we're traditionally used to.

One of the cool aspects of Pest is being able to set expectations about code architecture: rules that ensure your code is built in a specific way to keep it consistent and maintainable, and that can also flag common weaknesses and potentially vulnerable code before it reaches production.

Security Preset

My favourite Pest feature is the Security Preset, which defines a set of security related expectations your application needs to follow.

Using the preset is trivial:

arch()->preset()->security();

At the time of writing, the preset blocks a number of insecure functions from being used in your application:

$this->expectations[] = expect([
    'md5',
    'sha1',
    'uniqid',
    'rand',
    'mt_rand',
    'tempnam',
    'str_shuffle',
    'shuffle',
    'array_rand',
    'eval',
    'exec',
    'shell_exec',
    'system',
    'passthru',
    'create_function',
    'unserialize',
    'extract',
    'parse_str',
    'mb_parse_str',
    'dl',
    'assert',
])->not->toBeUsed();

https://github.com/pestphp/pest/blob/3.x/src/ArchPresets/Security.php

This list should look familiar: these are the functions I flag all the time during security audits. Enabling the preset forces you to use proper password hashing (password_hash()) and secure randomness (random_int(), random_bytes()), which is always a good thing, and nudges you towards safer wrappers around commands (argument arrays rather than interpolated shell strings) and data encoding (json_decode() rather than unserialize()), which should help you avoid bigger issues such as command injection and PHP object injection.
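As an added example (not from the original post or from Pest's source), here is what the preset pushes you towards in practice: for each family of blocked functions, the call that would trip the preset appears in a comment beside a replacement that passes it. The helper names are this example's own, and the command example assumes symfony/process is installed (Laravel ships with it).

```php
<?php

declare(strict_types=1);

use Symfony\Component\Process\Process;

// Hashing: md5()/sha1() trip the preset. Passwords get password_hash(),
// everything else that needs a digest gets hash() with a modern algorithm.
function hashPassword(string $password): string
{
    // Blocked: md5($password), sha1($password)
    return password_hash($password, PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

function contentDigest(string $content): string
{
    // Blocked: md5($content), sha1($content)
    return hash('sha256', $content);
}

// Randomness: rand(), mt_rand(), uniqid(), str_shuffle(), array_rand() and
// shuffle() are predictable; random_int() and random_bytes() use the CSPRNG.
function generateToken(int $bytes = 32): string
{
    // Blocked: uniqid('', true), md5((string) mt_rand())
    return bin2hex(random_bytes($bytes));
}

function pickRandomItem(array $items): mixed
{
    // Blocked: $items[array_rand($items)], $items[mt_rand(0, count($items) - 1)]
    $values = array_values($items);

    return $values[random_int(0, count($values) - 1)];
}

function secureShuffle(array $items): array
{
    // Blocked: shuffle($items). Fisher-Yates driven by random_int() instead.
    $values = array_values($items);
    for ($i = count($values) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$values[$i], $values[$j]] = [$values[$j], $values[$i]];
    }

    return $values;
}

// Deserialisation: unserialize() on untrusted input allows PHP object injection.
function decodePayload(string $payload): array
{
    // Blocked: unserialize($payload)
    $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    if (! is_array($data)) {
        throw new InvalidArgumentException('Expected a JSON object or array.');
    }

    return $data;
}

// Variable injection: extract() and parse_str() write caller-controlled names
// into the current scope. Read the keys you actually need instead.
function displayName(array $row): string
{
    // Blocked: extract($row); return "$first $last";
    return trim(($row['first'] ?? '') . ' ' . ($row['last'] ?? ''));
}

// Command execution: exec()/shell_exec()/system()/passthru() hand a string to
// a shell, so any interpolated value is injectable. Symfony Process takes an
// argument array and runs the binary directly, with no shell in between.
function gitHead(string $repoPath): string
{
    // Blocked: shell_exec("git -C $repoPath rev-parse HEAD")
    $process = new Process(['git', '-C', $repoPath, 'rev-parse', 'HEAD']);
    $process->mustRun();

    return trim($process->getOutput());
}
```

None of these replacements is exotic; the point of the preset is that the test suite now fails the moment someone reaches for the convenient function instead of the safe one, rather than an auditor finding it months later.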

While you're at it, check out the PHP Preset, which blocks the use of debugging and deprecated functions. Debugging functions such as var_dump() have security implications of their own (a forgotten call can dump request data, credentials or internal state straight into a response), so it's worth preventing their use too.

🤓
Pest's Security Preset was added to Pest by Clara Leigh.

Strict Equality

Alongside the presets, you can also set general expectations, such as toUseStrictEquality(), which prevents loose comparisons (== and !=) in your code in favour of === and !==.

arch('models')
    ->expect('App')
    ->toUseStrictEquality();

https://pestphp.com/docs/arch-testing#content-tousestrictequality

This is another topic I go on about, so it should come as no surprise to see it here (although it was only added to Pest in v3.2.0 last week). There are very few downsides to using strict comparisons everywhere, given PHP still has fun type juggling rules, so try and enable this one if you can.
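An added example, not from the original post, of the type-juggling bug that the loose comparisons flagged by toUseStrictEquality() can hide. The stored hash and the candidate strings are the well-known md5 "magic hash" preimages; md5() is used here only to reproduce the classic bug and would itself trip the security preset above.

```php
<?php

declare(strict_types=1);

// md5('240610708') and md5('QNKCDZO') are different 32-character strings, but
// both are "0e" followed only by digits. PHP treats such strings as numeric
// (0 times 10^n), so == compares them as 0 == 0 instead of byte for byte.
const STORED_HASH = '0e462097431906509019562988736854'; // md5('240610708')

// Vulnerable: the loose comparison trips toUseStrictEquality() and accepts
// any candidate whose hash happens to look like 0e<digits>.
function looseTokenCheck(string $candidate): bool
{
    return md5($candidate) == STORED_HASH;
}

// Hardened: === compares byte for byte; hash_equals() does the same in
// constant time, which is what you want when the value is a secret.
function strictTokenCheck(string $candidate): bool
{
    return hash_equals(STORED_HASH, md5($candidate));
}

// Other places loose comparison juggles types (PHP 8 semantics), keyed by
// the expression so the output is self-describing.
function looseComparisonSurprises(): array
{
    return [
        "'1e1' == '10'"                  => '1e1' == '10',                 // both numeric strings, compared as numbers
        "'100' == '1e2'"                 => '100' == '1e2',                // same
        "' 1' == '1'"                    => ' 1' == '1',                   // leading whitespace still parses as numeric
        "'01' == '1'"                    => '01' == '1',                   // leading zero dropped by numeric comparison
        'null == false'                  => null == false,                 // both falsy
        "'abc' == 0"                     => 'abc' == 0,                    // PHP 8 compares as strings; PHP 7 cast 'abc' to 0
        "in_array('1e1', ['10'])"        => in_array('1e1', ['10']),       // in_array() is loose unless told otherwise
        "in_array('1e1', ['10'], true)"  => in_array('1e1', ['10'], true), // strict flag restores sane behaviour
    ];
}

function demo(): array
{
    return [
        'loose check accepts QNKCDZO'     => looseTokenCheck('QNKCDZO'),
        'strict check accepts QNKCDZO'    => strictTokenCheck('QNKCDZO'),
        'strict check accepts 240610708'  => strictTokenCheck('240610708'),
        'surprises'                       => looseComparisonSurprises(),
    ];
}

print_r(demo());
```

Run it and the loose check accepts the wrong preimage while the strict check only accepts the real one; the surprises array shows the same juggling turning up in places that are easy to miss in review, such as in_array() and string-to-string comparisons of numeric-looking input. An arch test that rejects == and != makes the first case impossible to write, and switching the in_array() calls to strict mode handles the rest.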

Alright, that's my two recommendations for Pest's architecture tests! I must admit that I haven't had a chance to use them directly myself though, so please let me know if I've missed any, or if you have any other expectations you recommend.


Found this security tip helpful? Don't forget to subscribe to receive new Security Tips each week, and upgrade to a premium subscription to receive monthly In Depth articles, or toss a coin in the tip jar.

Reach out if you're looking for a Laravel Security Audit and Penetration Test or a budget-friendly Security Review, and find me on the various socials through Pinkary. Finally, don't forget to check out Practical Laravel Security, my interactive security course.