mortenson / psalm-plugin-drupal
Psalm support for Drupal security analysis.
Fund package maintenance!
mortenson
Installs: 25 798
Dependents: 0
Suggesters: 0
Security: 0
Stars: 42
Watchers: 8
Forks: 7
Open Issues: 3
Type:psalm-plugin
Requires
- psalm/plugin-symfony: ^5.0
- vimeo/psalm: ^5
Requires (Dev)
- codeception/codeception: ^4.1
- codeception/module-asserts: ^1.0.0
- codeception/module-phpbrowser: ^1.0.0
- phpunit/phpunit: ^9.0
- squizlabs/php_codesniffer: ^3.3
- weirdan/codeception-psalm-module: dev-master
This package is auto-updated.
Last update: 2024-03-25 15:28:26 UTC
README
psalm-plugin-drupal
A Drupal integration for Psalm focused on security scanning (SAST) taint analysis.
Features
- Stubs for sinks, sources, and sanitizers
- Loading of
.moduleand.themefiles - Autoloading of modules without an installed site
- Support for
\Drupal::service() - Custom script for dumping the Drupal container to XML
- Support for detecting tainted render arrays
- Novel support for Controllers and Form methods.
Installing and running on your Drupal site
This plugin is meant to be used on your Drupal site, for the scanning of custom modules. Note that if you follow this guide and run it on a contrib module, and you find a valid result, you should report your findings to the Drupal Security Team.
To install the plugin:
- Run
composer require mortenson/psalm-plugin-drupal:dev-master - Change directories to the root of your Drupal installation (ex:
cd web,cd docroot). - Create a
psalm.xmlfile in the root of your Drupal installation like:
<?xml version="1.0"?> <psalm errorLevel="6" resolveFromConfigFile="true" runTaintAnalysis="true" autoloader="../vendor/mortenson/psalm-plugin-drupal/scripts/autoload.php" > <fileExtensions> <extension name=".php" /> <extension name=".module" /> <extension name=".theme" /> <extension name=".inc" /> </fileExtensions> <projectFiles> <directory name="modules/custom"/> </projectFiles> <plugins> <pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin"> <containerXml>DrupalContainerDump.xml</containerXml> </pluginClass> <pluginClass class="mortenson\PsalmPluginDrupal\Plugin"> <containerXml>DrupalContainerDump.xml</containerXml> <extensions> <!-- List your modules explicitly here, as the scan may happen without a database --> <module name="my_custom_module" /> <module name="my_module_dependency" /> </extensions> </pluginClass> </plugins> </psalm>
- Run
php ../vendor/mortenson/psalm-plugin-drupal/scripts/dump_script.php && ../vendor/bin/psalm .
Note that the path to vendor may change based on your Drupal installation.
Generating an entrypoint for seemingly unused class methods
Drupal's code paths aren't always clear, especially in Drupal 8. Because of this, things like Controller methods (aka route callbacks) will not be analyzed when running Psalm.
To have Psalm analyze these paths, you'll need to generate an entrypoint file that executes the methods you want to test.
A script has been included for you to generate this entrypoint for you. To use it, do the following:
- Run
php ../vendor/mortenson/psalm-plugin-drupal/scripts/generate_entrypoint.php <comma separated paths to your custom modules> - Add
<file name="psalm_drupal_entrypoint.module"></file>to yourpsalm.xmlfile, under the<projectFiles>node. - Run Psalm.
Currently, only routing.yml files are parsed to generate the entrypoint,
focusing on Controller and Form methods.
Contributing
Running and writing tests
Tests use Codeception via weirdan/codeception-psalm-module.
You can run tests with composer run test.
To write tests, edit tests/acceptance/PsalmPluginDrupal.feature and add a new Scenario.
To run a single failing test, add the @failing tag above the Scenario:
line, then run composer run test-failing.
Checking code style
Code style should be checked before committing code.
To do this, run composer run cs-check, or composer run cs-fix to
automatically fix issues with phpcbf.