- Change all URLs from github.com to opensource.rogarithm.net
- Update Docker image references to local build (php-security-linter:latest)
- Fix Gitea Issues URL in CONTRIBUTING.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Version updates:
- Set version to 0.0.1 across all files
- Update CLI banner, SARIF output, and documentation
New files:
- LICENSE: MIT license
- CHANGELOG.md: Initial changelog with all features
- CONTRIBUTING.md: Contribution guidelines
composer.json enhancements:
- Add version, keywords, homepage, support URLs
- Add authors section
- Add require-dev for PHPUnit
README.md updates:
- Update repository URLs to security-linter/php-laravel
- Update Docker image references
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add message translations for LaravelSecurityRule:
- laravel.mass_assignment: Model without $fillable/$guarded
- laravel.mass_assignment_all: Using $request->all()
- laravel.raw_sql: Raw SQL without bindings
- laravel.db_raw: DB::raw() with variables
- laravel.csrf_missing: Form without @csrf
- laravel.file_validation: Extensions only validation
- laravel.route_auth: Sensitive route without auth
- laravel.route_throttle: Auth route without throttle
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New LaravelSecurityRule detects:
- Mass Assignment: Models without $fillable/$guarded
- Mass Assignment: Model::create($request->all())
- SQL Injection: DB::raw() with variables
- SQL Injection: whereRaw/selectRaw without bindings
- CSRF: Forms without @csrf directive
- File Upload: Validation with extensions only (no mimes)
- Auth Middleware: Sensitive routes without auth
- Rate Limiting: Auth routes without throttle
All detections include Japanese and English messages with
specific remediation recommendations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- XSS: Fix script tag detection regex to not cross tag boundaries
Previously {!! !!} in HTML between <script> tags was incorrectly
flagged as JavaScript context XSS
- Credentials: Change from key-pattern matching to value-based analysis
- Add looksLikeActualCredential() to analyze if value looks like
a real credential (alphanumeric, no spaces, no non-ASCII)
- Skip display text (Japanese, sentences with spaces)
- Skip placeholder values (changeme, your_*_here, etc.)
- This fundamentally fixes false positives like:
'password_reset_mail_subject' => 'パスワードリセットのご案内'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Instead of checking for specific patterns like nl2br(e($var)),
now checks if e(), htmlspecialchars(), or htmlentities() appears
anywhere in the expression.
This covers more use cases:
- {!! e($var) !!}
- {!! nl2br(e($var)) !!}
- {!! wordwrap(e($var), 80) !!}
- {!! str_replace('x', 'y', e($var)) !!}
Still flags expressions with escape-breaking functions:
- {!! html_entity_decode(e($var)) !!} -> flagged
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The pattern nl2br(e($var)) is safe because:
1. e() / htmlspecialchars() escapes HTML entities first
2. nl2br() then adds <br> tags for newlines
3. {!! !!} is required to render the <br> tags
This is a common Laravel pattern for displaying user text
with preserved line breaks while preventing XSS.
Also added nl2br(htmlspecialchars()) and nl2br(htmlentities())
as equivalent safe patterns.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
URL helper functions (route, url, asset, secure_url, secure_asset,
action, mix, vite) return URL strings, not HTML. Using {!! !!} with
these is safe and often necessary to avoid & being encoded as &
Added these to the safe patterns in isSafeBladeRawOutput().
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Skip XSS detection for:
- Safe URL helpers: route(), url(), asset(), secure_asset(),
secure_url(), static_url(), action(), mix(), vite()
- Null coalesce with safe helpers: $var ?? url(...)
- Model ID patterns: $model->id (typically safe integers)
These patterns are unlikely to be user-controllable and create
noise that obscures real vulnerabilities.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When options that require values (e.g., -s, -f) are followed by
another flag (e.g., -s -c), the parser set them to boolean true
instead of their expected string value, causing TypeError.
Now these options properly fall back to defaults when no value
is provided.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
