The PHP security engine uses Type Hints to find more vulnerabilities

Hello PHP developers,

As you know PHP will not require to declare the type of a variable before you can use it. That’s very convenient but from a code analyzer perspective this raises challenges because the analyzer needs to “guess” what’s the potential runtime types of a variable.
This is the reason why inside the PHP security engine there is a type inference mechanism.

In recent versions of PHP, type hints were introduced and allow to give information about the expected type of parameters, return values and fields.
We decided to use these type hints as source of knowledge for the PHP security engine.

In the following example, every developers will admit there is an exploitable vulnerability on line 12:

This is possible only because you, as a human, know that $request is having the type Symfony\Component\HttpFoundation\Request.

Today the PHP security engine is using this information and can raise the expected issue:

This feature is available on SonarCloud, and will be included in SonarQube 8.6.

Alex

2 Likes