PSR Log, and literal-string


Craig Francis

May 31, 2023, 6:12:49 AM
to PHP Framework Interoperability Group
Hi,

Regarding PSR-3 (Logger Interface), at the moment the $message is simply defined as a string (or stringable).

That's fine, but it relies on the developer understanding that they cannot include untrusted user values in the message, and for them to never make a mistake - which could lead to a log-injection vulnerability.

Since September 2021, both PHPStan and Psalm support the `literal-string` type:


This allows static analysis tools to check $message is a trusted developer defined string; it can still use variables, and it supports concatenation as well (so long as all of the strings are also of the literal-string type), so I'm hopeful that it's relaxed enough of a check to not cause problems, while still identifying mistakes that could lead to a security issue.

I'm wondering if this would be appropriate to use in a future version of the Logger Interface?

Something like:


Thanks,
Craig

Adrien Crivelli

Jun 1, 2023, 10:44:26 AM
to PHP Framework Interoperability Group
Hi

This would still accept any (unsafe) Stringable as can be seen in:

Cheers,

Adrien

Craig Francis

Jun 1, 2023, 11:37:33 AM
to php...@googlegroups.com
Hi Adrien,

Taking the following example, showing the typical mistake developers make:

<?php
// Untrusted request value, taken straight from the query string.
$search = ($_GET['q'] ?? '');

// The mistake: the untrusted value is interpolated into $message itself,
// so $message is no longer a developer-defined (literal) string.
$logger->info("User $userId search $search");

When their static analysis tool complains (because $message is not a literal-string), I suppose they could decide to use a Stringable object, but I'd hope it would prompt them to use placeholders, e.g.


I take the view that at least they were told.

Craig
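To make the two sides of this exchange concrete, here is an added example that is not from the thread or from PSR-3 itself: a minimal logger that expands PSR-3 `{placeholders}` from $context and neutralises control characters in context values, run once with the interpolation mistake and once with the placeholder form. `DemoLogger`, the `literal-string` docblock on `$message`, and the fallback query value are assumptions made for the example.

```php
<?php
// Added example (not from the thread). A minimal PSR-3 style logger that
// expands {placeholders} from $context and strips control characters from
// context values, so an untrusted value cannot start a new log line.
// The `literal-string` docblock type is what PHPStan/Psalm check; PHP itself
// does not enforce it at runtime.

final class DemoLogger
{
    /** @var list<string> */
    public array $lines = [];

    /**
     * @param literal-string      $message developer-defined template only
     * @param array<string,mixed> $context untrusted values go here
     */
    public function info(string $message, array $context = []): void
    {
        $replace = [];
        foreach ($context as $key => $value) {
            // Replace CR, LF and other control characters: the value is data,
            // it must not be able to terminate or forge a log entry.
            $safe = preg_replace('/[\x00-\x1F\x7F]/', ' ', (string) $value);
            $replace['{' . $key . '}'] = $safe;
        }
        $this->lines[] = '[INFO] ' . strtr($message, $replace);
    }
}

// Request input as in the thread; the fallback is a constructed value for CLI
// runs, carrying a newline that would forge a second log entry.
$search = (string) ($_GET['q'] ?? "laptops\n[INFO] User 1 granted admin role");
$userId = 42;

$bad = new DemoLogger();
// The mistake discussed above: the untrusted value is interpolated into
// $message. With a literal-string parameter, PHPStan/Psalm report this call.
$bad->info("User $userId search $search");

$good = new DemoLogger();
// Placeholder form: $message is a literal string, the value rides in $context.
$good->info('User {user} search {q}', ['user' => $userId, 'q' => $search]);

// The first log shows two entries, the second of which the requester wrote;
// the placeholder form keeps the same data on a single line.
echo "--- interpolated ---\n", implode("\n", $bad->lines), "\n";
echo "--- placeholders ---\n", implode("\n", $good->lines), "\n";
```

Run under PHPStan or Psalm, only the `$bad->info(...)` call is reported, which is the "at least they were told" behaviour described above.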
