HPB-4006 prevent unsafe request data

.github/workflows/tests.yml

@@ -11,9 +11,15 @@
       strategy:
         fail-fast: true
         matrix:
-          php: [8.2, 8.3]
-          laravel: [^10, ^11]
-          stability: [prefer-lowest, prefer-stable]
+          php:
+            - 8.2
+            - 8.3
+          laravel:
+            - ^10
+            - ^11
+          stability:
+            - prefer-lowest
+            - prefer-stable
 
       name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }} - ${{ matrix.stability }}
 
@@ -31,7 +37,7 @@
 
         - name: Install dependencies
           run: |
-            composer require "illuminate/support:${{ matrix.laravel }}" --no-interaction --no-update
+            composer require "laravel/framework:${{ matrix.laravel }}" --no-interaction --no-update
             composer update --${{ matrix.stability }} --prefer-dist --no-interaction
 
         - name: Run tests

composer.json

@@ -6,7 +6,8 @@
     "license": "MIT",
     "autoload": {
         "psr-4": {
-            "Hihaho\\PhpstanRules\\": "src/"
+            "Hihaho\\PhpstanRules\\": "src/",
+            "App\\": "tests/stubs/App/"
         }
     },
     "autoload-dev": {
@@ -23,20 +24,16 @@
     "minimum-stability": "stable",
     "require": {
         "php": "^8.2",
-        "phpstan/phpstan": "^1.10.55",
         "illuminate/support": "^10|^11",
-        "laravel/pint": "^1.13.9"
+        "phpstan/phpstan": "^1.12"
     },
     "require-dev": {
         "phpunit/phpunit": "^11.0",
         "nikic/php-parser": "^5.0",
         "spatie/invade": "^2.0",
-        "illuminate/http": "^10|^11",
-        "illuminate/console": "^10|^11",
-        "illuminate/mail": "^10|^11",
-        "illuminate/notifications": "^10|^11",
-        "illuminate/routing": "^10|^11",
-        "roave/security-advisories": "dev-latest"
+        "roave/security-advisories": "dev-latest",
+        "laravel/framework": "^10|^11",
+        "laravel/pint": "^1.18"
     },
     "scripts": {
         "test": "phpunit",

extension.neon

@@ -1,4 +1,31 @@
+parametersSchema:
+	scoperequestvalidatemethods: structure([
+		allowedRequestMethods: arrayOf(string()),
+	])
+
+parameters:
+	scoperequestvalidatemethods:
+		allowedRequestMethods:
+			- collect
+			- all
+			- only
+			- except
+			- input
+			- get
+			- keys
+			- string
+			- str
+			- integer
+			- float
+			- boolean
+
 services:
+    -
+        class: Hihaho\PhpstanRules\Rules\Validation\ScopeRequestValidateMethods
+        arguments:
+        	allowedRequestMethods: %scoperequestvalidatemethods.allowedRequestMethods%
+        tags:
+            - phpstan.rules.rule
     -
         class: Hihaho\PhpstanRules\Rules\NoInvadeInAppCode
         tags:

