Release Notes - 1.1
1.1.0-beta2
Other Updates
| Details |
| --- |
| Upgrade to Psalm 5.25.0 (with patches). |
1.1.0-beta1
Other Updates
| Details |
| --- |
| Upgrade to Psalm 5.24.0 (with patches). |
Rules
| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1034066 | TRUE | Avoid creating application cookie without SameSite option (PHP) |
| 1034068 | TRUE | Ensure SameSite option is enabled when creating session (PHP) |
| 1034070 | TRUE | Ensure strict mode is enabled when creating session (PHP) |
| 1034072 | TRUE | Avoid mixing trusted and untrusted data in HTTP requests (PHP) |
| 1034064 | FALSE | Added ini_set('session.cookie_httponly', true) as a remediation for rule "Ensure httpOnly option is enabled when creating session (PHP)". |
| 1034048 | FALSE | Added mt_srand(), str_shuffle() and array_rand() as functions triggering a violation for rule "Avoid using insufficient random generator (PHP)". |
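As an added illustration that is not part of the release notes, the following PHP contrasts a session and cookie setup that the rules listed above and in 1.1.0-alpha3 (1034064, 1034066, 1034068, 1034070) would flag with a hardened version that satisfies them; the `ini_set('session.cookie_httponly', true)` call is the remediation named in this release, the function names are made up for the example, and the `setcookie()` options array assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the CAST extension or from Psalm.

// Weak configuration: PHP defaults leave httpOnly, SameSite and strict mode
// unset on the session cookie (rules 1034064, 1034068, 1034070) and the
// application cookie is created without a SameSite option (rule 1034066).
function start_session_weak(): void
{
    session_start();
    setcookie('prefs', 'dark-mode');
}

// Hardened configuration: every setting the rules look for is made explicit
// before the session is started, so the analyser can see it in the source.
function start_session_hardened(): void
{
    // Rule 1034064: remediation named in this release.
    ini_set('session.cookie_httponly', true);
    // Rule 1034068: SameSite on the session cookie.
    ini_set('session.cookie_samesite', 'Strict');
    // Rule 1034070: strict mode rejects uninitialised session ids supplied by the client.
    ini_set('session.use_strict_mode', '1');
    // Not covered by the listed rules, but keeps the session cookie off plain HTTP.
    ini_set('session.cookie_secure', '1');
    session_start();

    // Rule 1034066: application cookies carry SameSite too (options array, PHP >= 7.3).
    setcookie('prefs', 'dark-mode', [
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```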
1.1.0-alpha3
Resolved Issues
| Customer Ticket Id | Details |
| --- | --- |
| 46596 | Fixes an issue so that the rules provided by this extension are now considered "critical". |
| 46530 | Added "$argv" and "$_FILES" as taint sources for the rule "Avoid SQL injection (PHP)". |
Other Updates
| Details |
| --- |
| The release of Psalm used by this extension has been updated to the "master" branch, commit 4b2c6980c51129b066ae85c73798162865df5142. |
| The global variable "$argv" was added as a source for taint analysis. |
| The report from Psalm is now stored in a LISA sub-directory named "third_party_reports". The detailed results of Psalm no longer appear in the standard CAST analysis logs. |
Rules
| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1034060 | TRUE | Avoid uncontrolled import into the current symbol table (PHP) |
| 1034062 | TRUE | Avoid creating cookie without setting httpOnly option (PHP) |
| 1034064 | TRUE | Ensure httpOnly option is enabled when creating session (PHP) |
| 1034002 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid cookie injection (PHP)" |
| 1034004 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid LDAP injection (PHP)" |
| 1034006 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid OS command injection (PHP)" |
| 1034008 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid PHP Remote File Inclusion" |
| 1034010 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid code injection (PHP)" |
| 1034012 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid reflection injection (PHP)" |
| 1034014 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid file path manipulation (PHP)" |
| 1034016 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid reflected cross-site scripting (non persistent) (PHP)" |
| 1034018 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid deserialization injection (PHP)" |
| 1034020 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid HTTP header injection (PHP)" |
| 1034022 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid server-side request forgery (PHP)" |
| 1034050 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid XPath injection (PHP)" |
| 1034058 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid uncontrolled sleep calls (PHP)" |
1.1.0-alpha2
Note
Updated Psalm (master branch, commit e72fb5a2b31e606abd525f867696c5ba5bf7451b).
Other Updates
| Details |
| --- |
| Psalm standard error is now redirected to cast.analysers.log with a [psalm stderr] prefix. |
Rules
| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1034054 | TRUE | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP) |
| 1034056 | TRUE | Avoid using hard-coded HMAC keys (PHP) |
| 1034058 | TRUE | Avoid uncontrolled sleep calls (PHP) |
1.1.0-alpha1
Other Updates
| Details |
| --- |
| Switched to the Psalm master branch (commit 96d83947615641734a5baa181d44da7f10ee0246), which will become version 6.x. |
Rules
| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1034024 | TRUE | Avoid second order SQL injection (PHP) |
| 1034026 | TRUE | Avoid second order code injection (PHP) |
| 1034028 | TRUE | Avoid second order LDAP injection (PHP) |
| 1034030 | TRUE | Avoid second order OS command injection (PHP) |
| 1034032 | TRUE | Avoid second order PHP Remote File Inclusion |
| 1034034 | TRUE | Avoid second order cookie injection (PHP) |
| 1034036 | TRUE | Avoid second order file path manipulation (PHP) |
| 1034038 | TRUE | Avoid cross-site scripting (persistent) (PHP) |
| 1034040 | TRUE | Avoid second order deserialization injection (PHP) |
| 1034042 | TRUE | Avoid second order HTTP header injection (PHP) |
| 1034044 | TRUE | Avoid second order server-side request forgery (PHP) |
| 1034046 | TRUE | Avoid second order reflection injection (PHP) |
| 1034048 | TRUE | Avoid using insufficient random generator (PHP) |
| 1034050 | TRUE | Avoid XPath injection (PHP) |
| 1034052 | TRUE | Avoid second order XPath injection (PHP) |