psalm-plugin-symfony/README.md

# Symfony Psalm Plugin

![Integrate](https://github.com/psalm/psalm-plugin-symfony/workflows/Integrate/badge.svg)

### Installation

```
composer require --dev psalm/plugin-symfony
vendor/bin/psalm-plugin enable psalm/plugin-symfony
```

### Features

- Detect `ContainerInterface::get()` result type. Works better if you [configure](#configuration) compiled container XML file.
- Support [Service Subscribers](https://github.com/psalm/psalm-plugin-symfony/issues/20). Works only if you [configure](#configuration) compiled container XML file.
- Detect return type of console arguments (`InputInterface::getArgument()`) and options (`InputInterface::getOption()`). Enforces
to use InputArgument and InputOption constants as a part of best practise.
- Detects correct Doctrine repository class if entities are configured with annotations.
- Fixes `PossiblyInvalidArgument` for `Symfony\Component\HttpFoundation\Request::getContent`.
The plugin calculates real return type by checking the given argument and marks return type as either string or resource.
- Detect return type of `Symfony\Component\HttpFoundation\HeaderBag::get` (by checking default value and third argument for < Symfony 4.4)
- Detect return type of `Symfony\Component\Messenger\Envelope::last` and `Symfony\Component\Messenger\Envelope::all`, based on the provided argument.
- Taint analysis for Symfony
- Detects service and parameter [naming convention](https://symfony.com/doc/current/contributing/code/standards.html#naming-conventions) violations
- Complains when `Container` is injected to a service. Use dependency-injection.
- Fix false positive `PropertyNotSetInConstructor` issues
  - $container in AbstractController
  - $context in ConstraintValidator classes
  - properties in custom `@Annotation` classes

### Configuration

If you follow installation instructions, psalm-plugin command will add plugin configuration to psalm.xml

```xml
<?xml version="1.0"?>
<psalm errorLevel="1">
    <!--  project configuration -->

    <plugins>
        <pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin" />
    </plugins>
</psalm>
```

To be able to detect return types of services using ID (generally starts with `@` in Symfony YAML config files. Ex: `logger` service)
`containerXml` must be provided. Example:
```xml
<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
    <containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>
</pluginClass>
```

This file path may change based on your Symfony version, file structure and environment settings.
Default file for Symfony versions:
- Symfony 3: var/cache/dev/srcDevDebugProjectContainer.xml
- Symfony 4: var/cache/dev/srcApp_KernelDevDebugContainer.xml
- Symfony 5: var/cache/dev/App_KernelDevDebugContainer.xml

Multiple container files can be configured. In this case, first valid file is taken into account.
If none of the given files is valid, configuration exception is thrown.
Example:

```xml
<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
    <containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>
    <containerXml>var/cache/dev/App_KernelTestDebugContainer.xml</containerXml>
</pluginClass>
```

#### Twig tainting configuration

There are two approaches to including twig templates for taint analysis  :

 - one based on a specific file analyzer which uses the twig parser to taint twig's AST nodes
 - one based on the already compiled twig templates

To leverage the real Twig file analyzer, you have to configure the `.twig` extension as follows :

```xml
<fileExtensions>
   <extension name=".php" />
   <extension name=".twig" checker="./vendor/psalm/plugin-symfony/src/Twig/TemplateFileAnalyzer.php"/>
</fileExtensions>
```

To allow the analysis through the cached template files, you have to add the `twigCachePath` entry to the plugin configuration :

```xml
<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
    <twigCachePath>/cache/twig</twigCachePath>
</pluginClass>
```

### Credits

- Plugin created by [@seferov](https://github.com/seferov)
- [@weirdan](https://github.com/weirdan) for [codeception psalm module](https://github.com/weirdan/codeception-psalm-module)
initial commit 2019-11-12 14:36:05 +01:00			`# Symfony Psalm Plugin`

Github Actions: fix badge 2020-03-13 17:16:51 +01:00			`![Integrate](https://github.com/psalm/psalm-plugin-symfony/workflows/Integrate/badge.svg)`
acceptance tests (#3) 2019-11-14 08:27:50 +01:00
initial commit 2019-11-12 14:36:05 +01:00			`### Installation`

