Integration of Security Rules into ECS
Problem
The Easy Coding Standard (ECS) currently lacks dedicated security rules for analyzing PHP code, which can allow the introduction of insecure patterns and common vulnerabilities into the code.
Proposal
Add and configure recommended security rules in the ecs.php file, using sniffs such as those from PHPCS Security Audit, so that ECS identifies and reports insecure practices such as the use of dangerous functions, missing output escaping, and lack of input validation, among others.
Examples of relevant rules
- Prohibition of dangerous functions (eval, backticks, system execution functions)
- Mandatory data input validation
- Correct use of escapes in outputs
- Prohibition of unsafe file manipulation functions
- Detection of unsafe headers (e.g., CORS)
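As an added illustration (not code from the ticket or the linked PR), an ecs.php that wires PHPCS Security Audit sniffs into ECS to cover the rule categories listed above. The sniff class names and the PHPCS_SecurityAudit\Security namespace are assumed from the phpcs-security-audit package and are version-dependent; check them against the installed package before use.

```php
<?php

declare(strict_types=1);

use PHPCS_SecurityAudit\Security\Sniffs\BadFunctions\BackticksSniff;
use PHPCS_SecurityAudit\Security\Sniffs\BadFunctions\EasyXSSSniff;
use PHPCS_SecurityAudit\Security\Sniffs\BadFunctions\FilesystemFunctionsSniff;
use PHPCS_SecurityAudit\Security\Sniffs\BadFunctions\NoEvalsSniff;
use PHPCS_SecurityAudit\Security\Sniffs\BadFunctions\SystemExecFunctionsSniff;
use PHPCS_SecurityAudit\Security\Sniffs\Misc\BadCorsHeaderSniff;
use Symplify\EasyCodingStandard\Config\ECSConfig;

// Assumed class names: taken from the phpcs-security-audit package layout
// (Security/Sniffs/<Group>/<Name>Sniff.php); verify against vendor/.
return ECSConfig::configure()
    ->withPaths([
        __DIR__ . '/src',
        __DIR__ . '/tests',
    ])
    // Security sniffs are grouped separately from style rules so they can be
    // reviewed and updated on their own (maintenance suggestion above).
    ->withRules([
        // Dangerous functions: eval(), backticks, system execution functions
        NoEvalsSniff::class,
        BackticksSniff::class,
        SystemExecFunctionsSniff::class,
        // Unsafe file manipulation (fopen/file_get_contents with tainted input)
        FilesystemFunctionsSniff::class,
        // Output escaping: flags echo/print of request data without escaping
        EasyXSSSniff::class,
        // Unsafe headers: Access-Control-Allow-Origin: *
        BadCorsHeaderSniff::class,
    ]);
```

Run `vendor/bin/ecs check` to report findings alongside the project's existing style rules; the sniffs report at error or warning level according to the package's defaults.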
Maintenance suggestion
Periodically review the security rules configured in ECS, updating them as new known threats and vulnerabilities arise.
Relationship
Relate this ticket to PR https://github.com/php-fast-forward/dev-tools/pull/5/changes, which is implementing the integration of security rules into ECS.
Acceptance criteria
Functional Criteria
- ECS must identify and alert about unsafe PHP code patterns according to the configured rules.
- Security rules must be easily adjustable and documented.
Architectural/Isolation Criteria
- MUST: The core rules must be isolated and easily extensible.
- MUST: The configuration must allow for updates and maintenance without major refactoring.
- MUST: The ECS must remain compatible with other rules already existing in the project.