Add SuperglobalAssignRule and SuperglobalAccessRule

Author: paulbalandan

README.md

@@ -20,6 +20,7 @@ This extension provides the following features:
 * Checks if the string argument passed to `service()` or `single_service()` function is a valid service name. This can be turned off by setting `codeigniter.checkArgumentTypeOfServices: false` in your `phpstan.neon`.
 * Disallows instantiating cache handlers using `new` and suggests to use the `CacheFactory` class instead.
 * Disallows instantiating `FrameworkException` classes using `new`.
+* Disallows direct re-assignment or access of `$_SERVER` and `$_GET` and suggests to use the `Superglobals` class instead.
 
 ## Installation
 

extension.neon

@@ -33,6 +33,9 @@ services:
     arguments:
       additionalServices: %codeigniter.additionalServices%
 
+  superglobalRuleHelper:
+    class: CodeIgniter\PHPStan\Rules\Superglobals\SuperglobalRuleHelper
+
   -
     class: CodeIgniter\PHPStan\Type\FactoriesFunctionReturnTypeExtension
     tags:
@@ -58,3 +61,5 @@ conditionalTags:
 rules:
   - CodeIgniter\PHPStan\Rules\Classes\CacheHandlerInstantiationRule
   - CodeIgniter\PHPStan\Rules\Classes\FrameworkExceptionInstantiationRule
+  - CodeIgniter\PHPStan\Rules\Superglobals\SuperglobalAccessRule
+  - CodeIgniter\PHPStan\Rules\Superglobals\SuperglobalAssignRule

src/Rules/Superglobals/SuperglobalAccessRule.php

@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) 2023 CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\PHPStan\Rules\Superglobals;
+
+use PhpParser\Node;
+use PHPStan\Analyser\Scope;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\Type\VerbosityLevel;
+
+/**
+ * @implements Rule<Node\Expr\ArrayDimFetch>
+ */
+final class SuperglobalAccessRule implements Rule
+{
+    public function __construct(
+        private readonly SuperglobalRuleHelper $superglobalRuleHelper
+    ) {}
+
+    public function getNodeType(): string
+    {
+        return Node\Expr\ArrayDimFetch::class;
+    }
+
+    /**
+     * @param Node\Expr\ArrayDimFetch $node
+     */
+    public function processNode(Node $node, Scope $scope): array
+    {
+        if ($scope->isInExpressionAssign($node)) {
+            return [];
+        }
+
+        if (! $node->var instanceof Node\Expr\Variable) {
+            return [];
+        }
+
+        $name = $node->var->name;
+
+        if (! is_string($name)) {
+            return [];
+        }
+
+        if (! $this->superglobalRuleHelper->isHandledSuperglobal($name)) {
+            return [];
+        }
+
+        if ($node->dim === null) {
+            return [];
+        }
+
+        $dimType = $scope->getType($node->dim);
+
+        if ($dimType->isString()->no()) {
+            return [];
+        }
+
+        $method = $this->superglobalRuleHelper->getSuperglobalMethodGetter($name);
+        $errors = [];
+
+        if ($dimType->getConstantStrings() !== []) {
+            foreach ($dimType->getConstantStrings() as $dimString) {
+                $dim = $dimString->getValue();
+
+                $errors[] = RuleErrorBuilder::message(sprintf('Accessing offset \'%s\' directly on $%s is discouraged.', $dim, $name))
+                    ->tip(sprintf('Use \\Config\\Services::superglobals()->%s(\'%s\') instead.', $method, $dim))
+                    ->identifier('codeigniter.superglobalAccess')
+                    ->build();
+            }
+
+            return $errors;
+        }
+
+        $dim = $dimType->describe(VerbosityLevel::precise());
+
+        return [
+            RuleErrorBuilder::message(sprintf('Accessing offset %s directly on $%s is discouraged.', $dim, $name))
+                ->tip(sprintf('Use \\Config\\Services::superglobals()->%s() instead.', $method))
+                ->identifier('codeigniter.superglobalAccess')
+                ->build(),
+        ];
+    }
+}

