Package Magic - Prohibited Code Check Plugin Documentation

[ Package Magic ]

Prohibited Code Check Plugins

Prohibited Code Checks are implemented through pluggable checks.

Functionality can be extended by adding plugin classes for additional Prohibited Code Checks. Prohibited Code Check plugins are simple classes that provide the functionality to apply code checks to files . They should inherit from ProhibitedCodeCheckPluginBase. Details are provided by comments in the code.

Plugins can be added by placing the plugin classes at packages/anyPackageName/src/PackageMagic/ProhibitedCodeCheck/PluginsPluginName or application/src/PackageMagic/ProhibitedCodeCheck/PluginsPluginName. Plugins can also be similarly placed beneath any namespace declared in a package controller's AutoloaderRegistries.

[ Package Magic ]

Alternative Syntax

Detect alternative syntax, generally discouraged.

Alternative syntax are control structures using colons and ending with: endfor, endforeach, endif, endswitch, endwhile.

[ Package Magic ]

Controller Methods

Detect deprecated concrete5 controller methods.

See Deprecated Code Refernece (ongoing) for details. Deprecated code may be necessary for backward compatibility with older concrete5 core versions.

[ Package Magic ]

Deprecated Code

Detect deprecated concrete5 API use.

See Deprecated Code Refernece (ongoing) for details. Deprecated code may be necessary for backward compatibility with older concrete5 core versions.

[ Package Magic ]

Direct MySQL Calls

Detect direct MySQL and MySQLi calls.

Forbidden MySQL functions are based on those listed by goutnet at Forbidden Functions and C5 Forbidden functions: mysql_affected_rows, mysql_client_encoding, mysql_close, mysql_connect, mysql_create_db, mysql_data_seek, mysql_db_name, mysql_db_query, mysql_drop_db, mysql_errno, mysql_error, mysql_escape_string, mysql_fetch_array, mysql_fetch_assoc, mysql_fetch_field, mysql_fetch_lengths, mysql_fetch_object, mysql_fetch_row, mysql_field_flags, mysql_field_len, mysql_field_name, mysql_field_seek, mysql_field_table, mysql_field_type, mysql_free_result, mysql_get_client_info, mysql_get_host_info, mysql_get_proto_info, mysql_get_server_info, mysql_info, mysql_insert_id, mysql_list_dbs, mysql_list_fields, mysql_list_processes, mysql_list_tables, mysql_num_fields, mysql_num_rows, mysql_pconnect, mysql_ping, mysql_query, mysql_real_escape_string, mysql_result, mysql_select_db, mysql_set_charset, mysql_stat, mysql_tablename, mysql_thread_id, mysql_unbuffered_query, mysqli_bind_param, mysqli_bind_result, mysqli_client_encoding, mysqli_connect, mysqli_disable_reads_from_master, mysqli_disable_rpl_parse, mysqli_driver, mysqli_enable_reads_from_master, mysqli_enable_rpl_parse, mysqli_escape_string, mysqli_execute, mysqli_fetch, mysqli_get_cache_stats, mysqli_get_metadata, mysqli_master_query, mysqli_param_count, mysqli_report, mysqli_result, mysqli_rpl_parse_enabled, mysqli_rpl_probe, mysqli_send_long_data, mysqli_set_opt, mysqli_slave_query, mysqli_sql_exception, mysqli_stmt, mysqli_warning

[ Package Magic ]

Empty File

Detect empty files.

Empty files are generally superfluous, but in some circumstances may actually be necessary. A file is deemed empty if it contains nothing save white space.

[ Package Magic ]

Empty Methods

Detect empty methods and blocks.

Empty methods and blocks are generally superfluous, but in some circumstances may actually be necessary.

[ Package Magic ]

Facades and Aliases

Detect use of facades and aliases.

See Deprecated Code Refernece (ongoing) for details. Facades and Aliases are usually better expressed using the full namespace. Deprecated code may be necessary for backward compatibility with older concrete5 core versions.

[ Package Magic ]

Forbidden Classes

Detect use of forbidden classes.

