render callback rule (#217)

Process render callbacks to ensure they care callable and trusted.

For #197

Author: mglaman

extension.neon

@@ -329,3 +329,7 @@ services:
 	-
 		class: mglaman\PHPStanDrupal\Rules\Deprecations\StaticServiceDeprecatedServiceRule
 		tags: [phpstan.rules.rule]
+
+	-
+		class: mglaman\PHPStanDrupal\Rules\Drupal\RenderCallbackRule
+		tags: [phpstan.rules.rule]

src/Rules/Drupal/RenderCallbackRule.php

@@ -0,0 +1,138 @@
+<?php declare(strict_types=1);
+
+namespace mglaman\PHPStanDrupal\Rules\Drupal;
+
+use PhpParser\Node;
+use PHPStan\Analyser\Scope;
+use PHPStan\Broker\Broker;
+use PHPStan\Reflection\Php\PhpFunctionReflection;
+use PHPStan\Reflection\ReflectionProvider;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\TrinaryLogic;
+use PHPStan\Type\ClosureType;
+use PHPStan\Type\Constant\ConstantArrayType;
+use PHPStan\Type\Constant\ConstantArrayTypeAndMethod;
+use PHPStan\Type\Constant\ConstantIntegerType;
+use PHPStan\Type\Constant\ConstantStringType;
+use PHPStan\Type\ObjectType;
+use PHPStan\Type\VerbosityLevel;
+
+final class RenderCallbackRule implements Rule
+{
+
+    protected ReflectionProvider $reflectionProvider;
+
+    public function __construct(ReflectionProvider $reflectionProvider)
+    {
+        $this->reflectionProvider = $reflectionProvider;
+    }
+
+    public function getNodeType(): string
+    {
+        return Node\Expr\ArrayItem::class;
+    }
+
+    public function processNode(Node $node, Scope $scope): array
+    {
+        assert($node instanceof Node\Expr\ArrayItem);
+        $key = $node->key;
+        if (!$key instanceof Node\Scalar\String_) {
+            return [];
+        }
+        // @see https://www.drupal.org/node/2966725
+        $keysToCheck = ['#pre_render', '#post_render', '#lazy_builder', '#access_callback'];
+        $keySearch = array_search($key->value, $keysToCheck, true);
+        if ($keySearch === false) {
+            return [];
+        }
+        $keyChecked = $keysToCheck[$keySearch];
+
+        $value = $node->value;
+        if (!$value instanceof Node\Expr\Array_) {
+            return [
+                RuleErrorBuilder::message(sprintf('The "%s" render array value expects an array of callbacks.', $keyChecked))
+                    ->line($node->getLine())->build()
+            ];
+        }
+        if (count($value->items) === 0) {
+            return [];
+        }
+
+        $trustedCallbackType = new ObjectType('Drupal\Core\Security\TrustedCallbackInterface');
+        $errors = [];
+        foreach ($value->items as $pos => $item) {
+            if (!$item instanceof Node\Expr\ArrayItem) {
+                continue;
+            }
+            $errorLine = $item->value->getLine();
+            $type = $scope->getType($item->value);
+
+            if ($type instanceof ConstantStringType) {
+                if (!$type->isCallable()->yes()) {
+                    $errors[] = RuleErrorBuilder::message(
+                        sprintf("%s callback %s at key '%s' is not callable.", $keyChecked, $type->describe(VerbosityLevel::value()), $pos)
+                    )->line($errorLine)->build();
+                    continue;
+                }
+                // We can determine if the callback is callable through the type system. However, we cannot determine
+                // if it is just a function or a static class call (MyClass::staticFunc).
+                if ($this->reflectionProvider->hasFunction(new \PhpParser\Node\Name($type->getValue()), null)) {
+                    $errors[] = RuleErrorBuilder::message(
+                        sprintf("%s callback %s at key '%s' is not trusted.", $keyChecked, $type->describe(VerbosityLevel::value()), $pos)
+                    )->line($errorLine)
+                        ->tip('Change record: https://www.drupal.org/node/2966725.')
+                        ->build();
+                    continue;
+                }
+                // @see \PHPStan\Type\Constant\ConstantStringType::isCallable
+                preg_match('#^([a-zA-Z_\\x7f-\\xff\\\\][a-zA-Z0-9_\\x7f-\\xff\\\\]*)::([a-zA-Z_\\x7f-\\xff][a-zA-Z0-9_\\x7f-\\xff]*)\\z#', $type->getValue(), $matches);
+                if ($matches === null) {
+                    throw new \PHPStan\ShouldNotHappenException('Unable to get class name from ConstantStringType value: ' . $type->describe(VerbosityLevel::value()));
+                }
+                if (!$trustedCallbackType->isSuperTypeOf(new ObjectType($matches[1]))->yes()) {
+                    $errors[] = RuleErrorBuilder::message(
+                        sprintf("%s callback class '%s' at key '%s' does not implement Drupal\Core\Security\TrustedCallbackInterface.", $keyChecked, (new ObjectType($matches[1]))->describe(VerbosityLevel::value()), $pos)
+                    )->line($errorLine)->tip('Change record: https://www.drupal.org/node/2966725.')->build();
+                }
+            } elseif ($type instanceof ConstantArrayType) {
+                if (!$type->isCallable()->yes()) {
+                    $errors[] = RuleErrorBuilder::message(
+                        sprintf("%s callback %s at key '%s' is not callable.", $keyChecked, $type->describe(VerbosityLevel::value()), $pos)
+                    )->line($errorLine)->build();
+                    continue;
+                }
+                $typeAndMethodName = $type->findTypeAndMethodName();
+                if ($typeAndMethodName === null) {
+                    throw new \PHPStan\ShouldNotHappenException();
+                }
+
+                if (!$trustedCallbackType->isSuperTypeOf($typeAndMethodName->getType())->yes()) {
+                    $errors[] = RuleErrorBuilder::message(
+                        sprintf("%s callback class '%s' at key '%s' does not implement Drupal\Core\Security\TrustedCallbackInterface.", $keyChecked, $typeAndMethodName->getType()->describe(VerbosityLevel::value()), $pos)
+                    )->line($errorLine)->tip('Change record: https://www.drupal.org/node/2966725.')->build();
+                }
+            } elseif ($type instanceof ClosureType) {
+                if ($scope->isInClass()) {
+                    $classReflection = $scope->getClassReflection();
+                    if ($classReflection === null) {
+                        throw new \PHPStan\ShouldNotHappenException();
+                    }
+                    $classType = new ObjectType($classReflection->getName());
+                    $formType = new ObjectType('\Drupal\Core\Form\FormInterface');
+                    if ($formType->isSuperTypeOf($classType)->yes()) {
+                        $errors[] = RuleErrorBuilder::message(
+                            sprintf("%s may not contain a closure at key '%s' as forms may be serialized and serialization of closures is not allowed.", $keyChecked, $pos)
+                        )->line($errorLine)->build();
+                    }
+                }
+            } else {
+                $errors[] = RuleErrorBuilder::message(
+                    sprintf("%s value '%s' at key '%s' is invalid.", $keyChecked, $type->describe(VerbosityLevel::value()), $pos)
+                )->line($errorLine)->build();
+            }
+        }
+
+        return $errors;
+    }
+}

