Exakat 1.6.6 Review

Exakat 1.6.6 was born in Miami, during Sunshine PHP 19. The conference is incredibly energetic, and with the help of fellow attendees, it provided inspiration for some interesting updates: PHP supports strings with bitwise operators (good for security); Exakat reviews typehints and checks whether they are sufficient for the method calls made on the argument. Avast, me hearties, to the Exakat 1.6.6 review!

Insufficient Typehint

Typehints are a constraint on arguments: they specify the type of incoming data, so that its methods and properties are known early in the code. For example:

<?php

interface i {
    function foo() ;
}

class x implements i {
    function foo() { return 1;}
    function bar() { return 2;}
}

function foobar(i $x) {
    echo $x->foo();
}

?>

As you can read above, $x is now an object whose class implements the i interface: in the script above, this means that the method foo is implemented. This way, it is possible to check that the incoming argument $x has the prerequisites to be used in the function foobar.

Typehinting, which is part of the typing strategy to improve the code, only checks that the correct interface is implemented. It doesn't check that the interface's methods are actually used, since that is not compulsory. Nor does it check whether any other method is used, as illustrated below, based on the previous script.

<?php

interface i {
    function foo() ;
}

class x implements i {
    function foo() { return 1;}
    function bar() { return 2;}
}

function foobar(i $x) {
    echo $x->foo();
    echo $x->bar(); // This is a new call
}

?>

The call to the method bar was added to the foobar function, and if the object is an x object, then bar is indeed a method of this object. Yet, the typehint only requires the interface i to be implemented. As such, an implementation of i without bar would end the application with a fatal error.

The current analysis in Exakat checks whether the methods called on the argument are really defined by its typehint. Undefined interfaces are currently skipped. This should help spot pieces of code that are trying to sneak in some extra method call: the maintenance day when another class is used with this function would be a day of misery.
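As an added illustration of the check described above (this is not Exakat's own code), the script below reuses the interface from the article, adds a second, perfectly valid implementation of i that has no bar(), and then runs a small reflection-based check over foobar: for every parameter with a class or interface typehint, it looks for $param->method( calls in the function body and reports those the typehint does not declare. The helper insufficientTypehints and the class y are assumptions introduced for the example; the script assumes it is saved to a file, since ReflectionFunction::getFileName() is used to read the function body.

```php
<?php
// Added example, not Exakat's code: a minimal "insufficient typehint" check.

interface i {
    function foo();
}

class x implements i {
    function foo() { return 1; }
    function bar() { return 2; }
}

// A second implementation of i. It satisfies the typehint, but has no bar().
class y implements i {
    function foo() { return 3; }
}

function foobar(i $x) {
    echo $x->foo();
    echo $x->bar(); // not guaranteed by the typehint i
}

/**
 * Report method calls on typehinted parameters that the typehint does not declare.
 * Returns one message per undeclared method, or an empty array if all is fine.
 */
function insufficientTypehints(string $functionName): array {
    $fn    = new ReflectionFunction($functionName);
    $lines = file($fn->getFileName());
    $body  = implode('', array_slice(
        $lines,
        $fn->getStartLine() - 1,
        $fn->getEndLine() - $fn->getStartLine() + 1
    ));

    $issues = [];
    foreach ($fn->getParameters() as $param) {
        $type = $param->getType();
        if (!$type instanceof ReflectionNamedType || $type->isBuiltin()) {
            continue; // only class and interface typehints matter here
        }
        $declared = new ReflectionClass($type->getName());

        // Every "$param->method(" call inside the function body.
        $pattern = '/\$' . preg_quote($param->getName(), '/') . '->(\w+)\s*\(/';
        preg_match_all($pattern, $body, $matches);

        foreach (array_unique($matches[1]) as $method) {
            if (!$declared->hasMethod($method)) {
                $issues[] = sprintf('$%s->%s() is not declared by %s',
                                    $param->getName(), $method, $declared->getName());
            }
        }
    }
    return $issues;
}

print_r(insufficientTypehints('foobar'));
// Reports: $x->bar() is not declared by i

foobar(new x());        // prints 12: x happens to have bar()
echo PHP_EOL;

try {
    foobar(new y());    // prints 3, then fails on bar()
} catch (Error $e) {
    echo PHP_EOL, 'Caught: ', $e->getMessage(), PHP_EOL;
    // Caught: Call to undefined method y::bar()
}
?>
```

The fix is to make the typehint say what the function needs: declare bar() in interface i (or typehint a more specific interface that does), so that y either implements it or is rejected at the call site instead of at the maintenance day. The regex-based scan is deliberately crude compared to a real static analyzer; it is enough to show why the check has to look at the calls made on the argument, not just at the declared type.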

Thanks to Brandon Savage for the inspiration!

Bitwise operators with strings

Bitwise operators are &, |, ^ and ~. They work on data as a bit field and return an integer, while their close cousins &&, ||, and, or and xor make logical combinations and return a boolean.

What is less known is that bitwise operators also work with strings. When BOTH operands are strings, PHP turns each character into its code, applies the operation character by character, and then turns the result back into a string. See the script live on 3v4l.org:

<?php

echo 'a' ^ 'Z', PHP_EOL;
echo 'a', ord('a'), PHP_EOL;
echo 'Z', ord('Z'), PHP_EOL;
echo '90 ^ 97', 90 ^ 97, PHP_EOL;
echo ';', ord(';'), PHP_EOL;

?>

The semicolon (ASCII 59) is the result of the xor applied to a (ASCII 97) and Z (ASCII 90).

This is not a frequent usage, but this PHP feature is a good way to obfuscate code and hide strings that may contain sensitive names. Like this:

<?php

$_="`{{{" ^ "?<>/";

${$_}

?>

The xor of the two strings produces the string _GET, which, in turn, may be used as a variable name to reach the PHP superglobal.

Note that the line above doesn't contain any alphabetical characters, leading to hard-to-grep code. Yet, it works its way to producing a reference to $_GET, and from there, opens access to injections.

Thanks to Chris Cornutt for pointing out this script. This led to upgrading the Exakat engine, so that the bitwise operators now handle strings correctly, on top of handling integers. We will upgrade the security analyses with these new tools.
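The engine change described in this section, evaluating bitwise operators on string literals rather than only on integers, is what lets an analyzer see through the "`{{{" ^ "?<>/" trick. As an added example (not Exakat's code), the script below uses token_get_all to find ^, | and & applied to two string literals, computes the string they actually produce, and reports it with the line number. The sample source $sample is constructed for the example and embeds the snippet from the article; decodeLiteral and findStringBitwiseOps are helpers introduced here.

```php
<?php
// Added example, not Exakat's code: reveal strings hidden behind bitwise
// operators on string literals, so that a reviewer can grep for "_GET" again.

// Constructed sample source, including the snippet from the article.
$sample = <<<'PHP'
<?php
$_ = "`{{{" ^ "?<>/";   // line 2: the article's obfuscated superglobal name
$a = 'a' ^ 'Z';         // line 3: the semicolon example
$n = 90 ^ 97;           // line 4: integers, not a string obfuscation
${$_};
PHP;

/** Turn a T_CONSTANT_ENCAPSED_STRING token text back into its runtime value. */
function decodeLiteral(string $token): string {
    $quote = $token[0];
    $inner = substr($token, 1, -1);
    if ($quote === "'") {
        // Single quotes: only \\ and \' are escape sequences.
        return str_replace(['\\\\', "\\'"], ['\\', "'"], $inner);
    }
    // Double quotes: C-style escapes (assumption: no variable interpolation,
    // which would not be a T_CONSTANT_ENCAPSED_STRING token anyway).
    return stripcslashes($inner);
}

/** Find "literal OP literal" with OP in ^ | & and compute the resulting string. */
function findStringBitwiseOps(string $source): array {
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || $t[0] !== T_WHITESPACE;   // drop whitespace
    }));

    $found = [];
    for ($i = 1; $i < count($tokens) - 1; $i++) {
        // PHP 8.1 tokenizes & as an array token; normalize to its text.
        $op = is_array($tokens[$i]) ? $tokens[$i][1] : $tokens[$i];
        if (!in_array($op, ['^', '|', '&'], true)) {
            continue;
        }
        $left  = $tokens[$i - 1];
        $right = $tokens[$i + 1];
        if (!is_array($left)  || $left[0]  !== T_CONSTANT_ENCAPSED_STRING) continue;
        if (!is_array($right) || $right[0] !== T_CONSTANT_ENCAPSED_STRING) continue;

        $l = decodeLiteral($left[1]);
        $r = decodeLiteral($right[1]);
        switch ($op) {
            case '^': $value = $l ^ $r; break;
            case '|': $value = $l | $r; break;
            default:  $value = $l & $r;
        }
        $found[] = [
            'line'  => $left[2],
            'expr'  => $left[1] . ' ' . $op . ' ' . $right[1],
            'value' => $value,
        ];
    }
    return $found;
}

foreach (findStringBitwiseOps($sample) as $hit) {
    printf("line %d: %s => %s\n", $hit['line'], $hit['expr'], $hit['value']);
}
// line 2: "`{{{" ^ "?<>/" => _GET
// line 3: 'a' ^ 'Z' => ;
?>
```

The integer case on line 4 is skipped on purpose: the analyzer's interest is only in operands that are both strings, exactly the condition under which PHP performs the character-wise operation. A next step for a real tool would be to follow the resulting value into ${$_} and flag the variable-variable access to a superglobal.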

PHP 7.3.2 bug fixes

Last week, PHP 7.3.2 and PHP 7.2.15 were released.

When you want to know whether a PHP patch version may have an impact on your code, run an audit and open the Ambassador report. In the section 'Audit log', there is an entry called 'Bugfixes'. It reports functions and extensions that were found in the audited code and that were fixed in the release.

Bug fixes right into your code

This gives a precise review of any potential impact of a PHP patch on your code. Sometimes you had to work around the bug to make it work, and it is good news to be freed from this tyranny.

The Weekly Audits : 2019, Week #08

Exakat includes a 'weekly' report: this report is built with a selection of five analyses. This means a short audit report, with few issues to review: not a lot to read, and quick to check in your code. Everyone in the PHP community can focus on one of the classic coding problems and fix it. Talk about the weekly audit around you: you'll find programmers facing the same challenges.

To obtain the 'weekly' audit, run an audit and request the 'Weekly' report.

# Init the project (skip when it is already done)    
php exakat.phar init -p <yourproject> -R https://github.com/Seldaek/monolog.git -git 

# Run the project (skip when it is already done)    
php exakat.phar project -p <yourproject> 

# Export the weekly project (every monday)    
php exakat.phar report -p <yourproject> -format Weekly 

# Open projects/<yourproject>/weekly/index.html in your browser    

Every week, you can find here 5 new analyses to review in your code. In fact, when your code is clean, you can also take a quick look at the upcoming

Weekly recommendations for PHP code review : 2018, week 2019-07

Happy PHP Code Reviews

All 356 analyzers are presented in the docs, including the inevitable Avoid Optional Properties: avoid optional properties, to prevent littering the code with existence checks.

It is a frequent source of overwork in the code: 74% of applications fall for this misguided pattern.

You can check all of the Exakat reports at the gallery: exakat gallery.

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on github.