See Deprecated Code Refernece (ongoing) for details. Forbidden classes are typically deprecated compatibility classes from when concrete5.7 was first introduced. Classes detected: Loader, TaskPermission

[ Package Magic ]

Forbidden Functions

Detect php functions prohibited in marketplace packages.

Forbidden php functions are based on those listed by goutnet at Forbidden Functions and C5 Forbidden functions: eval, exec, passthru, printer_abort, printer_close, printer_create_brush, printer_create_dc, printer_create_font, printer_create_pen, printer_delete_brush, printer_delete_dc, printer_delete_font, printer_delete_pen, printer_draw_bmp, printer_draw_chord, printer_draw_elipse, printer_draw_line, printer_draw_pie, printer_draw_rectangle, printer_draw_roundrect, printer_draw_text, printer_end_doc, printer_end_page, printer_get_option, printer_list, printer_logical_fontheight, printer_open, printer_select_brush, printer_select_font, printer_select_pen, printer_set_option, printer_start_doc, printer_start_page, printer_write, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system

[ Package Magic ]

Forbidden Keywords

Detect php keywords prohibited in marketplace packages.

Forbidden php keywords are: eval, goto. Other forbidden keywords are detected by other checks.

[ Package Magic ]

Include and Require

Include and require are prohibited in marketplace packages.

Forbidden keywords are: include, include_once, require, require_once.

[ Package Magic ]

Modifies Permissions

Detect modification of file system permissions.

Do not modify file system permissions: chown, chmod, chgrp.

[ Package Magic ]

Only Comments File

Detect files empty save for comments.

Files that are empty save for comments are generally superfluous, but in some circumstances may actually be necessary. A file is deemed empty if it contains nothing save white space and comments.

[ Package Magic ]

Php Cookie Management

Detect php native cookie management.

Do not use php cookie management including $_COOKIE and functions: setcookie, setrawcookie.
Use core API calls.

[ Package Magic ]

Php Filesystem

Detect php filesystem functions.

Core API calls should be used in place of php filesystem functions: delete, feof, fflush, fgetc, fgetcsv, fgets, fgetss, file_get_contents, file_put_contents, file, filegroup, fileinode, fileowner, fileperms, flock, fopen, fpassthru, fputcsv, fputs, fread, fscanf, fseek, fstat, ftell, ftruncate, fwrite, lchgrp, lchown, link, linkinfo, lstat, move_uploaded_file, pclose, popen, readfile, readlink, realpath_cache_get, rename, rewind, set_file_buffer, symlink, tempnam, tmpfile, touch, umask, unlink, mkdir, rmdir, chdir, chroot, closedir, dir, getcwd, opendir, readdir, rewinddir, scandir, dio_close, dio_fcntl, dio_open, dio_read, dio_seek, dio_stat, dio_tcsetattr, dio_truncate, dio_write, finfo_buffer, finfo_close, finfo_file, finfo_open, finfo_set_flags, mime_content_type, inotify_add_watch, inotify_init, inotify_queue_len, inotify_read, inotify_rm_watch, xattr_get, xattr_list, xattr_remove, xattr_set, xattr_supported.

[ Package Magic ]

Php Session Management

Detect php native session management.

Do not use php session management including $_SESSION and functions: session_abort, session_cache_expire, session_cache_limiter, session_commit, session_create_id, session_decode, session_destroy, session_encode, session_gc, session_get_cookie_params, session_id, session_is_registered, session_module_name, session_name, session_regenerate_id, session_register_shutdown, session_register, session_reset, session_save_path, session_set_cookie_params, session_set_save_handler, session_start, session_status, session_unregister, session_unset, session_write_close.
Use core API calls.

[ Package Magic ]

Short Tags

Detect php alternative short tags.

Short Tags refers to <? and <?= opening tags. Checking of <?= depends on minimum core version for a package.

[ Package Magic ]

SuperGlobals

Detect superglobals prohibited in marketplace packages.

$_FILES is detected and advised. Superglobals forbidden are: $_GET, $_POST, $_REQUEST, $_ENV, $GLOBALS, $_SERVER. $_SESSION and $_COOKIE also forbidden and detected in their own specific checks