tests/fixtures/drupal/modules/pre_render_callback_rule/pre_render_callback_rule.info.yml

@@ -0,0 +1,3 @@
+name: phpstan_fixtures
+type: module
+core: 8.x

tests/fixtures/drupal/modules/pre_render_callback_rule/pre_render_callback_rule.module

@@ -0,0 +1,45 @@
+<?php declare(strict_types=1);
+
+use Drupal\Core\Url;
+
+function sample_pre_render_callback(array $el): array {
+    return $el;
+}
+
+function pre_render_callback_rule_alter_some_stuff() {
+    $sample1 = [
+        '#type' => 'link',
+        '#url' => Url::fromRoute('<front>'),
+        '#title' => 'FooBar',
+        '#pre_render' => [null],
+    ];
+
+    $sample2 = [
+        '#pre_render' => '',
+    ];
+    $sample3 = [
+        '#pre_render' => null,
+    ];
+
+    $sample4 = [
+        '#pre_render' => [
+            'invalid_func',
+            'sample_pre_render_callback',
+            '\Drupal\pre_render_callback_rule\RenderArrayWithPreRenderCallback::preRenderCallback',
+            '\Drupal\pre_render_callback_rule\NotTrustedCallback::unsafeCallback',
+            ['\Drupal\pre_render_callback_rule\NotTrustedCallback', 'unsafeCallback']
+        ],
+    ];
+
+    $sample5 = [
+        '#type' => 'link',
+        '#url' => Url::fromRoute('<front>'),
+        '#title' => 'FooBar',
+        '#pre_render' => [
+            static function(array $element): array {
+                return $element;
+            }
+        ],
+    ];
+
+}

tests/fixtures/drupal/modules/pre_render_callback_rule/src/FormWithClosure.php

@@ -0,0 +1,51 @@
+<?php declare(strict_types=1);
+
+namespace Drupal\pre_render_callback_rule;
+
+use Drupal\Core\Form\FormInterface;
+use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Security\TrustedCallbackInterface;
+use Drupal\Core\Url;
+
+final class FormWithClosure implements FormInterface, TrustedCallbackInterface {
+
+    public static function preRenderCallback(array $element) {
+        return $element;
+    }
+
+    public static function trustedCallbacks()
+    {
+        return ['preRenderCallback'];
+    }
+
+    public function getFormId()
+    {
+        // TODO: Implement getFormId() method.
+    }
+
+    public function buildForm(array $form, FormStateInterface $form_state)
+    {
+        return [
+            '#type' => 'link',
+            '#url' => Url::fromRoute('<front>'),
+            '#title' => 'FooBar',
+            '#pre_render' => [
+                [self::class, 'preRenderCallback'],
+                [$this, 'preRenderCallback'],
+                static function(array $element): array {
+                    return $element;
+                }
+            ]
+        ];
+    }
+
+    public function validateForm(array &$form, FormStateInterface $form_state)
+    {
+        // TODO: Implement validateForm() method.
+    }
+
+    public function submitForm(array &$form, FormStateInterface $form_state)
+    {
+        // TODO: Implement submitForm() method.
+    }
+}

