Exakat 0.10.4Exakat 0.10.4 review

Exakat 0.10.4 shipped with two new analyzers. Here is a short presentation of them :

No Need For Else

The else branch may be ignored if the then branch actually leaves the current function.

<?php
function foo($a) {
    // Else may be in the main sequence.
    if ($a1) {
        return 1;
    } else {
        $a++;
    }
// doSomethingElse()
}
function foo2($a) {
    // Else may be in the main sequence.
    if ($a1) {
        return 1;
    } 
     $a++;
    // doSomethingElse()
}
?>

The reverse is also true when the return is in the else branch. The only difference is that the replacement if() should use the negated condition, not the straight one.

<?php
function foo($a) {
    // Save as foo2 above
    if (!$a1) {
        $a++;
    } else {
        return 1;
    }
}
?>

This applies to return, break, continue and goto. It helps keeps the level of nesting down to a minium. You may also read about this in Object Calisthenics, rule number 2.
When both branches of if then uses return (or break or …) then this is the end of the function, and nothing is reported.

Extension Data Structure

Exakat 0.10.4 adds support to recognize usage of ext/ds. DS stands for ‘Data Structures’. It is an interesting extension that adds support for various data structures in PHP :
See the code at https://github.com/php-ds/extension and more details by Rudi Theunissen at https://github.com/php-ds/extension.

Should use regenerateid for session for better security

When using session, may it be PHP native session, Zend Session or any other framework’s session, a large part of the security of the session ID reside in its lifespan : the shorter the better. This is why it is always recommended to change the ID during the life of the session, most notably at important moment, like privileges escalation, configuration change, data modification or suppression.
In short, whenever session is used, there must be some session regeneration. Thanks to Cyrille Grandval, who reported the idea, this is now spotted by Exakat, with PHP native sessions or Zend Sessions.

Happy PHP code auditing with Exakat

Exakat 0.10.4 brings some fresh ideas to review code. Session security, and reducing the level of nesting in methods. All the 300+ analyzers are presented in the docs, including the classic ‘Forgotten thrown‘. Download Exakat on exakat.io and like us on github.

Tweet about this on TwitterShare on RedditShare on LinkedInEmail this to someone