Exakat 0.10.5 review
Exakat 0.10.5 (code name: immortal of tiger power) shipped with no fewer than six new analyzers and a major upgrade of the Zend Framework report. Here is the Exakat 0.10.5 review.
Could be callable argument
Exakat now reports arguments that may be type-hinted with callable. Callable covers every form of PHP callback: strings, arrays and closures. Whenever an argument is passed as the callback parameter of a native function, or is called as a variable function, it is reported as callable.
<?php
function foo($array, $callable) {
    // $callable is passed where array_map() expects its callback, so it could be typed callable
    return array_map($callable, $array);
}
?>
This is an experiment that will lead us to a 'typehint' report. This report will collect the type hints that could be inferred from the code. Callable is an easy target, and more experiments are under way.
Encoded letters
PHP has several ways to encode characters: this covers characters that are rarely typed in code, like ideograms or special characters. Common characters, like letters, digits or some punctuation, may also be encoded. This is used by malware to avoid detection. For example, this code makes it hard to read the eval($_GET['z']);:
<?php
$x = "e\126al";   // octal 126 is "V"; function names are case-insensitive in PHP
$y = "_G\x45T";   // hex 45 is "E"
$x($$y['z']);
?>
Exakat now reports any string that encodes letters, digits or most punctuation whose Unicode code point is below 128.
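An added example, not Exakat's own code, of how such encoded letters can be spotted with PHP's tokenizer: `findEncodedLetters` and the sample source it scans are constructed here, and only escape sequences that decode to printable ASCII are reported.

```php
<?php
// Added example (not Exakat's implementation): flag double-quoted string
// literals whose escapes (\x45, \126, \u{45}) encode printable ASCII.
function findEncodedLetters(string $phpSource): array
{
    $findings = [];
    foreach (token_get_all($phpSource) as $token) {
        // Literals without interpolation arrive as one token: [id, text, line].
        if (!is_array($token) || $token[0] !== T_CONSTANT_ENCAPSED_STRING) {
            continue;
        }
        [, $literal, $line] = $token;
        // Single-quoted strings do not decode these escapes, so skip them.
        if ($literal[0] !== '"') {
            continue;
        }
        // The first alternative consumes an escaped backslash, so "\\x41" is
        // not mistaken for the escape \x41 (its capture group is then empty).
        $pattern = '/\\\\\\\\|\\\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\})/';
        preg_match_all($pattern, $literal, $matches);
        foreach ($matches[1] as $escape) {
            if ($escape === '') {
                continue;
            }
            if ($escape[0] === 'x') {
                $codePoint = hexdec(substr($escape, 1));
            } elseif ($escape[0] === 'u') {
                $codePoint = hexdec(trim(substr($escape, 1), '{}'));
            } else {
                $codePoint = octdec($escape);
            }
            // Printable ASCII (space through tilde) has no reason to be escaped.
            if ($codePoint >= 0x20 && $codePoint < 0x7F) {
                $findings[] = sprintf('line %d: \\%s encodes "%s" in %s',
                    $line, $escape, chr($codePoint), $literal);
            }
        }
    }
    return $findings;
}

// Constructed input: the obfuscated snippet above, plus a literal with an
// escaped backslash that must not be flagged.
$sample = <<<'PHP'
<?php
$x = "e\126al";
$y = "_G\x45T";
$path = "dir\\x41";
PHP;
print_r(findEncodedLetters($sample));
```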
Strange variable and constants names
Who wants to return '$tihs'? Or use the famously useful constant DIRECOTRY_SEPARATOR? Those are rare, but they happen. We now have a growing collection of them: they were all found in someone's code. Currently, we cover variables, constants and methods. Also, feel free to send us your own (it may truly be a friend's mistake, but we won't disclose names anyway).
Too many FindBy*
Lastly, a new experiment: classes defining more than 5 methods whose names start with 'findBy' are reported. The idea is to replace so many methods with a single Criteria class that collects all the constraints and relies on dependency injection. This is always better than hard coding all possibilities and their combinations.
This is a first step, as I believe that 'findBy' may not be the only prefix or suffix to target. If you have other prefixes to target, drop us a note @exakat. Thanks to Alexis for suggesting this analysis.
array_merge() with one argument is not useless
We updated the 'useless instructions' analysis, removing array_merge() and array_merge_recursive() with only one argument. While merging a single array sounds useless, it turns out that PHP cleans the keys while merging: array_merge() preserves the string keys, but renumbers the numeric keys in order. Thanks to Mark Baker for pointing it out.
<?php
$array = array(1 => 1, 'a' => 'a', -1 => 1);
$array = array_merge($array);
// $array is now array(0 => 1, 'a' => 'a', 1 => 1):
// the string key is kept, the numeric keys are renumbered from 0
?>
Happy PHP code auditing
Exakat 0.10.5 brings a load of new analyses. Quite a number of other fixes and edge cases were fixed under the hood too. All the 300+ analyzers are presented in the docs, including the classic 'No boolean as default'. Download Exakat on exakat.io, upgrade it with 'exakat.phar upgrade -u' and like us on github.