tests/fixtures/drupal/modules/pre_render_callback_rule/src/NotTrustedCallback.php

@@ -0,0 +1,11 @@
+<?php declare(strict_types=1);
+
+namespace Drupal\pre_render_callback_rule;
+
+final class NotTrustedCallback {
+
+    public static function unsafeCallback(array $element): array {
+        return $element;
+    }
+
+}

tests/fixtures/drupal/modules/pre_render_callback_rule/src/RenderArrayWithPreRenderCallback.php

@@ -0,0 +1,33 @@
+<?php declare(strict_types=1);
+
+namespace Drupal\pre_render_callback_rule;
+
+use Drupal\Core\Security\TrustedCallbackInterface;
+use Drupal\Core\Url;
+
+final class RenderArrayWithPreRenderCallback implements TrustedCallbackInterface {
+
+    public function staticCallback(): array {
+        return [
+            '#type' => 'link',
+            '#url' => Url::fromRoute('<front>'),
+            '#title' => 'FooBar',
+            '#pre_render' => [
+                [self::class, 'preRenderCallback'],
+                [$this, 'preRenderCallback'],
+                static function(array $element): array {
+                    return $element;
+                }
+            ]
+        ];
+    }
+
+    public static function preRenderCallback(array $element) {
+        return $element;
+    }
+
+    public static function trustedCallbacks()
+    {
+        return ['preRenderCallback'];
+    }
+}

tests/src/Rules/PreRenderCallbackRuleTest.php

@@ -0,0 +1,80 @@
+<?php declare(strict_types=1);
+
+namespace mglaman\PHPStanDrupal\Tests\Rules;
+
+
+use mglaman\PHPStanDrupal\Tests\DrupalRuleTestCase;
+use mglaman\PHPStanDrupal\Rules\Drupal\RenderCallbackRule;
+
+final class PreRenderCallbackRuleTest extends DrupalRuleTestCase {
+
+    protected function getRule(): \PHPStan\Rules\Rule
+    {
+        return new RenderCallbackRule(
+            $this->createReflectionProvider()
+        );
+    }
+
+    /**
+     * @dataProvider fileData
+     */
+    public function testRule(string $path, array $errorMessages): void
+    {
+        $this->analyse([$path], $errorMessages);
+    }
+
+    public function fileData(): \Generator
+    {
+        yield [
+          __DIR__ . '/../../fixtures/drupal/modules/pre_render_callback_rule/pre_render_callback_rule.module',
+            [
+                [
+                    "#pre_render value 'null' at key '0' is invalid.",
+                    14
+                ],
+                [
+                    'The "#pre_render" render array value expects an array of callbacks.',
+                    18
+                ],
+                [
+                    'The "#pre_render" render array value expects an array of callbacks.',
+                    21
+                ],
+                [
+                    "#pre_render callback 'invalid_func' at key '0' is not callable.",
+                    26
+                ],
+                [
+                    "#pre_render callback 'sample_pre_render…' at key '1' is not trusted.",
+                    27,
+                    'Change record: https://www.drupal.org/node/2966725.',
+                ],
+                [
+                    "#pre_render callback class 'Drupal\pre_render_callback_rule\NotTrustedCallback' at key '3' does not implement Drupal\Core\Security\TrustedCallbackInterface.",
+                    29,
+                    'Change record: https://www.drupal.org/node/2966725.',
+                ],
+                [
+                    "#pre_render callback class 'Drupal\pre_render_callback_rule\NotTrustedCallback' at key '4' does not implement Drupal\Core\Security\TrustedCallbackInterface.",
+                    30,
+                    'Change record: https://www.drupal.org/node/2966725.',
+                ],
+            ]
+        ];
+        yield [
+            __DIR__ . '/../../fixtures/drupal/modules/pre_render_callback_rule/src/RenderArrayWithPreRenderCallback.php',
+            []
+        ];
+        yield [
+            __DIR__ . '/../../fixtures/drupal/modules/pre_render_callback_rule/src/FormWithClosure.php',
+            [
+                [
+                    "#pre_render may not contain a closure at key '2' as forms may be serialized and serialization of closures is not allowed.",
+                    35
+                ]
+            ]
+        ];
+    }
+
+
+}