
Comments (4)

dryabov avatar dryabov commented on June 20, 2024

The PH2 rule does more than just check that defined("_JEXEC") exists in the code. It ensures that this check is the first executed statement in the code (and that is the main reason for this check: to prevent any code execution in a non-Joomla context, to avoid possible path disclosure and other vulnerabilities).

PHP reads your code as a T_OPEN_TAG token ("<?php") followed by the "<" comparison operator (resulting in the "Parse error" here), and so this rule is triggered.

Maybe future releases of the JED Checker will check PHP syntax as well and detect such issues automatically, but I'm very glad to know this error (duplicated <?php tag) is indirectly found by the current version of JED Checker.

from jedchecker.

Llewellynvdm avatar Llewellynvdm commented on June 20, 2024

Okay, this makes sense, and yes, doing some PHP syntax validation would be helpful. What approach do you have in mind?

What we also need is to detect deprecated methods, classes and method signature mismatches in the Joomla API; this will be a huge step up... and something I would really want to help make happen.

dryabov avatar dryabov commented on June 20, 2024

> What approach do you have in mind?

https://github.com/nikic/PHP-Parser, but it requires PHP 7.0+ (note that the currently required PHP version in JED Checker is 5.6). It's pretty easy to implement, just a simple try/catch block.

> What we also need is to detect deprecated methods, classes and method signature mismatches in the Joomla API

It's quite complicated because of the dynamic nature of PHP, so no code analyzer can be sure about the type of a given variable. Probably the best solution here is to use https://github.com/ircmaxell/php-cfg to track variable lifetimes, but it has some known issues (it doesn't take into account parameters passed by reference and doesn't process try/catch/finally blocks properly).

An alternative is to use PHPStan with https://github.com/phpstan/phpstan-deprecation-rules, but it's quite a large project (PHPStan is shipped as a 20Mb phpstan.phar file), and I'm not sure it is able to cover nontrivial cases.

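The PH2 check and the try/catch syntax validation discussed above, as an added example that is not JED Checker's or the commenters' code. It uses PHP's built-in tokenizer with the TOKEN_PARSE flag (PHP 7.0+, so not available on the 5.6 baseline mentioned in the thread) rather than nikic/PHP-Parser; the sample files are constructed.

```php
<?php
// Added example, not JED Checker's own code: a minimal PH2-style check
// built on PHP's tokenizer instead of nikic/PHP-Parser. The TOKEN_PARSE
// flag (PHP 7.0+) makes token_get_all() throw ParseError on invalid
// syntax, such as a duplicated "<?php" tag, which is the try/catch idea
// from the thread; the rest verifies the _JEXEC guard comes first.
declare(strict_types=1);
function checkJexecGuard(string $code): string
{
    try {
        $tokens = token_get_all($code, TOKEN_PARSE);
    } catch (ParseError $e) {
        // A duplicated open tag is reported here as an unexpected "<".
        return 'FAIL: parse error: ' . $e->getMessage();
    }

    // Keep only tokens that can execute something: drop the open tag,
    // whitespace and comments, then look at the first statement.
    $skip = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $words = [];
    foreach ($tokens as $t) {
        if (is_array($t) && in_array($t[0], $skip, true)) {
            continue;
        }
        $words[] = is_array($t) ? $t[1] : $t;
        if (count($words) === 6) {
            break;
        }
    }
    $head = implode(' ', $words);

    // Accept the usual Joomla guard forms:
    //   defined('_JEXEC') or die;   defined("_JEXEC") || exit(...);
    $guard = '/^defined \( [\'"]_JEXEC[\'"] \) (or|\|\|) (die|exit)/';
    if (preg_match($guard, $head) !== 1) {
        return 'FAIL: first executed statement is not the _JEXEC guard (got: ' . $head . ')';
    }
    return 'OK';
}
// Constructed sample files, not taken from any real extension.
$samples = [
    'guarded'   => "<?php\n// Joomla entry point\ndefined('_JEXEC') or die('Restricted access');\necho 'ok';\n",
    'unguarded' => "<?php\necho 'runs before the guard';\ndefined('_JEXEC') or die;\n",
    'duplicate' => "<?php\n<?php\ndefined('_JEXEC') or die;\n",
];
foreach ($samples as $name => $code) {
    echo $name, ': ', checkJexecGuard($code), PHP_EOL;
}
```

Only the first sample passes; the second runs a statement before the guard and the third trips the parse error that PH2 currently catches indirectly.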
dryabov avatar dryabov commented on June 20, 2024

One more tool to find deprecated methods: https://github.com/vimeo/psalm (the size of the phar is only 11Mb).