			```
Update references 2020-03-13 15:45:04 +01:00			`composer require --dev psalm/plugin-symfony`
			`vendor/bin/psalm-plugin enable psalm/plugin-symfony`
initial commit 2019-11-12 14:36:05 +01:00			```
acceptance tests (#3) 2019-11-14 08:27:50 +01:00
[feature] request getContent return type fix (#5) 2019-12-06 10:25:16 +01:00			`### Features`

add class to codebase if service is used by id (#10) * add class to codebase if service is used by id * fix doc 2020-03-11 14:43:52 +01:00			- Detect `ContainerInterface::get()` result type. Works better if you [configure](#configuration) compiled container XML file.
[container] support subscribed services in child classes (#102) 2020-11-15 19:52:47 +01:00			`- Support [Service Subscribers](https://github.com/psalm/psalm-plugin-symfony/issues/20). Works only if you [configure](#configuration) compiled container XML file.`
console handler (#22) * console handler - fixes #17 * no message * no message 2020-04-12 16:56:21 +02:00			- Detect return type of console arguments (`InputInterface::getArgument()`) and options (`InputInterface::getOption()`). Enforces
			`to use InputArgument and InputOption constants as a part of best practise.`
Tainting twig (#61) * Taint Request::get and Response::__construct * Taint Request::request, Request::query & Request::cookies * Taint Request::headers (only for the user-agent header) * Taint HeaderBag::__toString (and a fix of psalm taint api usage) * Taint InputBag::all * Fix type resolving * Bump psalm requirement * refactoring first scenario outline * Refactor RequestTaint * no message * Taint HeaderBag using the MethodReturnTypeProviderInterface * Skip tests when dependencies too low * Taint Request::get and Response::__construct * Taint Request::headers (only for the user-agent header) * wip * Try using MethodReturnTypeProviderInterface * Compiling templates * Make it work using fake call * Explicitely load compliled twig files * wip * Add more direct way of tainting output * wip * Add real twig template analyzer * Refactor * Little fixes * Change namespace from Taint to Twig * Refactoring * Some type fixing * Fix CS * Guess template-to-cache mapping instead of using the twig env. * Fix typing * Last minutes changes * Change test group * Update README * fix TemplateFileAnalyzer path in readme Co-authored-by: Farhad Safarov <farhad.safarov@gmail.com> Co-authored-by: Brown <github@muglug.com> 2020-09-13 18:37:26 +02:00			`- Detects correct Doctrine repository class if entities are configured with annotations.`
[feature] request getContent return type fix (#5) 2019-12-06 10:25:16 +01:00			- Fixes `PossiblyInvalidArgument` for `Symfony\Component\HttpFoundation\Request::getContent`.
			`The plugin calculates real return type by checking the given argument and marks return type as either string or resource.`
HeaderBag get default value return type (#49) 2020-06-26 13:58:43 +02:00			- Detect return type of `Symfony\Component\HttpFoundation\HeaderBag::get` (by checking default value and third argument for < Symfony 4.4)
Add envelope stub to provide the correct argument and return types (#53) * Add envelope stub to provide the correct argument and return types * Use a custom test stamp 2020-07-06 05:29:10 +02:00			- Detect return type of `Symfony\Component\Messenger\Envelope::last` and `Symfony\Component\Messenger\Envelope::all`, based on the provided argument.
Taint Request::get and Response::__construct (#50) * Taint Request::get and Response::__construct * no message Co-authored-by: Farhad Safarov <farhad.safarov@gmail.com> 2020-07-02 13:27:48 +02:00			`- Taint analysis for Symfony`
naming convention for parameters (#52) 2020-06-28 08:04:40 +02:00			`- Detects service and parameter [naming convention](https://symfony.com/doc/current/contributing/code/standards.html#naming-conventions) violations`
[feature] request getContent return type fix (#5) 2019-12-06 10:25:16 +01:00			- Complains when `Container` is injected to a service. Use dependency-injection.
PropertyNotSetInConstructor error is not raised when class is an Annotation (#65) 2020-08-01 17:07:39 +02:00			- Fix false positive `PropertyNotSetInConstructor` issues
			`- $container in AbstractController`
			`- $context in ConstraintValidator classes`
			- properties in custom `@Annotation` classes
[feature] request getContent return type fix (#5) 2019-12-06 10:25:16 +01:00
refactor container check (#8) * refactor container check * no message * no message * no message 2020-03-09 13:24:39 +01:00			`### Configuration`

totallyTyped is deprecated, changed to errorLevel="1" (#56) Co-authored-by: Anton Zagorskii <anton@paytronix.io> 2020-07-19 10:28:57 +02:00			`If you follow installation instructions, psalm-plugin command will add plugin configuration to psalm.xml`
refactor container check (#8) * refactor container check * no message * no message * no message 2020-03-09 13:24:39 +01:00
			```xml
			`<?xml version="1.0"?>`
totallyTyped is deprecated, changed to errorLevel="1" (#56) Co-authored-by: Anton Zagorskii <anton@paytronix.io> 2020-07-19 10:28:57 +02:00			`<psalm errorLevel="1">`
refactor container check (#8) * refactor container check * no message * no message * no message 2020-03-09 13:24:39 +01:00			`<!-- project configuration -->`

