glpi-project
diff --git a/‎.github/workflows/security-scan.yml‎
Lines changed: 50 additions & 0 deletions b/‎.github/workflows/security-scan.yml‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 5 additions & 0 deletions b/‎Makefile‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎ajax/asset/assetdefinition.php‎
Lines changed: 8 additions & 1 deletion b/‎ajax/asset/assetdefinition.php‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎ajax/dashboard.php‎
Lines changed: 8 additions & 1 deletion b/‎ajax/dashboard.php‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎ajax/getDropdownNumber.php‎
Lines changed: 7 additions & 1 deletion b/‎ajax/getDropdownNumber.php‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎ajax/getDropdownUsers.php‎
Lines changed: 7 additions & 1 deletion b/‎ajax/getDropdownUsers.php‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎ajax/getDropdownValue.php‎
Lines changed: 7 additions & 1 deletion b/‎ajax/getDropdownValue.php‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎composer.json‎
Lines changed: 2 additions & 1 deletion b/‎composer.json‎
Lines changed: 2 additions & 1 deletion
@@ -0,0 +1,50 @@
+name: "Security scan"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  security-scan:
+    name: "Security scan"
+    runs-on: "ubuntu-latest"
+    env:
+      COMPOSE_FILE: ".github/actions/docker-compose-app.yml"
+      APPLICATION_ROOT: "${{ github.workspace }}"
+      PHP_IMAGE: "githubactions-php-apache:8.4"
+      UPDATE_FILES_ACL: true
+    steps:
+      - name: "Set env"
+        run: |
+          echo "APP_CONTAINER_HOME=${{ runner.temp }}/app_home" >> $GITHUB_ENV
+      - name: "Checkout"
+        uses: "actions/checkout@v4"
+      - name: "Restore dependencies cache"
+        uses: actions/cache@v4
+        with:
+          path: |
+            ${{ env.APP_CONTAINER_HOME }}/.composer/cache/
+            ${{ env.APP_CONTAINER_HOME }}/.npm/_cacache/
+          key: "app_home_deps-${{ matrix.php-version }}-${{ hashFiles('composer.lock', 'package-lock.json') }}"
+          restore-keys: |
+            app_home_deps-${{ matrix.php-version }}-
+            app_home_deps-
+      - name: "Initialize containers"
+        run: |
+          .github/actions/init_containers-start.sh
+      - name: "Show versions"
+        run: |
+          .github/actions/init_show-versions.sh
+      - name: "Build dependencies / translations"
+        run: |
+          docker compose exec -T app .github/actions/init_build.sh
+      - name: "Psalm security scan"
+        run: |
+          docker compose exec -T app vendor/bin/psalm --long-progress --output-format=github
@@ -149,6 +149,11 @@ phpstan-generate-baseline: c=--generate-baseline=.phpstan-baseline.php analyze
 phpstan-generate-baseline: phpstan
 .PHONY: phpstan-generate-baseline
 
+psalm: ## Run psalm analysis
+	@$(eval c ?=)
+	@$(PHP) php vendor/bin/psalm $(c)
+.PHONY: psalm
+
 ## —— Coding standards —————————————————————————————————————————————————————————
 phpcsfixer-check: ## Check for php coding standards issues
 	@$(PHP) vendor/bin/php-cs-fixer check --diff -vvv
 
@@ -54,10 +54,17 @@
         $v['id'] = $k;
         $field_results[] = $v;
     }
-    echo json_encode([
+
+    /**
+     * Safe JSON response.
+     * @psalm-taint-escape has_quotes
+     */
+    $response = json_encode([
         'results' => $field_results,
         'count' => count($all_fields),
     ], JSON_THROW_ON_ERROR);
+
+    echo $response;
     return;
 } elseif ($_REQUEST['action'] === 'get_core_field_editor') {
     header("Content-Type: text/html; charset=UTF-8");
 
@@ -151,7 +151,14 @@
             throw new AccessDeniedHttpException();
         }
 
-        echo $dashboard->getFilter(); // `Dashboard::getFilter()` already returns a JSON encoded string.
+        /**
+         * `Dashboard::getFilter()` already returns a JSON encoded string.
+         *
+         * @psalm-taint-escape has_quotes
+         */
+        $filter = $dashboard->getFilter();
+
+        echo $filter;
         return;
 }
 
 
@@ -40,4 +40,10 @@
 header("Content-Type: application/json; charset=UTF-8");
 Html::header_nocache();
 
-echo Dropdown::getDropdownNumber($_POST);
+/**
+ * Safe JSON response.
+ * @psalm-taint-escape has_quotes
+ */
+$response = Dropdown::getDropdownNumber($_POST, json: true);
+
+echo $response;
@@ -40,4 +40,10 @@
 header("Content-Type: application/json; charset=UTF-8");
 Html::header_nocache();
 
-echo Dropdown::getDropdownUsers($_POST);
+/**
+ * Safe JSON response.
+ * @psalm-taint-escape has_quotes
+ */
+$response = Dropdown::getDropdownUsers($_POST, json: true);
+
+echo $response;
@@ -40,4 +40,10 @@
 header("Content-Type: application/json; charset=UTF-8");
 Html::header_nocache();
 
-echo Dropdown::getDropdownValue($_POST);
+/**
+ * Safe JSON response.
+ * @psalm-taint-escape has_quotes
+ */
+$response = Dropdown::getDropdownValue($_POST, json: true);
+
+echo $response;
@@ -124,7 +124,8 @@
         "symfony/twig-bundle": "^6.4",
         "symfony/var-dumper": "^6.4",
         "symfony/web-profiler-bundle": "^6.4",
-        "thecodingmachine/phpstan-safe-rule": "^1.4"
+        "thecodingmachine/phpstan-safe-rule": "^1.4",
+        "vimeo/psalm": "^6.13"
     },
     "provide": {
         "ext-sodium": "*"
Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,14 @@`
`151`	`151`	`throw new AccessDeniedHttpException();`
`152`	`152`	`}`
`153`	`153`
`154`		- echo $dashboard->getFilter(); // `Dashboard::getFilter()` already returns a JSON encoded string.
	`154`	`+ /**`
	`155`	+ * `Dashboard::getFilter()` already returns a JSON encoded string.
	`156`	`+ *`
	`157`	`+ * @psalm-taint-escape has_quotes`
	`158`	`+ */`
	`159`	`+ $filter = $dashboard->getFilter();`
	`160`	`+`
	`161`	`+ echo $filter;`
`155`	`162`	`return;`
`156`	`163`	`}`
`157`	`164`