Nits + BC correctness fixes from 5.x audit (followup to #1072)#1073
Merged
Conversation
Small, fully backwards-compatible corrections collected from the same audit pass that produced PR #1072: * CredentialsHelper: swap the click handler from `this.innerHTML = this.title` to `this.textContent = this.title` so a credential URL that ever carries HTML-looking bytes cannot render live HTML when revealed. * ToolbarController::clearCache: bail with `NotFoundException` when the posted cache engine name is not configured, instead of returning 200 with `success: false`. The 200/false case was the only way for the endpoint to silently misreport failure. * RequestPanel: collect the GET payload via `$request->getQueryParams()` instead of `$_GET` so the panel reflects the request as middleware sees it. * Templates: escape `$pluginName` in routes_panel, escape the file path in request_panel's "headers already sent" warning, guard `end($timers)` in timer_panel against an empty array, and replace `extract($package)` in packages_panel with explicit destructuring so a future composer.lock schema key cannot clobber template locals. * DebugKitTransport: override the parent `send()` return-type docblock with the actual shape (assoc headers array + text/html parts split) so static analysis stops papering over the LSP gap, and reject construction without a valid `debugKitLog` ArrayObject up front with a clear InvalidArgumentException rather than a downstream TypeError. * ToolbarService::saveData: move `restore_error_handler()` into a `finally` block guarded by an `$handlerInstalled` flag, and narrow the captured error mask to `E_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE` so non-serialization warnings raised during `serialize()` aren't misreported as panel-serialization failures. * Drop the now-stale DebugKitTransport return-type entry from the PHPStan baseline. Tests added: CredentialsHelper data provider updated for the new onclick; ToolbarControllerTest gains an unknown-engine 404 case; DebugKitTransportTest gains two constructor-rejection cases (missing key, wrong type).
The DebugKitTransport::send() docblock override resolved the InvalidReturnStatement Psalm was suppressing; CI on PR #1073 flagged it as UnusedBaselineEntry. Drop it from the baseline.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Followup to #1072 -- the rest of the small, fully BC items from the same 5.x audit pass, bundled together.
Nits
CredentialsHelper::filter()-- click handler swapped fromthis.innerHTML = this.titletothis.textContent = this.title. A credential URL whose userinfo portion ever decodes to HTML cannot render live markup when the asterisks are revealed.ToolbarController::clearCache()-- if the posted engine name is not configured, throwNotFoundExceptioninstead of replying200 / success: false. The 200/false combo was the only path where the endpoint silently misreported failure.RequestPanel-- collect the GET payload via$request->getQueryParams()instead of$_GETso the panel reflects the request as middleware sees it, consistent with how thequerykey is already collected one line above.$pluginNameinroutes_panel, escape the file path inrequest_panel's "headers already sent" warning, guardend($timers)against an empty timers array intimer_panel, and replaceextract($package)inpackages_panelwith explicit destructuring so a future composer.lock schema key cannot clobber template locals.BC correctness
DebugKitTransport::send()-- override the parent return-type docblock with the actual shape (assoc headers array + text/html message split). Runtime return value is unchanged; this just stops static analysis from papering over the LSP gap and lets the PHPStan baseline entry be removed.DebugKitTransport::__construct()-- reject construction without a validdebugKitLogArrayObjectup front withInvalidArgumentException. Today the missing-key path fatals with a downstreamTypeErroron the property assignment; this gives a clear, actionable message instead.ToolbarService::saveData()-- moverestore_error_handler()into afinallyblock (guarded by an$handlerInstalledflag so it can't pop a handler that was never installed), and narrow the captured error mask toE_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE. Previously any warning raised during theserialize()call, including ones from unrelated userland code touched during serialization, was mis-reported as a panel-serialization failure.Baseline
Removes the now-stale DebugKitTransport return-type entry from
phpstan-baseline.neon.Tests added:
CredentialsHelperdata provider updated for the new onclick;ToolbarControllerTestgains an unknown-engine 404 case;DebugKitTransportTestgains two constructor-rejection cases (missing key, wrong type).