			`<plugins>`
Migrate Seferov => Psalm 2020-03-13 15:51:18 +01:00			`<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin" />`
refactor container check (#8) * refactor container check * no message * no message * no message 2020-03-09 13:24:39 +01:00			`</plugins>`
			`</psalm>`
			```

			To be able to detect return types of services using ID (generally starts with `@` in Symfony YAML config files. Ex: `logger` service)
			`containerXml` must be provided. Example:
			```xml
Migrate Seferov => Psalm 2020-03-13 15:51:18 +01:00			`<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">`
refactor container check (#8) * refactor container check * no message * no message * no message 2020-03-09 13:24:39 +01:00			`<containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>`
			`</pluginClass>`
			```

			`This file path may change based on your Symfony version, file structure and environment settings.`
			`Default file for Symfony versions:`
			`- Symfony 3: var/cache/dev/srcDevDebugProjectContainer.xml`
			`- Symfony 4: var/cache/dev/srcApp_KernelDevDebugContainer.xml`
			`- Symfony 5: var/cache/dev/App_KernelDevDebugContainer.xml`

[container] multiple container xml file support (#45) 2020-06-19 15:18:31 +02:00			`Multiple container files can be configured. In this case, first valid file is taken into account.`
			`If none of the given files is valid, configuration exception is thrown.`
			`Example:`

			```xml
			`<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">`
			`<containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>`
			`<containerXml>var/cache/dev/App_KernelTestDebugContainer.xml</containerXml>`
			`</pluginClass>`
			```

Tainting twig (#61) * Taint Request::get and Response::__construct * Taint Request::request, Request::query & Request::cookies * Taint Request::headers (only for the user-agent header) * Taint HeaderBag::__toString (and a fix of psalm taint api usage) * Taint InputBag::all * Fix type resolving * Bump psalm requirement * refactoring first scenario outline * Refactor RequestTaint * no message * Taint HeaderBag using the MethodReturnTypeProviderInterface * Skip tests when dependencies too low * Taint Request::get and Response::__construct * Taint Request::headers (only for the user-agent header) * wip * Try using MethodReturnTypeProviderInterface * Compiling templates * Make it work using fake call * Explicitely load compliled twig files * wip * Add more direct way of tainting output * wip * Add real twig template analyzer * Refactor * Little fixes * Change namespace from Taint to Twig * Refactoring * Some type fixing * Fix CS * Guess template-to-cache mapping instead of using the twig env. * Fix typing * Last minutes changes * Change test group * Update README * fix TemplateFileAnalyzer path in readme Co-authored-by: Farhad Safarov <farhad.safarov@gmail.com> Co-authored-by: Brown <github@muglug.com> 2020-09-13 18:37:26 +02:00			`#### Twig tainting configuration`

			`There are two approaches to including twig templates for taint analysis :`

			`- one based on a specific file analyzer which uses the twig parser to taint twig's AST nodes`
			`- one based on the already compiled twig templates`

			To leverage the real Twig file analyzer, you have to configure the `.twig` extension as follows :

			```xml
			`<fileExtensions>`
			`<extension name=".php" />`
			`<extension name=".twig" checker="./vendor/psalm/plugin-symfony/src/Twig/TemplateFileAnalyzer.php"/>`
			`</fileExtensions>`
			```

			To allow the analysis through the cached template files, you have to add the `twigCachePath` entry to the plugin configuration :

			```xml
			`<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">`
			`<twigCachePath>/cache/twig</twigCachePath>`
			`</pluginClass>`
			```

acceptance tests (#3) 2019-11-14 08:27:50 +01:00			`### Credits`

Add creator 2020-03-13 17:28:45 +01:00			`- Plugin created by [@seferov](https://github.com/seferov)`
acceptance tests (#3) 2019-11-14 08:27:50 +01:00			`- [@weirdan](https://github.com/weirdan) for [codeception psalm module](https://github.com/weirdan/codeception-psalm-module)`