Files

Yutaka Kurosaki 208227b77e Prepare for OSS release v0.0.1

Version updates:
- Set version to 0.0.1 across all files
- Update CLI banner, SARIF output, and documentation

New files:
- LICENSE: MIT license
- CHANGELOG.md: Initial changelog with all features
- CONTRIBUTING.md: Contribution guidelines

composer.json enhancements:
- Add version, keywords, homepage, support URLs
- Add authors section
- Add require-dev for PHPUnit

README.md updates:
- Update repository URLs to security-linter/php-laravel
- Update Docker image references

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-02 11:57:18 +09:00

2.2 KiB

Raw Blame History

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.0.1 - 2024-01-31

Added

Core Features

Recursive taint analysis for tracking user input through function calls
Multi-language support (Japanese/English)
Syntax highlighting in terminal output
Multiple output formats: text, JSON, HTML, SARIF, Markdown
Docker support for easy deployment
Configuration file support (.security-lint.json)

Vulnerability Detection

XSS (Cross-Site Scripting)

Blade {!! !!} raw output detection
JavaScript context XSS
Event handler attribute XSS
URL context XSS (javascript: URLs)
Style injection
Template injection
Escape bypass function detection
Dangerous hardcoded HTML detection

SQL Injection

Laravel Query Builder raw methods
PDO/MySQLi direct queries
String concatenation in queries
Sanitizer bypass detection

Command Injection

Shell execution functions (exec, shell_exec, system, etc.)
Code execution functions (eval, create_function, etc.)
Dynamic file includes
Symfony Process usage

Path Traversal

File operation functions
Laravel Storage operations
File download/upload

Authentication Security

Weak hash algorithms (MD5, SHA1)
Hardcoded credentials detection
Timing-vulnerable comparisons

CSRF/Session Security

Missing CSRF tokens
Insecure session configuration
Session fixation

Configuration Security

Debug output (phpinfo, var_dump, dd)
Insecure unserialize
Sensitive information logging

Laravel-Specific Security

Mass Assignment (missing $fillable/$guarded)
Raw SQL injection (DB::raw, whereRaw without bindings)
CSRF protection (forms without @csrf)
File upload validation (extensions-only without mimes)
Route authentication middleware
Rate limiting for auth routes

Security

Safe pattern recognition for Laravel helpers (route(), url(), action())
Value-based credential detection to reduce false positives
Escape function recognition (htmlspecialchars, e(), etc.)

2.2 KiB Raw Blame History