Tainted PHP code? JetBrains Qodana has a new detection feature

Closer inspection

JetBrains has released a taint analysis feature for PHP in preview, via its early access programme.

A “taint”, the company said, is “any value that can pose a security risk when modified by an external user.” Allowing unverified external data leaves code vulnerable to “SQL injection, arithmetic overflow, cross-site scripting, path traversal, and more,” according to the post.

The key to detecting taints is to identify all the points where external data is accepted into the system. Correct code will sanitize the data – for example, using the PHP function htmlentities which converts special characters to HTML entities – and validation, such as ensuring that an email input field does actually contain an email address, is essential too.
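The source/sanitizer/sink pattern that a taint analyser looks for, written out as plain PHP. This is an added example, not code from the article or from JetBrains; it assumes the `pdo_sqlite` extension is available for the in-memory database and uses constructed sample input in place of a real request.

```php
<?php
declare(strict_types=1);

// Sources: values under user control (here, an array standing in for $_GET).
// Sinks: places where unverified data does damage (HTML output, SQL text).
// A taint analyser reports a flow from a source to a sink that passes no
// recognised sanitizer or validator along the way.

// Vulnerable: the request parameter reaches the HTML sink unchanged,
// so a taint analyser would flag this function.
function greetUnsafe(array $query): string
{
    $name = $query['name'] ?? 'guest';
    return "<p>Hello, $name</p>";
}

// Hardened: htmlentities() converts special characters to HTML entities,
// which breaks the tainted flow for the HTML context.
function greetSafe(array $query): string
{
    $name = htmlentities($query['name'] ?? 'guest', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, $name</p>";
}

// Validation is separate from sanitisation: an e-mail field must actually
// contain an e-mail address. filter_var() returns false for anything else.
function validateEmail(string $candidate): ?string
{
    $email = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// SQL sink, vulnerable form: concatenating the value into the query text
// makes the statement injectable.
function findUserUnsafe(PDO $db, string $email): array
{
    return $db->query("SELECT id FROM users WHERE email = '$email'")->fetchAll(PDO::FETCH_ASSOC);
}

// SQL sink, hardened form: a prepared statement keeps the data out of the
// query text entirely, so the flow is no longer tainted.
function findUserSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input standing in for a real request.
$query = ['name' => '<script>alert(1)</script>', 'email' => 'not-an-address'];

echo greetUnsafe($query), "\n"; // payload emitted verbatim
echo greetSafe($query), "\n";   // payload entity-encoded
var_dump(validateEmail($query['email']));
var_dump(validateEmail('dev@example.com'));

// In-memory SQLite so the SQL part runs offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users (email) VALUES ('dev@example.com')");
var_dump(findUserSafe($db, "dev@example.com' OR '1'='1"));   // no rows: treated as data
var_dump(findUserSafe($db, 'dev@example.com'));              // one row
```

The point a taint analyser checks is not whether a sanitizer is called somewhere in the file, but whether every path from the source to the sink passes through one appropriate to that sink: `htmlentities()` neutralises the HTML sink but does nothing for the SQL sink, where the prepared statement is the fix.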

Why only PHP? “Qodana for PHP was the first linter we released, so we decided to let PHP developers be the first to test our new security functionality, too. We plan on adding more languages in the future,” the post explains.

Qodana running via a local Docker container

Qodana is a code quality platform that relies on static analysis. It enables scanning of code and code analysis within an IDE, as well as integration with CI/CD systems. Currently 6 programming environments are supported: JVM (Java Virtual Machine), Android, PHP, Python, JavaScript, Go and .NET. When integrated into a CI/CD system, it can be configured to require checks to pass before code can be merged into a repository.

The tool is delivered either as a Docker image, or via a cloud service. Getting started is a matter of pulling the appropriate Docker image for a particular coding platform and running a code inspection. Qodana’s initial scan is treated as a baseline, and the detected problems pushed into a section called technical debt. “Bringing the number of problems in your code down to zero is quite simple, really: first, fix all existing issues; second, ensure no new problems appear over time. The second part may be easier than the first one, and by using the baseline, we set the current project state as the initial one and only track new issues that appear,” the docs explain.

Qodana is not the only approach to PHP static analysis. The open source project PHPStan is another, with a free-to-use version and a paid add-on with premium features. Released last month, PHPStan 1.10 adds a “lie detector” that validates inline @var PHPDoc tags, PHPDoc being a documentation tool for PHP adapted from Javadoc. PHPDoc can be useful for static analysis because it can add type information to what is otherwise a dynamically typed language.

Another popular open source PHP static analysis tool is Psalm, supported by the engineering team at Vimeo and completely free to use.