# Safety Rules

This document details the rules available in the Safety category.

## Available Rules

| Rule | Code |
|---|---|
| No Error Control Operator | `no-error-control-operator` |
| No Eval | `no-eval` |
| No FFI | `no-ffi` |
| No Global | `no-global` |
| No Request All | `no-request-all` |
| No Request Variable | `no-request-variable` |
| No Shell Execute String | `no-shell-execute-string` |
| No Unsafe Finally | `no-unsafe-finally` |
## no-error-control-operator

Detects the use of the error control operator `@`.

The error control operator suppresses errors and makes debugging more difficult.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
try {
    $result = file_get_contents('example.txt');
} catch (Throwable $e) {
    // Handle error
}
```

#### Incorrect Code

```php
<?php
$result = @file_get_contents('example.txt');
```
## no-eval

Detects unsafe uses of the `eval` construct. The `eval` construct executes arbitrary code, which can be a major security risk if not used carefully.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
// Safe alternative to eval: parse data instead of executing it
$jsonString = '{"message": "Hello, world!"}'; // constructed sample input
$result = json_decode($jsonString);
```

#### Incorrect Code

```php
<?php
eval('echo "Hello, world!";');
```
## no-ffi

Detects unsafe use of the PHP FFI (Foreign Function Interface) extension.

The FFI extension allows interaction with code written in other languages, such as C, C++, and Rust. This can introduce potential security risks and stability issues if not handled carefully.

If you are confident in your use of FFI and understand the risks, you can disable this rule in your Mago configuration.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
// Using a safe alternative to FFI
$data = 'some data';
$hash = hash('sha256', $data);
```

#### Incorrect Code

```php
<?php
use FFI;

$ffi = FFI::cdef("void* malloc(size_t size);");
$ffi->malloc(1024); // Allocate memory but never free it
```
## no-global

Detects the use of the `global` keyword and the `$GLOBALS` variable.

The `global` keyword introduces global state into your function, making it harder to reason about and test.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
function foo(string $bar): void {
    // ...
}
```

#### Incorrect Code

```php
<?php
function foo(): void {
    global $bar;
    // ...
}
```
## no-request-all

Detects the use of `$request->all()` or `Request::all()` in Laravel applications.

Such calls retrieve all input values, including ones you might not expect or intend to handle. It is recommended to use `$request->only([...])` to specify the inputs you need explicitly, ensuring better security and validation.

### Requirements

- Integration: Laravel

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "warning" |

### Examples

#### Correct Code

```php
<?php
namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class UserController extends Controller
{
    /**
     * Store a new user.
     */
    public function store(Request $request): RedirectResponse
    {
        $data = $request->only(['name', 'email', 'password']);
        // ...
    }
}
```

#### Incorrect Code

```php
<?php
namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class UserController extends Controller
{
    /**
     * Store a new user.
     */
    public function store(Request $request): RedirectResponse
    {
        $data = $request->all();
        // ...
    }
}
```
## no-request-variable

Detects the use of the `$_REQUEST` variable, which is considered unsafe.

Use `$_GET`, `$_POST`, or `$_COOKIE` instead for better clarity.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
$identifier = $_GET['id'];
```

#### Incorrect Code

```php
<?php
$identifier = $_REQUEST['id'];
```
## no-shell-execute-string

Detects the use of shell execute strings (the backtick operator, `` `...` ``) in PHP code.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
$output = shell_exec('ls -l');
```

#### Incorrect Code

```php
<?php
$output = `ls -l`;
```
## no-unsafe-finally

Detects control flow statements in `finally` blocks.

Control flow statements in `finally` blocks override control flows from `try` and `catch` blocks, leading to unexpected behavior.

### Configuration

| Option | Type | Default |
|---|---|---|
| enabled | boolean | true |
| level | string | "error" |

### Examples

#### Correct Code

```php
<?php
function example(): int {
    try {
        return get_value();
    } finally {
        // no control flow statements
    }
}
```

#### Incorrect Code

```php
<?php
function example(): int {
    try {
        return get_value();
    } finally {
        return 42; // Unsafe control flow statement in finally block
    }
}
```
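The override behavior described above, as an added example that is not part of the Mago documentation: a `return` in `finally` both replaces the value returned from `try` and discards an exception thrown there, which is why the rule treats it as unsafe. The function names are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed demonstration (not from the Mago docs) of why control flow in
// `finally` is unsafe. The function names below are hypothetical.

// A `return` in `finally` replaces whatever `try` returned.
function overridesReturn(): int
{
    try {
        return 1;
    } finally {
        return 42; // the caller receives 42, never 1
    }
}

// A `return` in `finally` also discards an exception thrown in `try`,
// so the failure never reaches the caller.
function swallowsException(): string
{
    try {
        throw new RuntimeException('database unavailable');
    } finally {
        return 'ok'; // the RuntimeException is silently dropped
    }
}

// Safe form: `finally` only performs cleanup, so the exception propagates.
function cleansUpAndPropagates(bool &$cleanedUp): void
{
    try {
        throw new RuntimeException('database unavailable');
    } finally {
        $cleanedUp = true; // cleanup only, no control flow statement
    }
}

var_dump(overridesReturn());
var_dump(swallowsException());

$cleanedUp = false;
try {
    cleansUpAndPropagates($cleanedUp);
} catch (RuntimeException $e) {
    // The failure is visible to the caller, and cleanup still ran.
    var_dump($cleanedUp, $e->getMessage());
}
```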