diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..479039a
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,77 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.0.1] - 2024-01-31
+
+### Added
+
+#### Core Features
+- Recursive taint analysis for tracking user input through function calls
+- Multi-language support (Japanese/English)
+- Syntax highlighting in terminal output
+- Multiple output formats: text, JSON, HTML, SARIF, Markdown
+- Docker support for easy deployment
+- Configuration file support (.security-lint.json)
+
+#### Vulnerability Detection
+
+**XSS (Cross-Site Scripting)**
+- Blade `{!! !!}` raw output detection
+- JavaScript context XSS
+- Event handler attribute XSS
+- URL context XSS (javascript: URLs)
+- Style injection
+- Template injection
+- Escape bypass function detection
+- Dangerous hardcoded HTML detection
+
+**SQL Injection**
+- Laravel Query Builder raw methods
+- PDO/MySQLi direct queries
+- String concatenation in queries
+- Sanitizer bypass detection
+
+**Command Injection**
+- Shell execution functions (exec, shell_exec, system, etc.)
+- Code execution functions (eval, create_function, etc.)
+- Dynamic file includes
+- Symfony Process usage
+
+**Path Traversal**
+- File operation functions
+- Laravel Storage operations
+- File download/upload
+
+**Authentication Security**
+- Weak hash algorithms (MD5, SHA1)
+- Hardcoded credentials detection
+- Timing-vulnerable comparisons
+
+**CSRF/Session Security**
+- Missing CSRF tokens
+- Insecure session configuration
+- Session fixation
+
+**Configuration Security**
+- Debug output (phpinfo, var_dump, dd)
+- Insecure unserialize
+- Sensitive information logging
+
+**Laravel-Specific Security**
+- Mass Assignment (missing $fillable/$guarded)
+- Raw SQL injection (DB::raw, whereRaw without bindings)
+- CSRF protection (forms without @csrf)
+- File upload validation (extensions-only without mimes)
+- Route authentication middleware
+- Rate limiting for auth routes
+
+### Security
+- Safe pattern recognition for Laravel helpers (route(), url(), action())
+- Value-based credential detection to reduce false positives
+- Escape function recognition (htmlspecialchars, e(), etc.)
+
+[0.0.1]: https://github.com/security-linter/php-laravel/releases/tag/v0.0.1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..f5d5843
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,204 @@
+# Contributing to PHP/Laravel Security Linter
+
+Thank you for your interest in contributing to this project! This document provides guidelines and instructions for contributing.
+
+## Code of Conduct
+
+Please be respectful and constructive in all interactions. We welcome contributors of all experience levels.
+
+## How to Contribute
+
+### Reporting Bugs
+
+1. Check if the issue already exists in [GitHub Issues](https://github.com/security-linter/php-laravel/issues)
+2. If not, create a new issue with:
+ - Clear description of the problem
+ - Steps to reproduce
+ - Expected vs actual behavior
+ - PHP/Laravel versions
+ - Sample code that triggers the issue
+
+### Reporting False Positives/Negatives
+
+Security linters can produce false positives (safe code flagged as vulnerable) or false negatives (vulnerable code not detected). Please report these with:
+- The code snippet being analyzed
+- Why you believe it's a false positive/negative
+- Any relevant context
+
+### Suggesting Features
+
+1. Check existing issues and discussions
+2. Create a new issue describing:
+ - The vulnerability type you want to detect
+ - Example vulnerable and safe code patterns
+ - References to security documentation (CWE, OWASP, etc.)
+
+### Pull Requests
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/your-feature-name`
+3. Make your changes
+4. Test your changes
+5. Commit with clear messages
+6. 
Push and create a Pull Request
+
+## Development Setup
+
+### Requirements
+
+- PHP 8.1+
+- Composer
+
+### Installation
+
+```bash
+git clone https://github.com/security-linter/php-laravel.git
+cd php-laravel
+composer install
+```
+
+### Running the Linter
+
+```bash
+# Analyze a file
+php bin/security-lint path/to/file.php
+
+# Analyze a directory
+php bin/security-lint path/to/directory/
+```
+
+### Project Structure
+
+```
+├── bin/
+│ └── security-lint # CLI entry point
+├── src/
+│ ├── SecurityLinter.php # Main linter class
+│ ├── Rules/ # Detection rules
+│ │ ├── XssRule.php
+│ │ ├── SqlInjectionRule.php
+│ │ ├── CommandInjectionRule.php
+│ │ ├── PathTraversalRule.php
+│ │ ├── AuthenticationRule.php
+│ │ ├── CsrfRule.php
+│ │ ├── InsecureConfigRule.php
+│ │ └── LaravelSecurityRule.php
+│ ├── Analysis/ # Analysis utilities
+│ │ ├── TaintAnalyzer.php
+│ │ └── FunctionAnalyzer.php
+│ ├── Report/ # Report generation
+│ │ ├── Vulnerability.php
+│ │ └── ReportGenerator.php
+│ └── I18n/ # Internationalization
+│ └── Messages.php
+├── docs/ # Documentation
+│ ├── DETECTION_RULES.md
+│ └── QUICK_REFERENCE.md
+└── test-samples/ # Test samples
+```
+
+## Adding New Detection Rules
+
+### 1. Create a New Rule Class
+
+Create a new file in `src/Rules/`:
+
+```php
+rules = [
+ // ... existing rules
+ new YourNewRule(),
+ ];
+}
+```
+
+### 3. Add Messages
+
+Add messages in `src/I18n/Messages.php` for both Japanese and English:
+
+```php
+// Japanese
+'your_rule.name' => 'ルール名',
+'your_rule.vulnerability_message' => '脆弱性の説明...',
+
+// English
+'your_rule.name' => 'Rule Name',
+'your_rule.vulnerability_message' => 'Vulnerability description...',
+```
+
+### 4. 
Update Documentation
+
+- Add detection patterns to `docs/DETECTION_RULES.md`
+- Update README.md if needed
+
+## Testing
+
+### Manual Testing
+
+Create test files in `test-samples/` to verify detection:
+
+```php
+ true
+- Add messages in Japanese and English
+- Update DETECTION_RULES.md
+
+Fixes #123
+```
+
+## Questions?
+
+Feel free to open an issue for questions or discussions.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..be06e4e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Security Linter Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 51a2035..242e0a8 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ No PHP or Composer environment required. ```bash # Clone the repository -git clone https://github.com/your-org/php-laravel-security-linter.git +git clone https://github.com/security-linter/php-laravel.git cd php-laravel-security-linter # Install (builds Docker image and installs command) @@ -49,7 +49,7 @@ php-security-lint app/ -s high Requires PHP 8.1+ and Composer. ```bash -git clone https://github.com/your-org/php-laravel-security-linter.git +git clone https://github.com/security-linter/php-laravel.git cd php-laravel-security-linter composer install php bin/security-lint /path/to/target @@ -207,7 +207,7 @@ Place `.security-lint.json` in your project root to persist settings: ``` ╔════════════════════════════════════════════════════════════╗ -║ PHP/Laravel Security Linter v1.0.0 ║ +║ PHP/Laravel Security Linter v0.0.1 ║ ╚════════════════════════════════════════════════════════════╝ Analyzing: app/ @@ -267,7 +267,7 @@ jobs: - name: Run Security Linter run: | docker run --rm -v ${{ github.workspace }}:/target \ - ghcr.io/your-org/php-security-linter:latest \ + ghcr.io/security-linter/php-laravel:latest \ /target -s high -f sarif -o /target/security.sarif - name: Upload SARIF @@ -280,7 +280,7 @@ jobs: ```yaml security-lint: - image: ghcr.io/your-org/php-security-linter:latest + image: ghcr.io/security-linter/php-laravel:latest script: - security-lint . -s medium -f json -o security-report.json artifacts: @@ -336,7 +336,7 @@ PHPやComposerの環境構築なしで使用できます。 ```bash # リポジトリをクローン -git clone https://github.com/your-org/php-laravel-security-linter.git +git clone https://github.com/security-linter/php-laravel.git cd php-laravel-security-linter # インストール (Dockerイメージのビルドとコマンドのインストール) 
@@ -357,7 +357,7 @@ php-security-lint app/ -s high PHP 8.1以上とComposerが必要です。 ```bash -git clone https://github.com/your-org/php-laravel-security-linter.git +git clone https://github.com/security-linter/php-laravel.git cd php-laravel-security-linter composer install php bin/security-lint /path/to/target @@ -515,7 +515,7 @@ php bin/security-lint app/ -l en ``` ╔════════════════════════════════════════════════════════════╗ -║ PHP/Laravel セキュリティリンター v1.0.0 ║ +║ PHP/Laravel セキュリティリンター v0.0.1 ║ ╚════════════════════════════════════════════════════════════╝ 解析中: app/ @@ -575,7 +575,7 @@ jobs: - name: Run Security Linter run: | docker run --rm -v ${{ github.workspace }}:/target \ - ghcr.io/your-org/php-security-linter:latest \ + ghcr.io/security-linter/php-laravel:latest \ /target -s high -f sarif -o /target/security.sarif - name: Upload SARIF @@ -588,7 +588,7 @@ jobs: ```yaml security-lint: - image: ghcr.io/your-org/php-security-linter:latest + image: ghcr.io/security-linter/php-laravel:latest script: - security-lint . -s medium -f json -o security-report.json artifacts: diff --git a/bin/security-lint b/bin/security-lint index 70efad9..8f033b7 100755 --- a/bin/security-lint +++ b/bin/security-lint @@ -35,7 +35,7 @@ use SecurityLinter\I18n\Messages; */ class SecurityLintCLI { - private const VERSION = '1.0.0'; + private const VERSION = '0.0.1'; /** @var array Default directories/patterns to exclude */ private const DEFAULT_EXCLUDES = [ diff --git a/composer.json b/composer.json index f0493c8..093409c 100644 --- a/composer.json +++ b/composer.json 
@@ -1,8 +1,31 @@ { "name": "security-linter/php-laravel", - "description": "Security linter for PHP and Laravel applications", + "description": "A static security analysis tool for PHP and Laravel applications with recursive taint analysis", + "version": "0.0.1", "type": "project", "license": "MIT", + "keywords": [ + "security", + "linter", + "static-analysis", + "php", + "laravel", + "xss", + "sql-injection", + "vulnerability", + "sast" + ], + "homepage": "https://github.com/security-linter/php-laravel", + "support": { + "issues": "https://github.com/security-linter/php-laravel/issues", + "source": "https://github.com/security-linter/php-laravel" + }, + "authors": [ + { + "name": "Security Linter Contributors", + "homepage": "https://github.com/security-linter/php-laravel/contributors" + } + ], "autoload": { "psr-4": { "SecurityLinter\\": "src/" @@ -12,5 +35,13 @@ "php": ">=8.1", "nikic/php-parser": "^5.0" }, - "bin": ["bin/security-lint"] + "require-dev": { + "phpunit/phpunit": "^10.0" + }, + "bin": [ + "bin/security-lint" + ], + "config": { + "sort-packages": true + } } diff --git a/docs/DETECTION_RULES.md b/docs/DETECTION_RULES.md index 14b5b91..358a052 100644 --- a/docs/DETECTION_RULES.md +++ b/docs/DETECTION_RULES.md @@ -1092,6 +1092,6 @@ php bin/security-lint app/ -l en ## バージョン -- ドキュメント作成日: 2024 -- 対応 PHP バージョン: 8.0+ +- バージョン: 0.0.1 +- 対応 PHP バージョン: 8.1+ - 対応 Laravel バージョン: 9.x, 10.x, 11.x diff --git a/src/Report/ReportGenerator.php b/src/Report/ReportGenerator.php index 4546ac9..b6e583c 100644 --- a/src/Report/ReportGenerator.php +++ b/src/Report/ReportGenerator.php @@ -299,7 +299,7 @@ HTML; 'tool' => [ 'driver' => [ 'name' => 'PHP/Laravel Security Linter', - 'version' => '1.0.0', + 'version' => '0.0.1', ], ], 'results' => $results,
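Review bot: The added `"version": "0.0.1"` line in composer.json creates a third hand-maintained copy of the release version, next to `private const VERSION` in bin/security-lint and the SARIF driver `'version'` in src/Report/ReportGenerator.php, and this very diff shows the cost — all three had to be corrected from 1.0.0 in one commit. Composer's documentation recommends omitting `version` for packages whose version comes from VCS tags, since the tag already carries it and a forgotten field later contradicts it; the CHANGELOG link to `releases/tag/v0.0.1` suggests tagging is the intended flow, so the line can simply be dropped. For the two remaining PHP copies, a single constant that the SARIF generator reads would stop the report's tool version from silently drifting away from the CLI banner. Also, `require-dev` now pulls in phpunit but no `autoload-dev` mapping is added alongside it; whether a test suite exists elsewhere is not visible from this diff.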