1.2.564. Incompatible Types With Incoming Values
This analysis reports invalid types used when data extracted from an HTTP request is passed to typed methods or constructors.
It is currently based on the \Symfony\Component\HttpFoundation\Request class and its related get*() methods.
The analysis also checks the usage of superglobals ($_GET, $_POST, ...) and the types their values may have.
<?php
class X {
    function __construct(int $a) {}
}

function foo(\Symfony\Component\HttpFoundation\Request $request) {
    // This is valid and typed
    $object = new X($request->getInt('value'));
    // This is wrong : value is a string, or even an array
    $object = new X($request->get('value'));
}

// This is missing the null type: $_GET['a'] may be absent from the request
function bar(array|string $arg) {}

bar($_GET['a']);
?>
1.2.564.1. Suggestions
Add a restriction on the incoming value before calling the typed methods
Add all possible incoming types (including null) to the method definition
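The two suggestions applied to the same kind of code, as an added example that is not part of the Exakat documentation. Symfony's Request class is real; the Order class, the buildOrder*() and describeQuery() functions and the 'quantity' and 'a' parameter names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the Exakat documentation. It shows the two
// suggestions side by side: restricting a request value before it reaches a
// typed method, and declaring every type a superglobal value can carry.
// Symfony's Request class is real; Order is a hypothetical consumer class.

use Symfony\Component\HttpFoundation\Request;

class Order
{
    public function __construct(private int $quantity) {}

    public function quantity(): int { return $this->quantity; }
}

// Weak form: Request::get() returns a string, an array or null, so under
// strict_types this is a TypeError at runtime, and even without strict_types
// an array or a non-numeric string still fails.
function buildOrderUnchecked(Request $request): Order
{
    return new Order($request->get('quantity'));
}

// Suggestion 1: add a restriction before calling the typed constructor.
function buildOrder(Request $request): Order
{
    $raw = $request->get('quantity');
    // Reject anything that is not a string holding an integer; arrays and
    // missing values (null) never reach the int parameter.
    if (!is_string($raw) || filter_var($raw, FILTER_VALIDATE_INT) === false) {
        throw new \InvalidArgumentException('quantity must be an integer');
    }
    $quantity = (int) $raw;
    if ($quantity < 1) {
        throw new \InvalidArgumentException('quantity must be positive');
    }
    return new Order($quantity);
}

// Suggestion 2: declare every type the incoming value may have.
// $_GET['a'] can be a string, an array (?a[]=1) or absent, so null is part of
// the signature and each case is handled explicitly instead of failing.
function describeQuery(array|string|null $arg): string
{
    return match (true) {
        $arg === null  => 'missing',
        is_array($arg) => 'array with ' . count($arg) . ' element(s)',
        default        => 'string "' . $arg . '"',
    };
}

echo describeQuery($_GET['a'] ?? null), PHP_EOL;
```

The `?? null` on the superglobal lookup keeps a missing key from raising an "Undefined array key" warning, and the nullable union type makes that absence a documented case rather than a crash in a later typed call.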
1.2.564.2. Specs
Short name | Security/IncompatibleTypesWithIncoming
Rulesets |
Exakat since | 2.5.0
PHP Version | All
Severity | Minor
Time To Fix | Quick (30 mins)
Precision | Medium
Features | typehint
Available in |