Add new tests.

Yousha · Yousha · commit d20459d41fbc · 2025-10-15T15:56:56.000+03:30
diff --git a/tests/Integration/LinterIntegrationTest.php b/tests/Integration/LinterIntegrationTest.php
@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yousha\PhpSecurityLinter\Integration;
+
+use PHPUnit\Framework\TestCase;
+use Yousha\PhpSecurityLinter\Linter;
+use Yousha\PhpSecurityLinter\Exceptions\LinterException;
+
+/**
+ * Integration Test for the Linter class.
+ *
+ * This test uses actual file operations and rule sets to verify the Linter's
+ * behavior without relying on mocks.
+ */
+final class LinterIntegrationTest extends TestCase
+{
+    private const string FIXTURES_DIR = __DIR__ . '/../fixtures/project_to_scan';
+
+    /**
+     * Set up a temporary directory structure for testing.
+     */
+    protected function setUp(): void
+    {
+        // 1. Create the fixture directory
+        if (!is_dir(self::FIXTURES_DIR)) {
+            mkdir(self::FIXTURES_DIR, 0o777, true);
+        }
+
+        // 2. Create files with known issues and non-issues
+
+        // File 1: Contains an OWASP-002 (Command Injection) and CIS-003 (Directory Traversal)
+        file_put_contents(self::FIXTURES_DIR . '/bad_code.php', <<<PHP
+            <?php
+            // OWASP-002: OS Command Injection risk
+            \$cmd = 'ls ' . \$_GET['dir'];
+            shell_exec(\$cmd);
+
+            // CIS-003: Directory traversal vulnerability
+            \$file = \$_GET['f'];
+            include_once __DIR__ . '/../../views/' . \$file . '.php'; // Traversal check with /../../
+            ?>
+            PHP);
+
+        // File 2: Contains a harmless file that should not trigger any rule
+        file_put_contents(self::FIXTURES_DIR . '/clean_code.php', <<<PHP
+            <?php
+            declare(strict_types=1);
+            class Clean {
+                public function safeMethod(string \$data): bool {
+                    return password_verify(\$data, 'hash');
+                }
+            }
+            ?>
+            PHP);
+
+        // 3. Create a subdirectory with an ignored file
+        mkdir(self::FIXTURES_DIR . '/sub_dir', 0o777, true);
+        file_put_contents(self::FIXTURES_DIR . '/sub_dir/ignored_file.txt', 'This should be ignored.');
+
+        // 4. Create a default excluded directory (e.g., vendor)
+        mkdir(self::FIXTURES_DIR . '/vendor', 0o777, true);
+        file_put_contents(self::FIXTURES_DIR . '/vendor/autoload.php', '<?php // vendor code');
+    }
+
+    /**
+     * Clean up the temporary directory structure after tests.
+     */
+    protected function tearDown(): void
+    {
+        $this->removeDirectory(self::FIXTURES_DIR);
+    }
+
+    /**
+     * Helper to recursively remove a directory.
+     */
+    private function removeDirectory(string $dir): void
+    {
+        if (!is_dir($dir)) {
+            return;
+        }
+
+        $files = array_diff(scandir($dir), ['.', '..']);
+        foreach ($files as $file) {
+            (is_dir(sprintf('%s/%s', $dir, $file))) ? $this->removeDirectory(sprintf('%s/%s', $dir, $file)) : unlink(sprintf('%s/%s', $dir, $file));
+        }
+
+        rmdir($dir);
+    }
+
+    /**
+     * Test that the hardcoded 'vendor' exclusion works.
+     */
+    public function testDefaultVendorExclusion(): void
+    {
+        // The Linter's scan method relies on bin/php-sl.php to inject 'vendor' and '.git'
+        // into the $exclude array. Since we are testing Linter directly, we must manually
+        // pass the default exclusions.
+
+        $defaultExclusions = ['vendor', '.git'];
+        $linter = new Linter();
+        $results = $linter->scan(self::FIXTURES_DIR, $defaultExclusions);
+
+        // Check the total scanned count. It should only count bad_code.php and clean_code.php
+        // (The vendor directory is ignored, the sub_dir/ignored_file.txt is ignored because it's not .php)
+        $this->assertArrayHasKey('_meta', $results);
+
+        // Assert that the file inside 'vendor' was not counted
+        $this->assertSame(2, $results['_meta']['scanned_count']);
+    }
+
+    /**
+     * Test Linter throws LinterException for non-existent path.
+     */
+    public function testScanThrowsExceptionForNonExistentPath(): void
+    {
+        $linter = new Linter();
+        $this->expectException(LinterException::class);
+        $this->expectExceptionMessage('Path does not exist:');
+
+        $linter->scan('/non/existent/path/for/linter/test');
+    }
+}
diff --git a/tests/Unit/Rules/CisRulesTest.php b/tests/Unit/Rules/CisRulesTest.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yousha\PhpSecurityLinter\Unit\Rules;
+
+use PHPUnit\Framework\TestCase;
+use Yousha\PhpSecurityLinter\Rules\CisRules;
+
+final class CisRulesTest extends TestCase
+{
+    private array $rules;
+
+    protected function setUp(): void
+    {
+        $this->rules = CisRules::getRules();
+    }
+
+    /**
+     * Test that the rules array is correctly structured and not empty.
