Package Magic - Prohibited Code Check Plugin Documentation

[ Package Magic ]

Prohibited Code Check Plugins

Prohibited Code Checks are implemented through pluggable checks.

Functionality can be extended by adding plugin classes for additional Prohibited Code Checks. Prohibited Code Check plugins are simple classes that provide the functionality to apply code checks to files. They should inherit from ProhibitedCodeCheckPluginBase. Details are provided by comments in the code.

Plugins can be added by placing the plugin classes at packages/anyPackageName/src/JtF/PackageMagic/ProhibitedCodeCheck/PluginsPluginName or application/src/JtF/PackageMagic/ProhibitedCodeCheck/PluginsPluginName. Plugins can also be similarly placed beneath the plugin type's namespace declared in a package controller's AutoloaderRegistries.

Alternative Syntax

Detect alternative syntax, generally discouraged.

Alternative syntax means control structures written with a colon after the condition and closed by one of: endfor, endforeach, endif, endswitch, endwhile.

Controller Methods

Detect deprecated controller methods.

See Deprecated Code Reference (ongoing) for details. Deprecated code may be necessary for backward compatibility with older core versions.

Deprecated Code

Detect deprecated API use.

See Deprecated Code Reference (ongoing) for details. Deprecated code may be necessary for backward compatibility with older core versions.

Direct MySQL Calls

Detect direct MySQL and MySQLi calls.

Forbidden MySQL functions are based on those listed by at Forbidden Functions: mysql_affected_rows, mysql_client_encoding, mysql_close, mysql_connect, mysql_create_db, mysql_data_seek, mysql_db_name, mysql_db_query, mysql_drop_db, mysql_errno, mysql_error, mysql_escape_string, mysql_fetch_array, mysql_fetch_assoc, mysql_fetch_field, mysql_fetch_lengths, mysql_fetch_object, mysql_fetch_row, mysql_field_flags, mysql_field_len, mysql_field_name, mysql_field_seek, mysql_field_table, mysql_field_type, mysql_free_result, mysql_get_client_info, mysql_get_host_info, mysql_get_proto_info, mysql_get_server_info, mysql_info, mysql_insert_id, mysql_list_dbs, mysql_list_fields, mysql_list_processes, mysql_list_tables, mysql_num_fields, mysql_num_rows, mysql_pconnect, mysql_ping, mysql_query, mysql_real_escape_string, mysql_result, mysql_select_db, mysql_set_charset, mysql_stat, mysql_tablename, mysql_thread_id, mysql_unbuffered_query, mysqli_bind_param, mysqli_bind_result, mysqli_client_encoding, mysqli_connect, mysqli_disable_reads_from_master, mysqli_disable_rpl_parse, mysqli_driver, mysqli_enable_reads_from_master, mysqli_enable_rpl_parse, mysqli_escape_string, mysqli_execute, mysqli_fetch, mysqli_get_cache_stats, mysqli_get_metadata, mysqli_master_query, mysqli_param_count, mysqli_report, mysqli_result, mysqli_rpl_parse_enabled, mysqli_rpl_probe, mysqli_send_long_data, mysqli_set_opt, mysqli_slave_query, mysqli_sql_exception, mysqli_stmt, mysqli_warning

Empty File

Detect empty files.

Empty files are generally superfluous, but in some circumstances may actually be necessary. A file is deemed empty if it contains nothing save white space.

Empty Methods

Detect empty methods and blocks.

Empty methods and blocks are generally superfluous, but in some circumstances may actually be necessary.

Facades and Aliases

Detect use of facades and aliases.

See Deprecated Code Reference (ongoing) for details. Facades and aliases are usually better expressed using the full namespace. Deprecated code may be necessary for backward compatibility with older core versions.

Forbidden Classes

Detect use of forbidden classes.

See Deprecated Code Reference (ongoing) for details. Forbidden classes are typically deprecated compatibility classes dating from when v5.7 was first introduced. Classes detected: Loader, TaskPermission.

Forbidden Functions

Detect php functions prohibited in marketplace packages.

Forbidden php functions are based on those listed by goutnet at Forbidden Functions: eval, exec, passthru, printer_abort, printer_close, printer_create_brush, printer_create_dc, printer_create_font, printer_create_pen, printer_delete_brush, printer_delete_dc, printer_delete_font, printer_delete_pen, printer_draw_bmp, printer_draw_chord, printer_draw_elipse, printer_draw_line, printer_draw_pie, printer_draw_rectangle, printer_draw_roundrect, printer_draw_text, printer_end_doc, printer_end_page, printer_get_option, printer_list, printer_logical_fontheight, printer_open, printer_select_brush, printer_select_font, printer_select_pen, printer_set_option, printer_start_doc, printer_start_page, printer_write, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system

Forbidden Keywords

Detect php keywords prohibited in marketplace packages.

Forbidden php keywords are: eval, goto. Other forbidden keywords are detected by other checks.

Include and Require

Include and require are prohibited in marketplace packages.

Forbidden keywords are: include, include_once, require, require_once.

Modifies Permissions

Detect modification of file system permissions.

Do not modify file system permissions: chown, chmod, chgrp.

Only Comments File

Detect files empty save for comments.

Files that are empty save for comments are generally superfluous, but in some circumstances may actually be necessary. A file is deemed empty if it contains nothing save white space and comments.

Php Cookie Management

Detect php native cookie management.

Do not use php cookie management including $_COOKIE and functions: setcookie, setrawcookie.
Use core API calls.

Php Filesystem

Detect php filesystem functions.

Core API calls should be used in place of php filesystem functions: delete, feof, fflush, fgetc, fgetcsv, fgets, fgetss, file_get_contents, file_put_contents, file, filegroup, fileinode, fileowner, fileperms, flock, fopen, fpassthru, fputcsv, fputs, fread, fscanf, fseek, fstat, ftell, ftruncate, fwrite, lchgrp, lchown, link, linkinfo, lstat, move_uploaded_file, pclose, popen, readfile, readlink, realpath_cache_get, rename, rewind, set_file_buffer, symlink, tempnam, tmpfile, touch, umask, unlink, mkdir, rmdir, chdir, chroot, closedir, dir, getcwd, opendir, readdir, rewinddir, scandir, dio_close, dio_fcntl, dio_open, dio_read, dio_seek, dio_stat, dio_tcsetattr, dio_truncate, dio_write, finfo_buffer, finfo_close, finfo_file, finfo_open, finfo_set_flags, mime_content_type, inotify_add_watch, inotify_init, inotify_queue_len, inotify_read, inotify_rm_watch, xattr_get, xattr_list, xattr_remove, xattr_set, xattr_supported.

Php Session Management

Detect php native session management.

Do not use php session management including $_SESSION and functions: session_abort, session_cache_expire, session_cache_limiter, session_commit, session_create_id, session_decode, session_destroy, session_encode, session_gc, session_get_cookie_params, session_id, session_is_registered, session_module_name, session_name, session_regenerate_id, session_register_shutdown, session_register, session_reset, session_save_path, session_set_cookie_params, session_set_save_handler, session_start, session_status, session_unregister, session_unset, session_write_close.
Use core API calls.

Short Tags

Detect php alternative short tags.

Short Tags refers to the <? and <?= opening tags. Whether <?= is flagged depends on the package's minimum core version.

SuperGlobals

Detect superglobals prohibited in marketplace packages.

$_FILES is detected and an advisory is issued. Forbidden superglobals are: $_GET, $_POST, $_REQUEST, $_ENV, $GLOBALS, $_SERVER. $_SESSION and $_COOKIE are also forbidden, but are detected by their own specific checks.
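The following is an added example, not Package Magic code: a stand-alone token-based scanner that shows the kind of detection the Forbidden Functions, Alternative Syntax and SuperGlobals checks above perform. It does not use ProhibitedCodeCheckPluginBase (its interface is not shown on this page), its lists are abbreviated, and the PHP sample it scans is constructed here.

```php
<?php
// Added example, not Package Magic code. Stand-alone scanner using PHP's tokenizer; it does not
// implement ProhibitedCodeCheckPluginBase. Lists are abbreviated from the ones documented above.
const FORBIDDEN_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'mysql_query'];
const FORBIDDEN_SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_ENV', '$GLOBALS', '$_SERVER'];
const ALT_SYNTAX_TOKENS = [T_ENDFOR, T_ENDFOREACH, T_ENDIF, T_ENDSWITCH, T_ENDWHILE];

/** Nearest token before ($step = -1) or after ($step = 1) index $i, skipping whitespace and comments. */
function neighbour(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $t;
        }
    }
    return null;
}

/** Scan PHP source text and return findings as [line, message] pairs. */
function scanSource(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $t;
        if ($id === T_VARIABLE && in_array($text, FORBIDDEN_SUPERGLOBALS, true)) {
            $findings[] = [$line, "forbidden superglobal $text"];
        } elseif (in_array($id, ALT_SYNTAX_TOKENS, true)) {
            $findings[] = [$line, "alternative syntax $text"];
        } elseif ($id === T_STRING && in_array(strtolower($text), FORBIDDEN_FUNCTIONS, true)) {
            // Flag only real function calls: name followed by '(' and not preceded by ->, :: or 'function'
            $prev = neighbour($tokens, $i, -1);
            $isMember = is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
            if (neighbour($tokens, $i, 1) === '(' && !$isMember) {
                $findings[] = [$line, "forbidden function $text()"];
            }
        }
    }
    return $findings;
}

// Constructed sample: scanned as text, never executed.
$sample = "<?php\n\$q = \$_GET['q'];\nif (\$q):\n    \$out = shell_exec('ls -l');\nendif;\n\$db->exec('SELECT 1'); // method call, not flagged\n";
foreach (scanSource($sample) as [$line, $msg]) {
    echo "line $line: $msg\n";
}
```

Because the scanner works on tokens rather than text, the `exec` in `$db->exec(...)` and any forbidden name inside a string or comment are not reported, which is the main false-positive class a regex-based check would hit.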