fix: PHPStan Level 8 – 0 errors (1.0.0-beta2) #48
Merged
Conversation
Pull request overview
Brings the addon to “PHPStan level 8: 0 errors” by tightening types across core logging + EP handlers and adding a repo-local PHPStan configuration; also includes a small backend UI CSS tweak and removes deprecated EP BC stubs.
Changes:
- Add `phpstan.neon` (level 8, PHP 8.2) and tune ignores for the optional YForm dependency.
- Type cleanup in `Activity`, the EP trait/classes, and console command signatures to satisfy PHPStan.
- Minor UI/CSS update for the activity table's first column plus version/changelog bump; remove the deprecated `lib/extension_points/*` stubs.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scss/styles.scss | Constrains first table column width via nowrap + width: 1%. |
| assets/css/styles.css | Compiled CSS update reflecting the SCSS change. |
| phpstan.neon | Adds PHPStan level 8 config + ignore for optional YForm class. |
| pages/system.activity-log.php | Makes admin check null-safe for unauthenticated backend contexts. |
| package.yml | Bumps addon version to 1.0.0-beta2. |
| lib/Activity.php | Adds strict static property/return types and stronger initialization assumptions. |
| lib/ActivityClear.php | Adds return types and tighter validator typing for console command input. |
| lib/ActivityLogCronjob.php | Refines PHPDoc return type for parameter fields. |
| lib/EP/EpTrait.php | Broadens callback type to `string\|callable`. |
| lib/EP/Article.php | Adds deduped ART_DELETED handling to avoid multi-language double logging. |
| lib/EP/User.php | Adds rex_user typing via explicit cast for $params['user']. |
| lib/EP/Yform.php | Adds PHPStan suppression strategy for optional rex_yform_manager_table. |
| fragments/filter-form.php | Casts option values to string for htmlspecialchars() / ucfirst(). |
| CHANGELOG.md | Adds 1.0.0-beta2 entry describing the PHPStan cleanup. |
| lib/extension_points/article.php | Removed deprecated `RexActivity\EP\article` BC stub. |
| lib/extension_points/category.php | Removed deprecated `RexActivity\EP\category` BC stub. |
| lib/extension_points/clang.php | Removed deprecated `RexActivity\EP\clang` BC stub. |
| lib/extension_points/ep_trait.php | Removed deprecated `RexActivity\EP\ep_trait` BC stub. |
| lib/extension_points/media.php | Removed deprecated `RexActivity\EP\media` BC stub. |
| lib/extension_points/meta.php | Removed deprecated `RexActivity\EP\meta` BC stub. |
| lib/extension_points/module.php | Removed deprecated `RexActivity\EP\module` BC stub. |
| lib/extension_points/slice.php | Removed deprecated `RexActivity\EP\slice` BC stub. |
| lib/extension_points/template.php | Removed deprecated `RexActivity\EP\template` BC stub. |
| lib/extension_points/user.php | Removed deprecated `RexActivity\EP\user` BC stub. |
| lib/extension_points/yform.php | Removed deprecated `RexActivity\EP\yform` BC stub. |
Comments suppressed due to low confidence (2)
pages/system.activity-log.php:29
- The three POST handlers that perform log deletions (`delete_old_logs`, `delete_all_logs`, `delete_single_log`) are only guarded by `$isAdmin` and do not verify any CSRF token or origin. This allows a malicious site to trigger cross-site POST requests in an admin's browser that silently delete activity-log entries, undermining the integrity of the audit log. Protect these destructive actions with proper CSRF mitigation (e.g. `rex_csrf_token` or equivalent) in both the form and the request handling before executing deletions.
```php
if ($isAdmin && rex_post('delete_old_logs') && 1 == rex_post('delete_old_logs')) {
    $now = (new DateTime());
    $now->modify('-7 day');
    $date = $now->format('Y-m-d H:i:s');
    $sql = rex_sql::factory();
    $sql->setTable($table);
    $sql->setWhere("created_at <= '$date'");
    $sql->delete();
}
if ($isAdmin && rex_post('delete_all_logs') && 1 == rex_post('delete_all_logs')) {
    $sql = rex_sql::factory();
    $sql->setTable($table);
    $sql->delete();
}
if ($isAdmin && rex_post('delete_single_log')) {
    $sql = rex_sql::factory();
    $sql->setTable($table);
    $sql->setWhere('id = ' . rex_post('delete_single_log'));
    $sql->delete();
}
```
pages/system.activity-log.php:29
- `setWhere('id = ' . rex_post('delete_single_log'))` concatenates unvalidated POST data directly into an SQL `WHERE` clause, which allows an attacker to inject arbitrary SQL conditions via the `delete_single_log` parameter. An attacker who can trigger this endpoint (for example, via a crafted backend request or CSRF against an authenticated admin) can delete arbitrary or all log records instead of a single row. Ensure the ID is strictly validated or cast (for example to an integer) or passed through the database abstraction's escaping/binding API before being used in `setWhere`.
```php
    $now = (new DateTime());
    $now->modify('-7 day');
    $date = $now->format('Y-m-d H:i:s');
    $sql = rex_sql::factory();
    $sql->setTable($table);
    $sql->setWhere("created_at <= '$date'");
    $sql->delete();
}
if ($isAdmin && rex_post('delete_all_logs') && 1 == rex_post('delete_all_logs')) {
    $sql = rex_sql::factory();
    $sql->setTable($table);
    $sql->delete();
}
if ($isAdmin && rex_post('delete_single_log')) {
    $sql = rex_sql::factory();
    $sql->setTable($table);
    $sql->setWhere('id = ' . rex_post('delete_single_log'));
    $sql->delete();
}
```
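Both suppressed comments point at the same three handlers, so one added example covers them. It is a stand-alone PHP sketch of the hardening the comments ask for, not code from the rex_activity addon or from this PR: a constant-time CSRF token check in front of every delete, and an id that is strictly validated and handed over as a bound parameter instead of being concatenated into the `WHERE` clause. The helper names, the `_csrf_token` form field and the session-held token are assumptions made for the example; the mapping to `rex_csrf_token::factory()->isValid()` / `->getHiddenField()` and to `rex_sql::setWhere($where, $params)` in the comments describes how the same pattern is expressed with REDAXO's own API and is likewise an assumption, not something the PR shows.

```php
<?php
// Added example (not from the rex_activity addon or PR #48): hardening pattern for
// the delete handlers flagged in review. Plain PHP so it runs stand-alone; the
// REDAXO counterparts named in comments are assumptions about that framework's API.

declare(strict_types=1);

/**
 * Compare the submitted form token with the token held server-side in the session.
 * hash_equals() keeps the comparison constant-time. REDAXO counterpart (assumed):
 * rex_csrf_token::factory('activity_log')->isValid(), with
 * ->getHiddenField() emitted inside the form.
 */
function csrfTokenIsValid(array $post, string $sessionToken): bool
{
    $submitted = $post['_csrf_token'] ?? '';
    return is_string($submitted) && $submitted !== '' && hash_equals($sessionToken, $submitted);
}

/**
 * Decide what a delete request may do. Returns [$where, $params] for the caller to
 * pass as $sql->setWhere($where, $params) (assumed rex_sql parameter binding), or
 * null when the request must be refused. No request data ever enters the SQL string.
 */
function buildDeleteWhere(array $post, bool $isAdmin, string $sessionToken): ?array
{
    // Admin check alone is not enough: a cross-site POST rides on the admin's session,
    // so the token check is what actually distinguishes the admin's own form submit.
    if (!$isAdmin || !csrfTokenIsValid($post, $sessionToken)) {
        return null;
    }

    if (($post['delete_all_logs'] ?? null) === '1') {
        return ['1 = 1', []]; // explicit "everything", still no user data in the clause
    }

    if (($post['delete_old_logs'] ?? null) === '1') {
        $cutoff = (new DateTimeImmutable('now'))->modify('-7 day')->format('Y-m-d H:i:s');
        return ['created_at <= :cutoff', ['cutoff' => $cutoff]];
    }

    if (isset($post['delete_single_log'])) {
        // Strict integer validation: "42 OR 1=1", "42.0" and "" are rejected outright
        // rather than being partially parsed by an (int) cast.
        $id = filter_var(
            $post['delete_single_log'],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($id === false) {
            return null;
        }
        return ['id = :id', ['id' => $id]];
    }

    return null; // no delete action requested
}

// Constructed demo input (not from the page). The session token would normally be
// generated once per session and stored server-side.
$sessionToken = bin2hex(random_bytes(32));
$ownSubmit    = ['_csrf_token' => $sessionToken, 'delete_single_log' => '42'];
$crossSite    = ['delete_single_log' => '42'];            // forged POST: no token
$tampered     = ['_csrf_token' => $sessionToken, 'delete_single_log' => '42 OR 1=1'];

var_dump(buildDeleteWhere($ownSubmit, true, $sessionToken));
var_dump(buildDeleteWhere($crossSite, true, $sessionToken));
var_dump(buildDeleteWhere($tampered, true, $sessionToken));
```

Only the first call yields a clause (`id = :id` with `42` bound as an integer); the token-less and the tampered requests both come back as `null`, so the handler has nothing to execute. Keeping the decision in a function that returns the clause and its parameters also makes the behaviour unit-testable without a database, which is how the three PHPStan-clean handlers in this PR could be covered.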
PHPStan Level 8 – complete type cleanup (1.0.0-beta2)
All 113 PHPStan level 8 errors have been fixed. The addon is now error-free at level 8.
Changed files
- `lib/Activity.php`: `self`, `new self()`, `assert()`
- `lib/ActivityClear.php`: `QuestionHelper` cast, validator signature `float|int|string`
- `lib/ActivityLogCronjob.php`: `@return array<int, array<string, mixed>>` for `getParamFields()`
- `lib/EP/EpTrait.php`: `callable` → `string|callable`, PHPDoc types for callbacks
- `lib/EP/User.php`: `rex_user` import, `@var` cast for `$params['user']`
- `lib/EP/Yform.php`: `ignoreErrors` via `phpstan.neon` (optional addon, not installed)
- `fragments/filter-form.php`: `(string)` cast for `htmlspecialchars()` / `ucfirst()`
- `pages/system.activity-log.php`: `rex::getUser()?->isAdmin() ?? false`
- `phpstan.neon`: `fragments/` as analysis path, `ignoreErrors` for `rex_yform_manager_table`
Result
PHPStan level 8, PHP 8.2, `phpstan.neon` in the addon root.