+     */
+    public function testRulesArrayStructure(): void
+    {
+        $this->assertIsArray($this->rules);
+        $this->assertNotEmpty($this->rules);
+
+        foreach ($this->rules as $rule) {
+            $this->assertArrayHasKey('id', $rule);
+            $this->assertIsString($rule['id']);
+            $this->assertStringStartsWith('CIS-', $rule['id']);
+
+            $this->assertArrayHasKey('severity', $rule);
+            $this->assertIsString($rule['severity']);
+
+            $this->assertArrayHasKey('message', $rule);
+            $this->assertIsString($rule['message']);
+
+            $this->assertArrayHasKey('pattern', $rule);
+            $this->assertIsString($rule['pattern']);
+        }
+    }
+
+    /**
+     * Data provider for vulnerable and clean code snippets for each CIS rule.
+     * * The array structure is: [rule_id, vulnerable_code, clean_code]
+     */
+    public static function ruleDataProvider(): array
+    {
+        return [
+            // CIS-001: Direct call to dangerous function detected
+            ['CIS-001', '<?php eval($code); system("ls");', '<?php if (true) { /* no exec */ }'],
+
+            // CIS-002: Error reporting exposes stack traces
+            ['CIS-002', '<?php display_errors(true);', '<?php ini_set("display_errors", "Off");'],
+
+            // CIS-003: Directory traversal vulnerability
+            ['CIS-003', '<?php include(__DIR__ . "/../../config.php");', '<?php require_once("config.php");'],
+
+            // CIS-004: Unsafe temporary file creation
+            ['CIS-004', '<?php $tmp = tempnam("/tmp", "prefix");', '<?php $safe = sys_get_temp_dir();'],
+
+            // CIS-005: Session fixation possible
+            ['CIS-005', '<?php session_start(); $_SESSION["user"] = 1;', '<?php session_start(); session_regenerate_id(true);'],
+
+            // CIS-006: Weak hash function detected
+            ['CIS-006', '<?php $hash = md5($password);', '<?php $hash = password_hash($password, PASSWORD_DEFAULT);'],
+
+            // CIS-007: Hardcoded encryption keys
+            ['CIS-007', '<?php $key = "a1b2c3d4e5f6g7h8i9j0";', '<?php $key = $_ENV["SECRET_KEY"];'],
+
+            // CIS-008: Raw SQL with user input
+            ['CIS-008', '<?php mysqli_query($db, "SELECT * FROM users WHERE id=" . $_GET["id"]);', '<?php $stmt->execute([$id]);'],
+
+            // CIS-009: Unvalidated redirect
+            ['CIS-009', '<?php header("Location: " . $_POST["url"]);', '<?php header("Location: /dashboard");'],
+
+            // CIS-011: Dangerous use of extract() with user input
+            ['CIS-011', '<?php extract($_REQUEST);', '<?php extract($data, EXTR_SKIP);'],
+
+            // CIS-010: SSL verification disabled
+            ['CIS-010', '<?php curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);', '<?php curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);'],
+        ];
+    }
+}
diff --git a/tests/Unit/Rules/OwaspRulesTest.php b/tests/Unit/Rules/OwaspRulesTest.php
@@ -0,0 +1,162 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yousha\PhpSecurityLinter\Tests\Unit\Rules;
+
+use PHPUnit\Framework\TestCase;
+use Yousha\PhpSecurityLinter\Rules\OwaspRules;
+
+final class OwaspRulesTest extends TestCase
+{
+    private array $rules;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->rules = OwaspRules::getRules();
+    }
+
+    public function ruleDataProvider(): array
+    {
+        $rules = OwaspRules::getRules();
+        $data = [];
+        foreach ($rules as $rule) {
+            // Extract the ID from the message
+            $idMatch = [];
+            preg_match('/^(OWASP-[A-Z0-9-]+):/', (string) $rule['message'], $idMatch);
+            $id = $idMatch[1] ?? 'unknown';
+            $data[] = [$rule, $id];
+        }
+
+        return $data;
+    }
+
+    public function testOwaspA07WeakPasswordHashPattern(): void
+    {
+        $pattern = null;
+        foreach ($this->rules as $rule) {
+            if (str_starts_with((string) $rule['message'], 'OWASP-A07:')) {
+                $pattern = $rule['pattern'];
+                break;
+            }
+        }
+
+        $this->assertNotNull($pattern, 'OWASP-A07 (Weak Hash) rule not found');
+
+        $vulnerableCode1 = '<?php $hash = hash("md5", $password); ?>';
+        $vulnerableCode2 = '<?php $hash = hash("sha1", $data); ?>';
+        $vulnerableCode3 = '<?php $hash = hash("md2", $input); ?>';
+        $vulnerableCode4 = '<?php $hash = hash("md4", $input); ?>';
+        $vulnerableCode5 = '<?php $hash = hash("sha224", $input); ?>';
+
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode1);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode2);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode3);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode4);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode5);