src/Rules/Validation/ScopeRequestValidateMethods.php

@@ -0,0 +1,65 @@
+<?php declare(strict_types=1);
+
+namespace Hihaho\PhpstanRules\Rules\Validation;
+
+use Illuminate\Http\Request as IlluminateRequest;
+use PhpParser\Node;
+use PhpParser\Node\Expr\MethodCall;
+use PHPStan\Analyser\Scope;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\ShouldNotHappenException;
+use ReflectionException;
+
+final class ScopeRequestValidateMethods extends ScopeValidationMethods
+{
+    public function __construct(array $allowedRequestMethods)
+    {
+        $this->allowedRequestMethods = array_unique($allowedRequestMethods);
+    }
+
+    public function getNodeType(): string
+    {
+        return MethodCall::class;
+    }
+
+    /**
+     * @phpstan-param MethodCall $node
+     * @throws ShouldNotHappenException | ReflectionException
+     */
+    public function processNode(Node $node, Scope $scope): array
+    {
+        if ($this->hasValidNamespace($scope->getNamespace())) {
+            return [];
+        }
+
+        if (! $this->hasIlluminateRequestClass($scope)) {
+            return [];
+        }
+
+        if ($this->usesValidMethod(varName: $this->nodeName($node->var), methodName: $this->nodeName($node))) {
+            return [];
+        }
+
+        return [
+            RuleErrorBuilder::message(
+                'Usage of unvalidated request data is not allowed outside of App\\Http\\Requests'
+            )
+                ->nonIgnorable()
+                ->addTip('Use $request->safe() / $request->validated() to use request data')
+                ->addTip(sprintf('Current checking: variable %s, method %s', $this->nodeName($node->var), $this->nodeName($node)))
+                ->identifier('hihaho.request.unsafeRequestData')
+                ->build(),
+        ];
+    }
+
+    /** @throws ReflectionException */
+    private function hasIlluminateRequestClass(Scope $scope): bool
+    {
+        return collect($this->getClassMethods($scope))
+            ->map(fn (array $method) => $this->getMethodParameterClassnames($method)
+                ->filter(static fn (?string $fqn) => $fqn !== null)
+                ->filter(static fn (string $fqn) => $fqn === IlluminateRequest::class)
+            )
+            ->isNotEmpty();
+    }
+}

src/Rules/Validation/ScopeValidationMethods.php

@@ -0,0 +1,156 @@
+<?php declare(strict_types=1);
+
+namespace Hihaho\PhpstanRules\Rules\Validation;
+
+use Illuminate\Support\Collection;
+use Illuminate\Support\Stringable;
+use PhpParser\Node;
+use PhpParser\Node\Expr;
+use PhpParser\Node\Expr\CallLike;
+use PhpParser\Node\Expr\PropertyFetch;
+use PhpParser\Node\Expr\Variable;
+use PhpParser\Node\Identifier;
+use PhpParser\NodeAbstract;
+use PHPStan\Analyser\Scope;
+use PHPStan\Node\AnonymousClassNode;
+use PHPStan\Rules\Rule;
+use PHPStan\Type\ObjectType;
+use ReflectionClass;
+use ReflectionException;
+use ReflectionIntersectionType;
+use ReflectionMethod;
+use ReflectionNamedType;
+use ReflectionParameter;
+use ReflectionUnionType;
+
+/**
+ * @implements \PHPStan\Rules\Rule<\PhpParser\Node\Expr\MethodCall>
+ */
+abstract class ScopeValidationMethods implements Rule
+{
+    protected array $allowedRequestMethods = [];
+
+    abstract public function getNodeType(): string;
+
+    abstract public function processNode(Node $node, Scope $scope): array;
+
+    /**
+     * @phpstan-return ReflectionMethod[]
+     */
+    protected function getClassMethods(Scope $scope): array
+    {
+        if (! $className = $scope->getClassReflection()?->getName()) {
+            return [];
+        }
+
+        $type = new ObjectType(className: $className, classReflection: $scope->getClassReflection());
+        /** @var ReflectionMethod[] $methods */
+        $methods = array_map(static function (string $className): array {
+            try {
+                return (new ReflectionClass($className))->getMethods();
+            } catch (ReflectionException) {
+                // @phpstan-ignore phpstanApi.constructor
+                return (new AnonymousClassNode($className))->getMethods();
+            }
+        }, $type->getObjectClassNames());
+
+        return $methods;
+    }
+
+    protected function getMethodParameterClassnames(array $method): Collection
+    {
+        return collect($method)
+            ->map(fn (ReflectionMethod $method) => $method->getParameters())
+            ->map(fn (array $parameter) => array_map(
+                static fn (ReflectionParameter $parameter) => $parameter->getType(), $parameter)
+            )
+            ->flatten()
+            ->filter()
+            ->filter(fn ($type) => method_exists($type, 'getName'))
+            ->map(fn (ReflectionNamedType|ReflectionUnionType|ReflectionIntersectionType $type) => $type->getName());
+    }
+
+    protected function nodeName(CallLike|Expr|NodeAbstract $var): string
+    {
+        if (! property_exists($var, 'name')) {
+            return '';
+        }
+
+        if ($var->name instanceof Stringable) {
+            return $var->name->toString();
+        }
+
+        if ($var->name instanceof Identifier) {
+            if (method_exists($var->name, 'toString')) {
+                return $var->name->toString();
+            }
+
+            return $var->name->name;
+        }
+
+        if ($var->name instanceof Variable) {
+            return $var->name->name;
+        }
+
+        if ($var->name instanceof Node\Expr\BinaryOp\Concat) {
+            if (method_exists($var->name, 'toString')) {
+                return $var->name->toString();
+            }
+
+            return '';
+        }
+
+        if ($var->name instanceof PropertyFetch) {
+            if (method_exists($var->name, 'toString')) {
+                return $var->name->toString();
+            }
+
+            return $var->name->name->toString();
+        }
+
+        if ($var instanceof PropertyFetch) {
+            return $var->name->toString();
+        }
+
+        if (method_exists($var->name, 'toString')) {
+            return $var->name->toString();
+        }
+
+        return $var->name ?? '';
+    }
+
+    protected function hasValidNamespace(?string $namespace): bool
+    {
+        if (! $namespace) {
+            return false;
+        }
+
+        return str_starts_with($namespace, 'App\\Http\\Request');
+    }
+
+    protected function usesValidMethod(string $varName, string $methodName): bool
+    {
+        if (! in_array($varName, ['request', 'safe', 'validated'], true)) {
+            return true;
+        }
+
+        if ($varName === 'request' && ($methodName === 'validated' || $methodName === 'validate')) {
+            return true;
+        }
+
+        if ($varName === 'request' && $methodName === 'safe') {
+            return true;
+        }
+
+        if ($varName === 'safe') {
+            return $this->isValidateMethod($methodName);
+        }
+
+        return ! $this->isValidateMethod($methodName);
+    }
+
+    protected function isValidateMethod(string $methodName): bool
+    {
+        return in_array($methodName, $this->allowedRequestMethods, strict: true);
+    }
+}

