Prohibited Code Checks are implemented through pluggable checks.
Functionality can be extended by adding plugin classes for additional Prohibited Code Checks. Prohibited Code Check plugins are simple classes that apply a code check to files. They should inherit from ProhibitedCodeCheckPluginBase. Details are provided by comments in the code.
Plugins can be added by placing the plugin classes at packages/anyPackageName/src/JtF/PackageMagic/ProhibitedCodeCheck/Plugins/PluginName or application/src/JtF/PackageMagic/ProhibitedCodeCheck/Plugins/PluginName. Plugins can also be similarly placed beneath the plugin type's namespace declared in a package controller's AutoloaderRegistries.
Detect alternative syntax, generally discouraged.
Alternative syntax means control structures that open with a colon and close with endfor, endforeach, endif, endswitch or endwhile.
Detect deprecated controller methods.
See Deprecated Code Reference (ongoing) for details. Deprecated code may be necessary for backward compatibility with older core versions.
Detect deprecated API use.
See Deprecated Code Reference (ongoing) for details. Deprecated code may be necessary for backward compatibility with older core versions.
Detect direct MySQL and MySQLi calls.
Forbidden MySQL functions are based on those listed at Forbidden Functions: mysql_affected_rows, mysql_client_encoding, mysql_close, mysql_connect, mysql_create_db, mysql_data_seek, mysql_db_name, mysql_db_query, mysql_drop_db, mysql_errno, mysql_error, mysql_escape_string, mysql_fetch_array, mysql_fetch_assoc, mysql_fetch_field, mysql_fetch_lengths, mysql_fetch_object, mysql_fetch_row, mysql_field_flags, mysql_field_len, mysql_field_name, mysql_field_seek, mysql_field_table, mysql_field_type, mysql_free_result, mysql_get_client_info, mysql_get_host_info, mysql_get_proto_info, mysql_get_server_info, mysql_info, mysql_insert_id, mysql_list_dbs, mysql_list_fields, mysql_list_processes, mysql_list_tables, mysql_num_fields, mysql_num_rows, mysql_pconnect, mysql_ping, mysql_query, mysql_real_escape_string, mysql_result, mysql_select_db, mysql_set_charset, mysql_stat, mysql_tablename, mysql_thread_id, mysql_unbuffered_query, mysqli_bind_param, mysqli_bind_result, mysqli_client_encoding, mysqli_connect, mysqli_disable_reads_from_master, mysqli_disable_rpl_parse, mysqli_driver, mysqli_enable_reads_from_master, mysqli_enable_rpl_parse, mysqli_escape_string, mysqli_execute, mysqli_fetch, mysqli_get_cache_stats, mysqli_get_metadata, mysqli_master_query, mysqli_param_count, mysqli_report, mysqli_result, mysqli_rpl_parse_enabled, mysqli_rpl_probe, mysqli_send_long_data, mysqli_set_opt, mysqli_slave_query, mysqli_sql_exception, mysqli_stmt, mysqli_warning.
Detect empty files.
Empty files are generally superfluous, but in some circumstances may actually be necessary. A file is deemed empty if it contains nothing save white space.
Detect empty methods and blocks.
Empty methods and blocks are generally superfluous, but in some circumstances may actually be necessary.
Detect use of facades and aliases.
See Deprecated Code Reference (ongoing) for details. Facades and aliases are usually better expressed using the full namespace. Deprecated code may be necessary for backward compatibility with older core versions.
Detect use of forbidden classes.
See Deprecated Code Reference (ongoing) for details. Forbidden classes are typically deprecated compatibility classes from when v5.7 was first introduced. Classes detected: Loader, TaskPermission.
Detect php functions prohibited in marketplace packages.
Forbidden php functions are based on those listed by goutnet at Forbidden Functions: eval, exec, passthru, printer_abort, printer_close, printer_create_brush, printer_create_dc, printer_create_font, printer_create_pen, printer_delete_brush, printer_delete_dc, printer_delete_font, printer_delete_pen, printer_draw_bmp, printer_draw_chord, printer_draw_elipse, printer_draw_line, printer_draw_pie, printer_draw_rectangle, printer_draw_roundrect, printer_draw_text, printer_end_doc, printer_end_page, printer_get_option, printer_list, printer_logical_fontheight, printer_open, printer_select_brush, printer_select_font, printer_select_pen, printer_set_option, printer_start_doc, printer_start_page, printer_write, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system
Detect php keywords prohibited in marketplace packages.
Forbidden php keywords are: eval, goto. Other forbidden keywords are detected by other checks.
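An added example, not code from Package Magic, of how the forbidden-functions and forbidden-keywords checks above can be built on PHP's own tokenizer instead of text matching: scanForbidden, the constructed sample source and the shortened forbidden list are assumptions made here. On the sample it reports the plain call, the eval keyword and the fully qualified call, but not the method call, the comment or the string literal.

```php
<?php
// Added illustration, not Package Magic's own plugin code: a token-based scan for
// calls to forbidden functions plus the eval/goto keywords. Tokenising rather than
// grepping keeps $db->exec(), comments and string literals from being reported.
function scanForbidden(string $source, array $forbiddenFunctions): array
{
    // Drop whitespace and comment tokens so neighbours can be read by index.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    // PHP 8 tokenises \exec as a single T_NAME_FULLY_QUALIFIED token.
    $fqn  = defined('T_NAME_FULLY_QUALIFIED') ? T_NAME_FULLY_QUALIFIED : -1;
    $hits = []; // each hit is ['line' => int, 'name' => string]
    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $token;
        if ($id === T_EVAL || $id === T_GOTO) { // real keywords, never T_STRING
            $hits[] = ['line' => $line, 'name' => strtolower($text)];
            continue;
        }
        $name = ltrim(strtolower($text), '\\');
        if (($id !== T_STRING && $id !== $fqn) || !in_array($name, $forbiddenFunctions, true)) {
            continue;
        }
        // After ->, ::, function or new the name is a member, definition or class.
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true)) {
            continue;
        }
        if (($tokens[$i + 1] ?? null) === '(') { // only a name followed by '(' is a call
            $hits[] = ['line' => $line, 'name' => $name];
        }
    }
    return $hits;
}
// Constructed sample source covering each case the scan has to tell apart.
$sample = <<<'PHP'
<?php
$out = shell_exec('ls');   // plain function call
$db->exec($sql);           // method call
// system('id');           // comment
$s = "system('id')";       // string literal
eval($code);               // keyword
\passthru($cmd);           // fully qualified call
PHP;
$forbidden = ['exec', 'passthru', 'proc_open', 'shell_exec', 'system', 'mysql_query'];
print_r(scanForbidden($sample, $forbidden));
```

A real plugin would also walk a package's files and map each hit to the check's severity; this block only shows the classification step.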
Include and require are prohibited in marketplace packages.
Forbidden keywords are: include, include_once, require, require_once.
Detect modification of file system permissions.
Do not modify file system permissions: chown, chmod, chgrp.
Detect files empty save for comments.
Files that are empty save for comments are generally superfluous, but in some circumstances may actually be necessary. A file is deemed empty if it contains nothing save white space and comments.
Detect php native cookie management.
Do not use php native cookie management, including $_COOKIE and the functions setcookie and setrawcookie. Use core API calls.
Detect php filesystem functions.
Core API calls should be used in place of php filesystem functions: delete, feof, fflush, fgetc, fgetcsv, fgets, fgetss, file_get_contents, file_put_contents, file, filegroup, fileinode, fileowner, fileperms, flock, fopen, fpassthru, fputcsv, fputs, fread, fscanf, fseek, fstat, ftell, ftruncate, fwrite, lchgrp, lchown, link, linkinfo, lstat, move_uploaded_file, pclose, popen, readfile, readlink, realpath_cache_get, rename, rewind, set_file_buffer, symlink, tempnam, tmpfile, touch, umask, unlink, mkdir, rmdir, chdir, chroot, closedir, dir, getcwd, opendir, readdir, rewinddir, scandir, dio_close, dio_fcntl, dio_open, dio_read, dio_seek, dio_stat, dio_tcsetattr, dio_truncate, dio_write, finfo_buffer, finfo_close, finfo_file, finfo_open, finfo_set_flags, mime_content_type, inotify_add_watch, inotify_init, inotify_queue_len, inotify_read, inotify_rm_watch, xattr_get, xattr_list, xattr_remove, xattr_set, xattr_supported.
Detect php native session management.
Do not use php native session management, including $_SESSION and the functions session_abort, session_cache_expire, session_cache_limiter, session_commit, session_create_id, session_decode, session_destroy, session_encode, session_gc, session_get_cookie_params, session_id, session_is_registered, session_module_name, session_name, session_regenerate_id, session_register_shutdown, session_register, session_reset, session_save_path, session_set_cookie_params, session_set_save_handler, session_start, session_status, session_unregister, session_unset, session_write_close. Use core API calls.
Detect php alternative short tags.
Short tags are the <? and <?= opening tags. Whether <?= is checked depends on the package's minimum core version.
Detect superglobals prohibited in marketplace packages.
Forbidden superglobals are: $_GET, $_POST, $_REQUEST, $_ENV, $GLOBALS, $_FILES, $_SERVER. $_FILES is detected and advised. $_SESSION and $_COOKIE are also forbidden and are detected by their own specific checks.