Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mortenson/psalm-plugin-drupal

A project to add Psalm support for Drupal for security testing, focused only on taint analysis.
https://github.com/mortenson/psalm-plugin-drupal

Last synced: about 1 month ago
JSON representation

A project to add Psalm support for Drupal for security testing, focused only on taint analysis.

Host: GitHub
URL: https://github.com/mortenson/psalm-plugin-drupal
Owner: mortenson
License: other
Created: 2021-03-07T01:53:01.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2024-03-25T15:28:22.000Z (9 months ago)
Last Synced: 2024-05-02T00:45:32.103Z (8 months ago)
Language: PHP
Size: 68.4 KB
Stars: 43
Watchers: 8
Forks: 7
Open Issues: 3
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

README

![Test Status](https://github.com/mortenson/psalm-plugin-drupal/actions/workflows/tests.yml/badge.svg)

# psalm-plugin-drupal

A Drupal integration for Psalm focused on security scanning (SAST) taint
analysis.

## Features

- Stubs for sinks, sources, and sanitizers
- Loading of `.module` and `.theme` files
- Autoloading of modules without an installed site
- Support for `\Drupal::service()`
- Custom script for dumping the Drupal container to XML
- Support for detecting tainted render arrays
- Novel support for Controllers and Form methods.

## Installing and running on your Drupal site

This plugin is meant to be used on your Drupal site, for the scanning of custom
modules. Note that if you follow this guide and run it on a contrib module, and
you find a valid result, you should report your findings to the Drupal Security
Team.

To install the plugin:

1. Run `composer require mortenson/psalm-plugin-drupal:dev-master`
2. Change directories to the root of your Drupal installation (ex: `cd web`, `cd docroot`).
3. Create a `psalm.xml` file in the root of your Drupal installation like:
```xml

DrupalContainerDump.xml

DrupalContainerDump.xml

```
4. Run `php ../vendor/mortenson/psalm-plugin-drupal/scripts/dump_script.php && ../vendor/bin/psalm .`

Note that the path to `vendor` may change based on your Drupal installation.

### Generating an entrypoint for seemingly unused class methods

Drupal's code paths aren't always clear, especially in Drupal 8. Because of
this, things like Controller methods (aka route callbacks) will not be
analyzed when running Psalm.

To have Psalm analyze these paths, you'll need to generate an entrypoint file
that executes the methods you want to test.

A script has been included for you to generate this entrypoint for you. To use
it, do the following:

1. Run `php ../vendor/mortenson/psalm-plugin-drupal/scripts/generate_entrypoint.php `
2. Add `` to your
`psalm.xml` file, under the `` node.
3. Run Psalm.

Currently, only `routing.yml` files are parsed to generate the entrypoint,
focusing on Controller and Form methods.

## Contributing

### Running and writing tests

Tests use Codeception via [weirdan/codeception-psalm-module].

You can run tests with `composer run test`.

To write tests, edit tests/acceptance/PsalmPluginDrupal.feature and add a new
Scenario.

To run a single failing test, add the `@failing` tag above the `Scenario:`
line, then run `composer run test-failing`.

### Checking code style

Code style should be checked before committing code.

To do this, run `composer run cs-check`, or `composer run cs-fix` to
automatically fix issues with `phpcbf`.

[weirdan/codeception-psalm-module]: https://github.com/weirdan/codeception-psalm-module