tests/Rules/Validation/ScopeRequestValidateMethodTest.php

@@ -0,0 +1,61 @@
+<?php declare(strict_types=1);
+
+namespace Rules\Validation;
+
+use Hihaho\PhpstanRules\Rules\Validation\ScopeRequestValidateMethods;
+use PHPStan\Analyser\Error;
+use PHPStan\Rules\Rule;
+use PHPStan\Testing\RuleTestCase;
+use PHPUnit\Framework\Attributes\Test;
+
+/**
+ * @extends RuleTestCase<ScopeRequestValidateMethods>
+ */
+final class ScopeRequestValidateMethodTest extends RuleTestCase
+{
+    protected function getRule(): Rule
+    {
+        return new ScopeRequestValidateMethods([
+            'collect',
+            'all',
+            'only',
+            'except',
+            'input',
+            'get',
+            'keys',
+            'string',
+            'str',
+            'integer',
+            'float',
+            'boolean',
+        ]);
+    }
+
+    #[Test]
+    public function illuminate_http_request_does_not_use_unvalidated_methods_outside_app_http_requests_namespace(): void
+    {
+        /** @var Error[] $errors */
+        $errors = $this->gatherAnalyserErrors([__DIR__ . '/../../stubs/App/Http/Controllers/PeopleControllerStub.php']);
+        $validErrors = array_filter(
+            $errors,
+            static fn (Error $error): bool => $error->getIdentifier() === 'hihaho.request.unsafeRequestData'
+        );
+
+        self::assertCount(6, $validErrors);
+
+        foreach ($validErrors as $key => $error) {
+            self::assertStringContainsString('Usage of unvalidated request data is not allowed outside of App\\Http\\Requests', $error->getMessage());
+            self::assertFalse($error->canBeIgnored());
+            self::assertStringContainsString('Use $request->safe() / $request->validated() to use request data', $error->getTip());
+            self::assertStringContainsString('Current checking: variable request, method', $error->getTip());
+            match($key) {
+                0 => self::assertSame(13, $error->getNodeLine()),
+                1 => self::assertSame(14, $error->getNodeLine()),
+                2 => self::assertSame(15, $error->getNodeLine()),
+                3 => self::assertSame(16, $error->getNodeLine()),
+                4 => self::assertSame(18, $error->getNodeLine()),
+                5 => self::assertSame(21, $error->getNodeLine()),
+            };
+        }
+    }
+}