+
+        $safeCode1 = '<?php $hash = hash("sha256", $password); ?>';
+        $safeCode2 = '<?php $hash = hash("sha512", $data); ?>';
+        $safeCode3 = '<?php $hash = password_hash($password, PASSWORD_DEFAULT); ?>';
+
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode1);
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode2);
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode3);
+    }
+
+    public function testOwaspA08InsecureDeserializationUnserializePattern(): void
+    {
+        $pattern = null;
+        foreach ($this->rules as $rule) {
+            if (str_starts_with((string) $rule['message'], 'OWASP-A08:')) {
+                if (str_contains((string) $rule['message'], 'unserialize')) {
+                    $pattern = $rule['pattern'];
+                    break;
+                }
+            }
+        }
+
+        $this->assertNotNull($pattern, 'OWASP-A08 (unserialize) rule not found');
+
+        $vulnerableCode1 = '<?php $data = unserialize($_GET["obj"]); ?>';
+        $vulnerableCode2 = '<?php $data = unserialize($_POST["data"]); ?>';
+        $vulnerableCode3 = '<?php $data = unserialize($_REQUEST["input"]); ?>';
+        $vulnerableCode4 = '<?php $data = unserialize($_COOKIE["stored"]); ?>';
+
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode1);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode2);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode3);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode4);
+
+        // Safe code should not match
+        $safeCode1 = '<?php $data = unserialize($trustedData); ?>'; // Variable, not $_GET/POST
+        $safeCode2 = '<?php $data = unserialize("a:1:{s:5:\"hello\";s:5:\"world\";}"); ?>'; // Hardcoded string
+
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode1);
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode2);
+    }
+
+    public function testOwaspA10SsrFPattern(): void
+    {
+        $pattern = null;
+        foreach ($this->rules as $rule) {
+            if (str_starts_with((string) $rule['message'], 'OWASP-A10:')) {
+                $pattern = $rule['pattern'];
+                break;
+            }
+        }
+
+        $this->assertNotNull($pattern, 'OWASP-A10 rule not found');
+
+        $vulnerableCode1 = '<?php $content = file_get_contents($_GET["url"]); ?>';
+        $vulnerableCode2 = '<?php $fp = fopen($_POST["resource"], "r"); ?>';
+        $vulnerableCode3 = '<?php $ch = curl_init($_REQUEST["endpoint"]); ?>';
+        $vulnerableCode4 = '<?php $fp = fsockopen($_GET["host"], 80); ?>';
+        $vulnerableCode5 = '<?php $fp = stream_socket_client("tcp://" . $_POST["address"] . ":80"); ?>';
+
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode1);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode2);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode3);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode4);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode5);
+
+        // Safe code should not match
+        $safeCode1 = '<?php $content = file_get_contents("https://api.example.com/data"); ?>'; // Hardcoded URL
+        $safeCode2 = '<?php $fp = fopen($validatedUrl, "r"); ?>'; // Variable, not $_GET/POST
+
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode1);
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode2);
+    }
+
+    public function testOwaspA07ReflectedXssPattern(): void
+    {
+        $pattern = null;
+        foreach ($this->rules as $rule) {
+            if (str_starts_with((string) $rule['message'], 'OWASP-A07:')) {
+                if (str_contains((string) $rule['message'], 'Reflected XSS')) {
+                    $pattern = $rule['pattern'];
+                    break;
+                }
+            }
+        }
+
+        $this->assertNotNull($pattern, 'OWASP-A07 (Reflected XSS) rule not found');
+
+        $vulnerableCode1 = '<?php echo $_GET["name"]; ?>';
+        $vulnerableCode2 = '<?php echo $_POST["comment"]; ?>';
+        $vulnerableCode3 = '<?php echo $_REQUEST["input"]; ?>';
+        $vulnerableCode4 = '<?php echo $_COOKIE["username"]; ?>';
+
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode1);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode2);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode3);
+        $this->assertMatchesRegularExpression($pattern, $vulnerableCode4);
+
+        // Safe code should not match (or might need more specific pattern)
+        $safeCode1 = '<?php echo htmlspecialchars($_GET["name"]); ?>'; // Output is sanitized
+
+        $safeCode2 = '<?php echo $safeVariable; ?>'; // Variable, not $_GET/POST
+        $this->assertDoesNotMatchRegularExpression($pattern, $safeCode2);
+    }
+}
