orklah / psalm-strict-visibility
A Psalm plugin to detect calling private or protected method via proxy
Installs: 87 478
Dependents: 2
Suggesters: 0
Security: 0
Stars: 8
Watchers: 3
Forks: 0
Open Issues: 1
Type:psalm-plugin
Requires
- php: ^7.1|^8.0
- ext-simplexml: *
Requires (Dev)
- nikic/php-parser: ^4.0
- vimeo/psalm: ^4.0
README
A Psalm plugin to detect calling private or protected method via proxy
Installation:
$ composer require --dev orklah/psalm-strict-visibility $ vendor/bin/psalm-plugin enable orklah/psalm-strict-visibility
Usage:
Run your usual Psalm command:
$ vendor/bin/psalm
Explanation:
Visibilities in PHP are not strongly enforced. According to php.net:
Objects of the same type will have access to each others private and protected members even though they are not the same instances. This is because the implementation specific details are already known when inside those objects.
This means that a private method is not actually private when called from another instance of the same object. This sort of behavior is possible:
class PrivateTests{ private string $secret; private function privateMethod(): void {echo $this->secret;} public function __construct(string $secret){ $this->secret = $secret; } public function proxyByParam(PrivateTests $a): void { $a->privateMethod(); //This is a call to a private method from outside the instance } } $first_secret_key = new PrivateTests('first_secret_key'); $second_secret_key = new PrivateTests('second_secret_key'); $first_secret_key->proxyByParam($second_secret_key);
This call to $first_secret_key instance will actually call a private method on $second_secret_key and display the value of the private attribute of $second_secret_key
This plugins intends to fill those holes in PHP visibility checks