src/Rules/Superglobals/SuperglobalAssignRule.php

@@ -0,0 +1,165 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) 2023 CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\PHPStan\Rules\Superglobals;
+
+use CodeIgniter\Superglobals;
+use PhpParser\Node;
+use PHPStan\Analyser\Scope;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleError;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\Type\VerbosityLevel;
+
+/**
+ * @implements Rule<Node\Expr\Assign>
+ */
+final class SuperglobalAssignRule implements Rule
+{
+    public function __construct(
+        private readonly SuperglobalRuleHelper $superglobalRuleHelper
+    ) {}
+
+    public function getNodeType(): string
+    {
+        return Node\Expr\Assign::class;
+    }
+
+    /**
+     * @param Node\Expr\Assign $node
+     */
+    public function processNode(Node $node, Scope $scope): array
+    {
+        if ($node->var instanceof Node\Expr\ArrayDimFetch) {
+            return $this->processArrayDimFetch($node, $scope);
+        }
+
+        if ($node->var instanceof Node\Expr\Variable) {
+            return $this->processVariableExpr($node, $scope);
+        }
+
+        return [];
+    }
+
+    /**
+     * @param Node\Expr\Assign $node
+     *
+     * @return RuleError[]
+     */
+    private function processArrayDimFetch(Node $node, Scope $scope): array
+    {
+        assert($node->var instanceof Node\Expr\ArrayDimFetch);
+
+        $arrayDimFetch = $node->var;
+
+        if ($arrayDimFetch->dim === null) {
+            return [];
+        }
+
+        $dimType = $scope->getType($arrayDimFetch->dim);
+
+        if ($dimType->isString()->no()) {
+            return [];
+        }
+
+        if (! $arrayDimFetch->var instanceof Node\Expr\Variable) {
+            return [];
+        }
+
+        $name = $arrayDimFetch->var->name;
+
+        if (! is_string($name)) {
+            return [];
+        }
+
+        if (! $this->superglobalRuleHelper->isHandledSuperglobal($name)) {
+            return [];
+        }
+
+        if ($scope->isInClass() && $scope->getClassReflection()->getName() === Superglobals::class) {
+            return [];
+        }
+
+        $exprType = $scope->getType($node->expr);
+
+        $expr   = $exprType->describe(VerbosityLevel::precise());
+        $dim    = $dimType->describe(VerbosityLevel::precise());
+        $method = $this->superglobalRuleHelper->getSuperglobalMethodSetter($name);
+
+        $addTip = static function (RuleErrorBuilder $ruleErrorBuilder) use ($method, $dimType, $exprType): RuleErrorBuilder {
+            if ($dimType->getConstantStrings() !== [] && $exprType->getConstantStrings() !== []) {
+                foreach ($dimType->getConstantStrings() as $dimString) {
+                    foreach ($exprType->getConstantStrings() as $exprString) {
+                        $ruleErrorBuilder->addTip(sprintf(
+                            'Use \\Config\\Services::superglobals()->%s(%s, %s) instead.',
+                            $method,
+                            $dimString->describe(VerbosityLevel::precise()),
+                            $exprString->describe(VerbosityLevel::precise())
+                        ));
+                    }
+                }
+
+                return $ruleErrorBuilder;
+            }
+
+            return $ruleErrorBuilder->tip(sprintf('Use \\Config\\Services::superglobals()->%s() instead.', $method));
+        };
+
+        return [
+            $addTip(RuleErrorBuilder::message(sprintf('Assigning %s directly on offset %s of $%s is discouraged.', $expr, $dim, $name)))
+                ->identifier('codeigniter.superglobalAccessAssign')
+                ->build(),
+        ];
+    }
+
+    /**
+     * @param Node\Expr\Assign $node
+     *
+     * @return RuleError[]
+     */
+    private function processVariableExpr(Node $node, Scope $scope): array
+    {
+        assert($node->var instanceof Node\Expr\Variable);
+
+        $name = $node->var->name;
+
+        if (! is_string($name)) {
+            return [];
+        }
+
+        if (! $this->superglobalRuleHelper->isHandledSuperglobal($name)) {
+            return [];
+        }
+
+        if ($name !== '_GET') {
+            return [];
+        }
+
+        $exprType = $scope->getType($node->expr);
+
+        if (! $exprType->isArray()->yes()) {
+            return [
+                RuleErrorBuilder::message(sprintf('Cannot re-assign non-arrays to $_GET, got %s.', $exprType->describe(VerbosityLevel::typeOnly())))
+                    ->identifier('codeigniter.getReassignNonarray')
+                    ->build(),
+            ];
+        }
+
+        return [
+            RuleErrorBuilder::message('Re-assigning arrays to $_GET directly is discouraged.')
+                ->tip('Use \\Config\\Services::superglobals()->setGetArray() instead.')
+                ->identifier('codeigniter.getReassignArray')
+                ->build(),
+        ];
+    }
+}

src/Rules/Superglobals/SuperglobalRuleHelper.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) 2023 CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\PHPStan\Rules\Superglobals;
+
+use InvalidArgumentException;
+
+final class SuperglobalRuleHelper
+{
+    public function isHandledSuperglobal(string $name): bool
+    {
+        return in_array($name, ['_SERVER', '_GET'], true);
+    }
+
+    /**
+     * @throws InvalidArgumentException
+     */
+    public function getSuperglobalMethodSetter(string $name): string
+    {
+        return match ($name) {
+            '_SERVER' => 'setServer',
+            '_GET'    => 'setGet',
+            default   => throw new InvalidArgumentException(sprintf('Unhandled superglobal: "%s".', $name)),
+        };
+    }
+
+    /**
+     * @throws InvalidArgumentException
+     */
+    public function getSuperglobalMethodGetter(string $name): string
+    {
+        return match ($name) {
+            '_SERVER' => 'server',
+            '_GET'    => 'get',
+            default   => throw new InvalidArgumentException(sprintf('Unhandled superglobal: "%s".', $name)),
+        };
+    }
+}

tests/Fixtures/Rules/Superglobals/superglobal-access-cases.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) 2023 CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace SuperglobalAccess;
+
+$foo = $_SERVER['foo'] ?? null;
+
+$a = (static fn (): string => mt_rand(0, 1) ? 'a' : 'b')();
+$b = $_GET[$a] ?? null;
+
+function bar(string $c): ?string
+{
+    return $_SERVER[$c] ?? null;
+}

tests/Fixtures/Rules/Superglobals/superglobal-assign-cases.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) 2023 CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace SuperglobalAssign;
+
+$_SERVER['HTTP_HOST'] = 'https://localhost';
+
+$_GET['first_name'] = 'John Doe';
+
+$_SERVER[0] = 'hello';
+
+function bar(string $key, string $value): void
+{
+    $_SERVER[$key] = $value;
+
+    $_GET[$key] = $value;
+}
+
+$_GET = 'sss';
+$_GET = 12_500;
+
+$_GET = ['first' => 'John', 'last' => 'Doe'];