承接 psecio/parse 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

psecio/parse

Composer 安装命令:

composer require psecio/parse

包简介

A PHP Security Scanner

README 文档

README

Packagist Version Build Status

PLEASE NOTE: This tool is still in a very early stage. The work continues...

The Parse scanner is a static scanning tool to review your PHP code for potential security-related issues. A static scanner means that the code is not executed and tested via a web interface (that's dynamic testing). Instead, the scanner looks through your code and checks for certain markers and notifies you when any are found.

For example, you really shouldn't be using eval in your code anywhere if you can help it. When the scanner runs, it will parse down each of your files and look for any eval() calls. If it finds any, it adds that match to the file and reports it in the results.

Installation

Install as a development dependency in your project using composer:

composer require --dev psecio/parse

The path to the installed executable may vary depending on your bin-dir setting. With the default value parse is located at vendor/bin/psecio-parse.

For a system-wide installation use:

composer global require psecio/parse

Make sure you have ~/.composer/vendor/bin/ in your path.

Usage

NOTE: In version 0.6 the executable was renamed psecio-parse. In earlier versions the tool was simply named parse.

NOTE: In version 0.4 and earlier the --target option was used to specify the project path, this is no longer supported. Use the syntax below.

To use the scanner execute it from the command line:

psecio-parse scan /path/to/my/project

For more detailed information see the help and list commands.

psecio-parse help scan

Output formats

Currently console (dots), xml and json output formats are available. Set format with the --format option.

psecio-parse scan --format=xml /path/to/my/project
psecio-parse scan --format=dots /path/to/my/project
psecio-parse scan --format=json /path/to/my/project

The console formats supports setting the verbosity using the -v or -vv switch.

psecio-parse scan -vv /path/to/my/project

If your platform does not support ANSI codes, or if you want to redirect the console output to a file, use the --no-ansi option.

psecio-parse scan --no-ansi /path/to/my/project > filename

Listing the checks

You can also get a listing of the current checks being done with the rules command:

psecio-parse rules

Managing rules to run

There are several ways to control which rules are run. You can specifically include rules using the --include-rules option, specifically exclude them with --exclude-rules, turn them on and off on a case-by-case basis using annotations, and disable annotations using --disable-annotations.

Excluding and Including rules

By default, psecio-parse scan includes all available rules in its scan. By using --exclude-rules and --include-rules, the rules included can be reduced.

Any rules specified by --exclude-rules are explicitly excluded from the scan, regardless of any other options selected. These rules cannot be added back to the scan, short of re-running the scan with different options. Invalid rules are silently ignored.

If --include-rules is provided, only those rules specified can be used. No other rules are checked. Note that rules that aren't available (whether they do not exist or --excluded-rules is used to exclude them) cannot be included. Invalid rules are silently ignored.

Annotations

Rules can be enabled and disabled using DocBlock annotations. These are comments in the code being scanned that tells Parse to specifically enable or disable a rule for the block of code the DocBlock applies to.

  • @psecio\parse\disable <rule>: Tells Parse to ignore the given rule for the scope of the DocBlock.
  • @psecio\parse\enable <rule>: Tells Parse to enable the given rule for the scope of the DocBlock. This can be used to re-enable a particular rule when @psecio\parse\disable has been applied to the containing scope.

Note that annotations cannot enable tests that have been omitted via the command line options. If a test is disabled at the command line, it is disabled for the entire scan, regardless of any annotations.

Comments can be added after <rule> following a dobule-slash (//) comment separator. It is recommended that comments be used to indicate why the rule has been disabled or enabled.

To disable the use of annotations, use the --disable-annotations option.

See the examples directory for some examples of the use of annotations for Parse.

The Checks

Here's the current list of checks:

  • Warn when sensitive values are committed (as defined by a variable like "username" set to a string)
  • Warn when display_errors is enabled manually
  • Avoid the use of eval()
  • Avoid the use of exit or die()
  • Avoid the use of logical operators (ex. using and over &&)
  • Avoid the use of the ereg* functions (now deprecated)
  • Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
  • Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
  • Ensuring you're not using echo with file_get_contents
  • Testing for the system execution functions and shell exec (backticks)
  • Use of readfile, readlink and readgzfile
  • Using parse_str or mb_parse_str (writes values to the local scope)
  • Warn if a .phps file is found
  • Using session_regenerate_id either without a parameter or using false
  • Avoid use of $_REQUEST (know where your data is coming from)
  • Don't use mysql_real_escape_string
  • Avoiding use of import_request_variables
  • Avoid use of $GLOBALS
  • Ensure the use of type checking validating against booleans (===)
  • Ensure that the /e modifier isn't used in regular expressions (execute)
  • Using concatenation in header() calls
  • Avoiding the use of $http_raw_post_data

Plenty more to come... (yup, @todo)

TODO

See the current issues list for @todo items...

Parse is covered under the MIT license.

@author Chris Cornutt (ccornutt@phpdeveloper.org)

psecio/parse 适用场景与选型建议

psecio/parse 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 72k 次下载、GitHub Stars 达 382, 最近一次更新时间为 2014 年 11 月 10 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「static」 「scanner」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 psecio/parse 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 psecio/parse 我们能提供哪些服务?
定制开发 / 二次开发

基于 psecio/parse 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 72k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 384
  • 点击次数: 43
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 382
  • Watchers: 21
  • Forks: 41
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2014-11-10