Hi,
Regarding PSR-3 (Logger Interface), at the moment the $message is simply defined as a string (or stringable).
That's fine, but it relies on the developer understanding that they cannot include untrusted user values in the message, and for them to never make a mistake - which could lead to a log-injection vulnerability.
Since September 2021, both PHPStan and Psalm support the `literal-string` type:
This allows static analysis tools to check $message is a trusted developer defined string; it can still use variables, and it supports concatenation as well (so long as all of the strings are also of the literal-string type), so I'm hopeful that it's relaxed enough of a check to not cause problems, while still identifying mistakes that could lead to a security issue.
I'm wondering if this would be appropriate to use in a future version of the Logger Interface?
Something like:
Thanks,
Craig
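An added illustration of the proposal above (example code written for this page, not part of PSR-3, PHPStan, Psalm, or Craig's message): a PSR-3-style `log()` method whose `$message` is annotated `literal-string`, beside a minimal logger that only lets untrusted data in through `{placeholder}` substitution. The interface name `LiteralMessageLogger`, the class `ArrayLogger`, the `sanitise()` helper and the sample input are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Example only: LiteralMessageLogger / ArrayLogger are hypothetical names,
// chosen to mirror the PSR-3 log() signature with a narrowed $message type.

interface LiteralMessageLogger
{
    /**
     * Same shape as PSR-3's log(), but $message is constrained to a
     * developer-written literal so static analysis rejects untrusted input.
     *
     * @param literal-string $message
     * @param array<string, mixed> $context
     */
    public function log(string $level, string $message, array $context = []): void;
}

final class ArrayLogger implements LiteralMessageLogger
{
    /** @var list<string> */
    public array $lines = [];

    /**
     * @param literal-string $message
     * @param array<string, mixed> $context
     */
    public function log(string $level, string $message, array $context = []): void
    {
        $replacements = [];
        foreach ($context as $key => $value) {
            // Untrusted values only ever reach the log via placeholders, so this
            // loop is the single choke point where they are neutralised.
            $replacements['{' . $key . '}'] = self::sanitise($value);
        }
        // strtr() does not re-scan substituted text, so a context value that
        // itself contains "{user}" cannot trigger a second expansion.
        $this->lines[] = strtoupper($level) . ': ' . strtr($message, $replacements);
    }

    private static function sanitise(mixed $value): string
    {
        $text = (is_scalar($value) || $value instanceof \Stringable)
            ? (string) $value
            : (string) json_encode($value);
        // A raw CR/LF in a context value would let an attacker forge a new log
        // line; escape them so the entry stays on one line (assumed policy).
        return str_replace(["\r", "\n"], ['\r', '\n'], $text);
    }
}

$logger = new ArrayLogger();
// Constructed sample of attacker-controlled input containing a line break.
$username = "alice\nERROR: fake entry";

// Accepted by PHPStan/Psalm: $message is a literal, the data travels in $context.
$logger->log('info', 'Login failed for {user}', ['user' => $username]);

// Rejected by PHPStan/Psalm: concatenating $username turns $message into a
// plain string, so the literal-string check reports a type mismatch.
// $logger->log('info', 'Login failed for ' . $username);

foreach ($logger->lines as $line) {
    echo $line, PHP_EOL;
}
```

Running the file prints a single `INFO:` line with the injected newline rendered as a literal `\n` rather than a second log entry. The commented-out call is the case the `literal-string` annotation is meant to catch: concatenation with a non-literal collapses the type to `string`, so the analyser flags it at review time instead of the mistake surfacing as a log-injection report later.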