VSCode plugin does not provide a fully working replacement #614
Comments
Thanks for the report. Definitely a bug. I suspect with the replacement pattern in the rule.
Putting the language server in verbose mode gives the following traces (extracted a single one):
That corresponds to the following rule specification:
I think the definition literally says "Replace $_REQUEST with $_GET" in this case, so the replacement pattern in the rule shouldn't be the problem. I'm thinking it's more in the plugin itself? Looking at the trace message it seems to have the correct cursor range.
So I'm assuming the vscode plugin's replacement logic mixes it up. I'm not set up, nor experienced enough, to build it / run it.
Or (most likely) the createFix function here doesn't work properly, by either getting the wrong value or executing the wrong replacement function here.
I was able to dig into this a bit today and was able to replicate the same behavior using the analyze/fix commands in the DevSkim CLI. For context, the extension acts as a pretty thin wrapper around the language server which uses the same APIs as the CLI to perform analysis and generate fixes. Fixes are generated by this method from a code snippet and rule - even for fixes consumed by the extension: DevSkim/DevSkim-DotNet/Microsoft.DevSkim/DevSkimRuleProcessor.cs Lines 85 to 102 in ba39d7a
The issue appears to be with the DevSkim/rules/default/security/frameworks/php.json Lines 25 to 38 in ba39d7a
Since the RuleProcessor generates fixes using the Regex.Replace API, the replacement text is interpreted by the Regex engine and substitutions are applied. By coincidence, The fix was to update the rule to add an extra
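The substitution behaviour described in the comment above, as an added example that is not DevSkim's own code. It assumes only that a fix is produced by running the rule's replacement text through .NET `Regex.Replace` on the matched snippet; in .NET, `$_` is the substitution token for the whole input string and `$$` is the escape for a literal dollar sign, which the two guarded helpers (hypothetical names) rely on.

```csharp
// Added example, not DevSkim's own code: why a .NET Regex.Replace fix whose
// replacement text is "$_GET" turns the snippet "$_REQUEST" into "$_REQUESTGET",
// and two ways to apply rule replacement text literally instead.
using System;
using System.Text.RegularExpressions;

static class RuleFixDemo
{
    // Hypothetical stand-in for a rule-driven fix: the replacement text is
    // handed to Regex.Replace unchanged, so "$_" is read as a substitution
    // token ("insert the whole input") and "GET" is appended after it.
    public static string ApplyRaw(string snippet, string pattern, string replacement)
        => Regex.Replace(snippet, pattern, replacement);

    // Guarded variant 1: double every '$' so the engine emits it literally;
    // no "$_", "$1", "$&" or "${name}" substitution can fire.
    public static string ApplyLiteral(string snippet, string pattern, string replacement)
        => Regex.Replace(snippet, pattern, replacement.Replace("$", "$$"));

    // Guarded variant 2: a MatchEvaluator returns the text verbatim, so the
    // substitution pass is never run over it at all.
    public static string ApplyEvaluator(string snippet, string pattern, string replacement)
        => Regex.Replace(snippet, pattern, _ => replacement);

    public static void Main()
    {
        // Constructed input mirroring the issue's reproduction: the matched
        // text the fix is generated from, and the rule's replacement text.
        string snippet = "$_REQUEST";
        string pattern = @"\$_REQUEST";   // '$' is an anchor in a pattern, so escape it
        string replacement = "$_GET";     // as written in the rule

        // First line reproduces the bug from the issue; the other two give
        // the intended literal replacement.
        Console.WriteLine(ApplyRaw(snippet, pattern, replacement));
        Console.WriteLine(ApplyLiteral(snippet, pattern, replacement));
        Console.WriteLine(ApplyEvaluator(snippet, pattern, replacement));
    }
}
```

Escaping the replacement text once, at the point where rule JSON is loaded, is the defensive option: it makes every rule author's `$` literal without each rule having to remember the escape.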
Thanks for figuring this out! Seems legit, if I replace it manually in the json on my machine, it works 👍
Thanks @martijn-coolminds for confirming!
* Fix PHP Request Rule Replacements Fix #614.
* Update Changelog.md
Describe the bug
When using the VSCode plugin and triggering a rule, the offered replacement isn't parsed properly.
When DS144886 is triggered for instance, I get a replacement suggestion of +
So: $_REQUEST would need to be replaced with $_GET but the suggestion is $_REQUESTGET (screenshot attached).
I don't think it's the rule itself, but rather a plugin issue?
To Reproduce
Steps to reproduce the behavior:
<?php $_REQUEST['id'] = 1;
Expected behavior
$_GET and $_POST being suggested.
Screenshots
Versions (please complete the following information):