Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115455
Return-Path: <ocramius@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33086 invoked from network); 17 Jul 2021 14:41:10 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 17 Jul 2021 14:41:10 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id ADF9A1804F4
	for <internals@lists.php.net>; Sat, 17 Jul 2021 08:05:38 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <ocramius@gmail.com>
Received: from mail-ot1-f52.google.com (mail-ot1-f52.google.com [209.85.210.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 17 Jul 2021 08:05:38 -0700 (PDT)
Received: by mail-ot1-f52.google.com with SMTP id q1-20020a0568300181b02904ce5ae29628so1901723ota.2
        for <internals@lists.php.net>; Sat, 17 Jul 2021 08:05:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=aZJPSmSyy8jTEAm2DZM1YkxxhVgKQJCXjZ/H5bjXHSk=;
        b=DLmQqrR/ilW3NDEFkQXWrOtvuAbFu1YB6rQ/YSnPXA92O5B42X7mdG0V7zL8Y8a9no
         sIdB96f1p6YrTI0f4V7LbhaJoO9HTP7zZ7+KgjmAXw+ZXrAFsyt6ZY9qSuC8rN+6E7Fj
         df0mvTCFd+r8uDycorvx7So8c5MMySlXZzy8bxuVPoMapji6Ylhbp+SAfQDC4ECgnsq5
         z8BOn4C2ztzhF03FaUj9WVtfIuCdRLtx/6blce4uNrU1bbw7EbmUKPvy6oLrckrycOu9
         xfHiS2StDn44ZB0tZXGDdaO68mo3AWhU6lYTWKqsi5UGRvgsYu7j6K/7ObmJQZx2N/5y
         BHBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=aZJPSmSyy8jTEAm2DZM1YkxxhVgKQJCXjZ/H5bjXHSk=;
        b=Jx8+Ph2WZBWj6b4wo3gqdcu20RNmhgw9PWcegJdkwQ35l/gfV8l4deB7IG7PhvksTw
         jtz29bzOx8lVKXpjzQ48HcGM6FdXBsJj0yXep8hpEJm4I5jOxskIah/UBLmG1NN/YTj0
         9MJUp/Lh10jhl5qwRExo99TKbtyXD5jczGW3UAt6NQDYxrUu2DSDoYyNvZ94r0ieRslJ
         sc4m25TNn8P/0LkLP1+mOodEDap0JW6TKRpMZvHTtaYpGFdxVZhCpNF9QmzJkRdiB/5k
         3AOvgAsC8DxWCTQd8r1x/Mz3Yrls5gPeUHKu+SqthKdP314/ba1tKeR0Td7ceZA3vqYN
         dJaw==
X-Gm-Message-State: AOAM532quaO2lTnHpJP5xiao3RxLdzFR4apzaGhJlZd7TIKtmyFbw9/q
	fTqA1tvmTbBJBwkN0PJOgPOW8nHH9pZorPTf9+ZD5IScKh8sBTX+
X-Google-Smtp-Source: ABdhPJy8p/3590ispaS+5gxFLYQTDBI/9/OEgsQbtVTRWqrbdN3kC4MWywZBxtnNN6BZrdkkX8YcUIRy5VsxQK1K5U4=
X-Received: by 2002:a9d:651a:: with SMTP id i26mr12372017otl.148.1626534337849;
 Sat, 17 Jul 2021 08:05:37 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
In-Reply-To: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
Date: Sat, 17 Jul 2021 17:05:26 +0200
Message-ID: <CADyq6s+eu4bLM3Z+28Vd0BoGzdbXRyG2Hw9OXqQtyok32p1CJQ@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000006c2acc05c753093a"
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: ocramius@gmail.com (Marco Pivetta)

--0000000000006c2acc05c753093a
Content-Type: text/plain; charset="UTF-8"

Hey Craig,

On Mon, Jul 5, 2021 at 8:15 PM Craig Francis <craig@craigfrancis.co.uk>
wrote:

> Hi Internals,
>
> I have opened voting on https://wiki.php.net/rfc/is_literal for the
> is-literal function.
>
> The vote closes 2021-07-19
>
> The proposal is to add the function is_literal(), a simple way to identify
> if a string was written by a developer, removing the risk of a variable
> containing an Injection Vulnerability.
>
> This implementation is for literal strings ONLY (after discussion over
> allowing integers) and, thanks to the amazing work of Joe Watkins, now
> works fully with compiler optimisations, interned strings etc.
>
> Craig
>

I ended up voting "no" on this.

Even though I used to work on Doctrine ORM for years, and we had a private
discussion around this, my belief is that this is not a runtime problem,
but rather a type-level issue with tainted/untainted input/output.

This has been brought up in the discussion phase by Tyson Andre, as far as
I remember.

There is good progress in taint analysis in Psalm, specifically:

 * https://psalm.dev/articles/detect-security-vulnerabilities-with-psalm
 * https://psalm.dev/docs/security_analysis/

There's also the issue, from my end, that I would like the ecosystem to
pick up static analysis more, rather than people adding more runtime
roadblocks to their code, leading to further complexity in error analysis.
This is my personal push for putting more problems into build-time rather
than runtime.

You could call it a political choice to push a tool like psalm, instead of
the language having a runtime construct to further "duck-type safety".

In addition to that, a mechanism to un-taint values is missing, but it is
not a concept symmetrical to `is_literal()`.

Greets,

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/

--0000000000006c2acc05c753093a--