glpi-project/phpstan-glpi

PHPStan rules for GLPI.

Maintainers

Details

github.com/glpi-project/phpstan-glpi

Source

Issues

Installs: 752

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 0

Forks: 1

Open Issues: 0

Type:phpstan-extension

1.0.0 2025-06-24 11:45 UTC

Requires

Requires (Dev)

MIT 432f7a10d221f60abdbd4ab4676dbd846a485df1

This package is auto-updated.

Last update: 2025-06-24 11:52:38 UTC

README

This repository provides a PHPStan extension that can be used in both GLPI and GLPI plugins.

Installation

To install this PHPStan extension, run the composer require --dev glpi-project/phpstan-glpi.

The GLPI version should be detected automatically, but you can specify it in your PHPStan configuration:

parameters:
    glpi:
        glpiVersion: "11.0"

Rules

ForbidDynamicInstantiationRule

Since GLPI 11.0.

Instantiating an object from an unrestricted dynamic string is unsecure. Indeed, it can lead to unexpected code execution and has already been a source of security issues in GLPI.

Before instantiating an object, a check must be done to validate that the variable contains an expected class string.

$class = $_GET['itemtype'];

$object = new $class(); // unsafe

if (is_a($class, CommonDBTM::class, true)) {
    $object = new $class(); // safe
}

If the treatPhpDocTypesAsCertain PHPStan parameter is not set to false, a variable with a specific class-string type will be considered safe.

class MyClass
{
    /**
     * @var class-string<\CommonDBTM> $class
     */
    public function doSomething(string $class): void
    {
        $object = new $class(); // safe

        // ...
    }
}

ForbidExitRule

Since GLPI 11.0.

Since the introduction of the Symfony framework in GLPI 11.0, the usage of exit()/die() instructions is discouraged. Indeed, they prevents the execution of post-request/post-command routines, and this can result in unexpected behaviours.

ForbidHttpResponseCodeRule

Since GLPI 11.0.

Due to a PHP bug (see https://bugs.php.net/bug.php?id=81451), the usage of the http_response_code() function, to define the response code, may produce unexpected results, depending on the server environment. Therefore, its usage is discouraged.

MissingGlobalVarTypeRule

Since GLPI 10.0.

By default, PHPStan is not able to detect the global variables types, and is therefore not able to detect any issue related to their usage. To get around this limitation, we recommend that you declare each global variable type with a PHPDoc tag.

/** @var \DBmysql $DB */
global $DB;