Page MenuHomePhabricator
Create Task
Maniphest T386570

phan-taint-check test failure for exit/die with php8.4
Closed, ResolvedPublic
Actions

Description

exit and die changed from language construct to functions - https://php.watch/versions/8.4/exit-die-as-functions

This also affects phan-taint-check how to detect exit and die calls

1) SecurityCheckTest::testIntegration with data set "exit" ('exit', 'integration/exit/test.php:4 S...aped\n')
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'integration/exit/test.php:4 SecurityCheck-XSS Echoing expression that was not html escaped\n
-integration/exit/test.php:14 SecurityCheck-XSS Echoing expression that was not html escaped\n
-'
+''

/src/tests/SecurityCheckTest.php:181

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Bump phan/phan to 5.4.6mediawiki/tools/phan/SecurityCheckPluginmaster+1 -6
Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Test on PHP 8.4integration/configmaster+2 -13
Add taintedness data for exit() and die() as functionsmediawiki/tools/phan/SecurityCheckPluginmaster+25 -3
Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Disable on PHP 8.4integration/configmaster+15 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Umherirrender created this task.Feb 16 2025, 12:54 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 16 2025, 12:54 AM
Umherirrender added a project: PHP 8.4 support.Feb 16 2025, 12:54 AM
gerritbot added a comment.Feb 16 2025, 4:17 AM

Change #1119862 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] Add taintedness data for exit() and die() as functions

https://gerrit.wikimedia.org/r/1119862

gerritbot added a project: Patch-For-Review.Feb 16 2025, 4:17 AM
Daimona claimed this task.Feb 16 2025, 4:17 AM
Reedy moved this task from Backlog to Other on the PHP 8.4 support board.Feb 21 2025, 10:51 PM
Umherirrender unsubscribed.Feb 25 2025, 5:30 PM
Jdforrester-WMF mentioned this in T386108: Make PHP 8.4 voting on development (master) branch of MW ecosystem (core, vendor, extensions, skins, libraries) in CI.Mar 4 2025, 1:00 AM
gerritbot added a comment.Mar 4 2025, 1:31 AM

Change #1124215 had a related patch set uploaded (by Jforrester; author: Jforrester):

[integration/config@master] Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Disable on PHP 8.4

https://gerrit.wikimedia.org/r/1124215

gerritbot added a comment.Mar 4 2025, 1:42 AM

Change #1124215 merged by jenkins-bot:

[integration/config@master] Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Disable on PHP 8.4

https://gerrit.wikimedia.org/r/1124215

Stashbot added a comment.Mar 4 2025, 1:42 AM

Mentioned in SAL (#wikimedia-releng) [2025-03-04T01:42:58Z] <James_F> Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Disable on PHP 8.4, for T386570

gerritbot added a comment.Mar 7 2025, 5:17 PM

Change #1119862 merged by jenkins-bot:

[mediawiki/tools/phan/SecurityCheckPlugin@master] Add taintedness data for exit() and die() as functions

https://gerrit.wikimedia.org/r/1119862

Umherirrender closed this task as Resolved.Mar 7 2025, 5:19 PM
Umherirrender removed a project: Patch-For-Review.
Stashbot added a comment.Mar 7 2025, 8:53 PM

Mentioned in SAL (#wikimedia-releng) [2025-03-07T20:53:50Z] <James_F> Zuul: [wikipeg] Enable PHP 8.4 as voting, for T386570

Stashbot added a comment.Mar 7 2025, 9:00 PM

Mentioned in SAL (#wikimedia-releng) [2025-03-07T21:00:23Z] <James_F> Zuul: [mediawiki/libs/Shellbox] Enable PHP 8.4 as voting, for T386570

Jdforrester-WMF subscribed.Mar 7 2025, 9:01 PM

I'm not sure this is "Resolved"; we had to temporarily drop CI running PHP 8.4 for the mediawiki/tools/phan/SecurityCheckPlugin repo just to get the patch to pass. :-(

Jdforrester-WMF reopened this task as Open.Mar 7 2025, 9:02 PM
Daimona added a project: Upstream.Mar 7 2025, 9:34 PM

Yeah, tests are still failing because phan isn't ready for PHP 8.4 (I'm not sure to what degree, i.e. if it's just the expected test output, or if it has more serious bugs). Tagging as upstream, since this is now tracked in https://github.com/phan/phan/issues/4894. To kick things off, I made a small patch to require a newer version of php-ast with PHP 8.4. Then there's going to be more to do, but I'd rather wait until this first PR is merged (and see how long it takes).

Daimona moved this task from Backlog to Reported Upstream on the Upstream board.Mar 7 2025, 9:34 PM
Umherirrender added a comment.Mar 7 2025, 9:46 PM

The failure on taint for exit/die is gone, only the upstream tests are failing (running after taint tests). Maybe the upstream problems with php8.4 needs tracking in phabricator, but taint as-is should be fine for php8.4 (from my understand of the current situation, but it also okay to keep this task open).

Daimona added a comment.Mar 7 2025, 10:19 PM

I thought we could track that here. After all, phan tests are part of the seccheck test suite, so the task title still applies. As for supporting running on PHP 8.4 (the real deal), I too believe we won't need to make any other changes once it's supported upstream.

Daimona moved this task from Reported Upstream to Patch merged upstream on the Upstream board.May 31 2025, 4:27 PM

There has been some activity upstream, and the test suite now passes on PHP 8.4. So we're just waiting for a release.

gerritbot added a comment.Jun 9 2025, 2:07 PM

Change #1154823 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] Bump phan/phan to 5.4.6

https://gerrit.wikimedia.org/r/1154823

gerritbot added a project: Patch-For-Review.Jun 9 2025, 2:07 PM
gerritbot added a comment.Jun 9 2025, 2:09 PM

Change #1154824 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[integration/config@master] Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Test on PHP 8.4

https://gerrit.wikimedia.org/r/1154824

gerritbot added a comment.Jun 9 2025, 2:15 PM

Change #1154824 merged by jenkins-bot:

[integration/config@master] Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Test on PHP 8.4

https://gerrit.wikimedia.org/r/1154824

Stashbot added a comment.Jun 9 2025, 2:16 PM

Mentioned in SAL (#wikimedia-releng) [2025-06-09T14:16:28Z] <James_F> Zuul: [mediawiki/tools/phan/SecurityCheckPlugin] Test on PHP 8.4, for T386570

Krinkle added a subtask: T396312: Figure out why php-ast sometimes loses MAGIC_* flags in PHP 8.3.Jun 12 2025, 6:09 PM
gerritbot added a comment.Jun 13 2025, 2:25 PM

Change #1154823 merged by jenkins-bot:

[mediawiki/tools/phan/SecurityCheckPlugin@master] Bump phan/phan to 5.4.6

https://gerrit.wikimedia.org/r/1154823

Maintenance_bot removed a project: Patch-For-Review.Jun 13 2025, 2:30 PM
Daimona closed this task as Resolved.Jun 13 2025, 3:22 PM
Daimona moved this task from Patch merged upstream to Patch released upstream on the Upstream board.
hashar closed subtask T396312: Figure out why php-ast sometimes loses MAGIC_* flags in PHP 8.3 as Resolved.Jun 13 2025, 3:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits