Release Notes - 1.1


  • 1.1.0-funcrel
    Added the functions forward_static_call(), forward_static_call_array(), register_shutdown_function() and register_tick_function() as Psalm sinks, improving the accuracy of rules 1034012 “Avoid reflection injection (PHP)” and 1034046 “Avoid second order reflection injection (PHP)”.
    Handles the constants XMLReader::VALIDATE and XMLReader::SUBST_ENTITIES, improving the accuracy of rule 1034054 “Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP)”.
    Uses the Linux PHP executable and shared libraries from com.castsoftware.php.runtime82, adding support for Linux.
    Updates to Psalm 5.26.1 (internal library upgrade).
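    As an added illustration of the funcrel change above (example code written for this page, not code from the CAST extension or from Psalm), the following shows a request-controlled string reaching the newly added sinks forward_static_call() and register_shutdown_function(), beside an allow-list rewrite in which the callables stay constant. The Handlers and Dispatcher classes, the “action” and “arg” query parameters and the handler names are assumptions made for the example.

```php
<?php
// Added example, not code from the CAST extension or from Psalm.
// Shows the pattern rule 1034012 now catches through forward_static_call()
// and register_shutdown_function(), and an allow-list rewrite. The classes,
// query parameters and handler names are assumed for illustration.

final class Handlers
{
    public static function export(): void  { echo "export\n"; }
    public static function report(): void  { echo "report\n"; }
    public static function cleanup(): void { echo "cleanup\n"; }
}

final class Dispatcher   // forward_static_call() must run inside a class scope
{
    // Vulnerable: $_GET['action'] (taint source) becomes the callable handed to
    // both sinks. ?action=system&arg=id executes a shell command, and any
    // global function name registered here runs again at request shutdown.
    public static function vulnerable(): void
    {
        $action = $_GET['action'] ?? '';
        forward_static_call($action, $_GET['arg'] ?? '');
        register_shutdown_function($action);
    }

    // Hardened: the tainted string only selects a key of a fixed map; the
    // callables themselves are literals, so no taint reaches the sinks.
    private const ACTIONS = [
        'export' => [Handlers::class, 'export'],
        'report' => [Handlers::class, 'report'],
    ];

    public static function hardened(): void
    {
        $action = $_GET['action'] ?? '';
        if (!array_key_exists($action, self::ACTIONS)) {
            http_response_code(400);
            return;
        }
        forward_static_call(self::ACTIONS[$action]);
        register_shutdown_function([Handlers::class, 'cleanup']);
    }
}

// Stand-alone run from the CLI: the first argument stands in for the query string.
$_GET['action'] = $argv[1] ?? 'export';
Dispatcher::hardened();
```

    Running `php dispatch.php export` prints “export” then “cleanup”; `php dispatch.php system` is rejected with a 400 because “system” is not a key of the allow-list, which is exactly the data flow the sharpened rule no longer reports.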
  • 1.1.0-beta2
    Upgrade to Psalm 5.25.0 (with patches).
  • 1.1.0-beta1
    Upgrade to Psalm 5.24.0 (with patches).
    Added mt_srand(), str_shuffle() and array_rand() as functions triggering a violation for rule “Avoid using insufficient random generator (PHP)”. 💎 1034048
    Added ini_set('session.cookie_httponly', true) as a remediation for rule “Ensure httpOnly option is enabled when creating session (PHP)”. 💎 1034064
    NEW Avoid mixing trusted and untrusted data in HTTP requests (PHP) 💎 1034072
    NEW Ensure strict mode is enabled when creating session (PHP) 💎 1034070
    NEW Ensure SameSite option is enabled when creating session (PHP) 💎 1034068
    NEW Avoid creating application cookie without SameSite option (PHP) 💎 1034066
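    The session, cookie and random-generator rules listed for this beta are easiest to see side by side. The block below is an added example written for this page (not code from the CAST extension or from Psalm): the first function contains the patterns rules 1034048, 1034062/1034064, 1034066/1034068 and 1034070 report, the second the corresponding remediations, including the ini_set('session.cookie_httponly', true) form mentioned above. The cookie name, lifetime and the list of choices passed to the picker are assumptions.

```php
<?php
// Added example, not code from the CAST extension or from Psalm. The weak
// function collects the flagged patterns; the hardened one their fixes.
// Cookie name, lifetime and the sample choice list are assumed.

// --- Weak: what the rules report ------------------------------------------
function weak_session(): array
{
    session_start();                         // defaults: no strict mode, SameSite or httpOnly
    $csrf  = str_shuffle('0123456789abcdef0123456789abcdef');   // mt-based, predictable
    $promo = ['A', 'B', 'C'][array_rand(['A', 'B', 'C'])];     // same generator
    mt_srand(42);                            // fixed seed: the whole stream is reproducible
    $nonce = mt_rand();
    setcookie('remember', (string) $nonce);  // no httponly, no samesite, no secure
    return [$csrf, $promo, $nonce];
}

// --- Hardened --------------------------------------------------------------
function secure_pick(array $items): mixed
{
    return $items[random_int(0, count($items) - 1)];   // CSPRNG index instead of array_rand()
}

function hardened_session(): array
{
    ini_set('session.use_strict_mode', true);   // refuse uninitialised ids from the client (fixation)
    ini_set('session.cookie_httponly', true);   // remediation recognised by rule 1034064
    ini_set('session.cookie_samesite', 'Lax');  // 'Strict' where the application allows it
    ini_set('session.cookie_secure', true);
    session_start();

    $csrf  = bin2hex(random_bytes(32));         // CSPRNG token
    $promo = secure_pick(['A', 'B', 'C']);
    $nonce = random_int(PHP_INT_MIN, PHP_INT_MAX);

    setcookie('remember', (string) $nonce, [    // options-array form (PHP 7.3+) carries SameSite
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return [$csrf, $promo, $nonce];
}
```

    On PHP older than 8.1 ini_set() only accepts strings, so without strict_types the boolean true is coerced to "1"; passing '1' explicitly is the portable form. The session.use_strict_mode setting is what “Ensure strict mode is enabled when creating session” refers to: with it on, a session id the server never issued is discarded instead of adopted.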
  • 1.1.0-alpha3
    Added “$argv” and “$_FILES” as taint sources for the rule “Avoid SQL injection (PHP)” 📝 46530
    Fixes an issue where the rules provided by this extension were not considered “critical”; they are now. 📝 46596
    The Psalm report is now stored in a LISA sub-directory named “third_party_reports”. The detailed results of Psalm no longer appear in the standard CAST analysis logs.
    The global variable “$argv” was added as a source for taint analysis.
    The release of Psalm used by this extension has been updated to the “master” branch, commit 4b2c6980c51129b066ae85c73798162865df5142.
    Added $argv and $_FILES as taint sources for rule “Avoid uncontrolled sleep calls (PHP)” 💎 1034058
    Added $argv and $_FILES as taint sources for rule “Avoid XPath injection (PHP)” 💎 1034050
    Added $argv and $_FILES as taint sources for rule “Avoid server-side request forgery (PHP)” 💎 1034022
    Added $argv and $_FILES as taint sources for rule “Avoid HTTP header injection (PHP)” 💎 1034020
    Added $argv and $_FILES as taint sources for rule “Avoid deserialization injection (PHP)” 💎 1034018
    Added $argv and $_FILES as taint sources for rule “Avoid reflected cross-site scripting (non persistent) (PHP)” 💎 1034016
    Added $argv and $_FILES as taint sources for rule “Avoid file path manipulation (PHP)” 💎 1034014
    Added $argv and $_FILES as taint sources for rule “Avoid reflection injection (PHP)” 💎 1034012
    Added $argv and $_FILES as taint sources for rule “Avoid code injection (PHP)” 💎 1034010
    Added $argv and $_FILES as taint sources for rule “Avoid PHP Remote File Inclusion” 💎 1034008
    Added $argv and $_FILES as taint sources for rule “Avoid OS command injection (PHP)” 💎 1034006
    Added $argv and $_FILES as taint sources for rule “Avoid LDAP injection (PHP)” 💎 1034004
    Added $argv and $_FILES as taint sources for rule “Avoid cookie injection (PHP)” 💎 1034002
    NEW Ensure httpOnly option is enabled when creating session (PHP) 💎 1034064
    NEW Avoid creating cookie without setting httpOnly option (PHP) 💎 1034062
    NEW Avoid uncontrolled import into the current symbol table (PHP) 💎 1034060
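    The two taint sources added in this alpha are easy to overlook because neither comes from an HTTP parameter. The block below is an added example written for this page (not code from the CAST extension or from Psalm): $argv and the client-chosen file name in $_FILES each flow into a file-path sink (rule 1034014), and an extract() call over a request array shows the “uncontrolled import into the current symbol table” pattern (CWE-621) behind rule 1034060, each beside a hardened form. The upload field name “doc”, the base directory and the allowed extensions are assumptions.

```php
<?php
// Added example, not code from the CAST extension or from Psalm. Shows the
// $argv and $_FILES taint sources reaching a file-path sink and extract() on
// request data, each with a fix. Field name, base directory and extension
// allow-list are assumed for illustration.

const UPLOAD_DIR = '/var/app/uploads';

// $argv[1] flows straight into a path: `php tool.php ../../etc/passwd` reads it.
function read_upload_vulnerable(array $argv): string|false
{
    return file_get_contents(UPLOAD_DIR . '/' . ($argv[1] ?? ''));
}

// Hardened: drop directory components, resolve symlinks, then confirm the
// resolved path is still under the base directory before opening it.
function read_upload_hardened(array $argv): string
{
    $name = basename($argv[1] ?? '');
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($path === false || !str_starts_with($path, UPLOAD_DIR . '/')) {
        throw new RuntimeException('refusing path outside ' . UPLOAD_DIR);
    }
    return file_get_contents($path);
}

// $_FILES['doc']['name'] is supplied by the client, so it is tainted like $_GET.
function store_upload_vulnerable(array $files): bool
{
    return move_uploaded_file($files['doc']['tmp_name'],
                              UPLOAD_DIR . '/' . $files['doc']['name']);
}

// Hardened: the server chooses the stored name; only the extension derives
// from input, and it has to match an allow-list.
function store_upload_hardened(array $files): bool
{
    $ext = strtolower(pathinfo($files['doc']['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ['pdf', 'png'], true)) {
        return false;
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($files['doc']['tmp_name'], UPLOAD_DIR . '/' . $stored);
}

// extract() over a request array lets the client define or overwrite any local.
function is_admin_vulnerable(array $request): bool
{
    $isAdmin = false;
    extract($request);             // ?isAdmin=1 overwrites the flag set above
    return (bool) $isAdmin;
}

// Hardened: import only the expected keys and never clobber existing locals.
function is_admin_hardened(array $request): bool
{
    $isAdmin = false;
    $allowed = array_intersect_key($request, array_flip(['username', 'password']));
    extract($allowed, EXTR_SKIP);  // EXTR_SKIP: an existing variable wins on collision
    return $isAdmin;               // still false whatever the request contains
}
```

    is_admin_vulnerable(['isAdmin' => '1']) returns true while is_admin_hardened(['isAdmin' => '1']) returns false; the key filter and EXTR_SKIP together are what stop request data from reaching the local scope.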
  • 1.1.0-alpha2
    Update Psalm (master branch, commit e72fb5a2b31e606abd525f867696c5ba5bf7451b)
    Psalm standard error is now redirected to cast.analysers.log with a [psalm stderr] prefix.
    NEW Avoid uncontrolled sleep calls (PHP) 💎 1034058
    NEW Avoid using hard-coded HMAC keys (PHP) 💎 1034056
    NEW Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP) 💎 1034054
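    The three rules introduced in this alpha, shown as an added example written for this page (not code from the CAST extension or from Psalm): an uncontrolled sleep (1034058), a hard-coded HMAC key (1034056), and an XMLReader parse with entity substitution enabled (1034054), each next to its fix. The XXE part uses the XMLReader::SUBST_ENTITIES and XMLReader::VALIDATE constants that the 1.1.0-funcrel notes above say the rule now handles. SAMPLE_XML is a constructed input; the APP_HMAC_KEY variable name and the five-second delay bound are assumptions.

```php
<?php
// Added example, not code from the CAST extension or from Psalm. One weak and
// one hardened function per rule. SAMPLE_XML is constructed; the environment
// variable name and delay bound are assumed for illustration.

// 1034058: a request value used directly as a sleep duration ties up a worker.
function throttle_vulnerable(array $get): void
{
    sleep((int) ($get['delay'] ?? 0));        // ?delay=3600 parks the worker for an hour
}
function throttle_hardened(array $get): int
{
    $delay = min(5, max(0, (int) ($get['delay'] ?? 0)));   // clamp to a fixed bound
    sleep($delay);
    return $delay;
}

// 1034056: a key literal in source ships in every clone and build artefact.
function sign_vulnerable(string $payload): string
{
    return hash_hmac('sha256', $payload, 'hunter2');
}
function sign_hardened(string $payload): string
{
    $key = getenv('APP_HMAC_KEY');            // injected at deploy time, never committed
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('APP_HMAC_KEY missing or shorter than 32 bytes');
    }
    return hash_hmac('sha256', $payload, $key);
}
function verify(string $payload, string $mac): bool
{
    return hash_equals(sign_hardened($payload), $mac);   // constant-time comparison
}

// 1034054: XMLReader with entity substitution turned on.
const SAMPLE_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<doc>&ext;</doc>
XML;

function text_vulnerable(string $xml): string
{
    $r = new XMLReader();
    $r->XML($xml);
    $r->setParserProperty(XMLReader::SUBST_ENTITIES, true);  // &ext; is expanded from the file
    $r->setParserProperty(XMLReader::VALIDATE, true);         // DTD is processed
    $out = '';
    while ($r->read()) {
        if ($r->nodeType === XMLReader::TEXT) { $out .= $r->value; }
    }
    return $out;
}

function text_hardened(string $xml): string
{
    $r = new XMLReader();
    $r->XML($xml, null, LIBXML_NONET);                       // no network fetches for DTDs
    $r->setParserProperty(XMLReader::SUBST_ENTITIES, false); // entity refs stay unexpanded
    $r->setParserProperty(XMLReader::VALIDATE, false);
    $out = '';
    while ($r->read()) {
        if ($r->nodeType === XMLReader::DOC_TYPE) {
            throw new RuntimeException('DOCTYPE not allowed');   // reject DTDs outright
        }
        if ($r->nodeType === XMLReader::TEXT) { $out .= $r->value; }
    }
    return $out;
}
```

    setParserProperty() has to be called after XML()/open() and before the first read(), which is why both functions set it up front. With substitution off, &ext; surfaces as an ENTITY_REF node rather than text, and the DOCTYPE check above rejects the document before any entity is even declared; rejecting DTDs is the stronger of the two controls because it also removes billion-laughs style internal entities, which the SUBST_ENTITIES flag alone does not address.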
  • 1.1.0-alpha1
    Switch to the Psalm master branch (commit 96d83947615641734a5baa181d44da7f10ee0246), which will become version 6.x.
    NEW Avoid second order XPath injection (PHP) 💎 1034052
    NEW Avoid XPath injection (PHP) 💎 1034050
    NEW Avoid using insufficient random generator (PHP) 💎 1034048
    NEW Avoid second order reflection injection (PHP) 💎 1034046
    NEW Avoid second order server-side request forgery (PHP) 💎 1034044
    NEW Avoid second order HTTP header injection (PHP) 💎 1034042
    NEW Avoid second order deserialization injection (PHP) 💎 1034040
    NEW Avoid cross-site scripting (persistent) (PHP) 💎 1034038
    NEW Avoid second order file path manipulation (PHP) 💎 1034036
    NEW Avoid second order cookie injection (PHP) 💎 1034034
    NEW Avoid second order PHP Remote File Inclusion 💎 1034032
    NEW Avoid second order OS command injection (PHP) 💎 1034030
    NEW Avoid second order LDAP injection (PHP) 💎 1034028
    NEW Avoid second order code injection (PHP) 💎 1034026
    NEW Avoid second order SQL injection (PHP) 💎 1034024