shopwarelabs/phpstan-shopware

Composer install command:

composer require shopwarelabs/phpstan-shopware

Package description

PhpStan Rules for Shopware

README

This package provides additional PHPStan rules for Shopware 6 projects. It helps developers catch common mistakes and enforce best practices specific to Shopware development.

Installation

You can install the package via composer:

composer require --dev shopwarelabs/phpstan-shopware

Usage

To use these rules, include the package's configuration file in your PHPStan configuration:

includes:
    - vendor/shopwarelabs/phpstan-shopware/rules.neon

Alternatively, use the PHPStan Extension Installer.

Features

  • Custom rules for patterns specific to Shopware 6.5
  • Improved type inference for Shopware core classes
  • Additional checks for common Shopware development pitfalls

Available Rules

Here's a comprehensive list of all available rules:

  1. NoSuperglobalsRule: Prevents usage of superglobals ($_GET, $_POST, $_FILES, $_REQUEST). Use proper request objects instead.

  2. DisallowFunctionsRule: Prevents usage of certain disallowed functions in the codebase.

  3. NoEntityRepositoryInLoopRule: Prevents EntityRepository method calls within loops to avoid N+1 query problems.

  4. NoSessionInPaymentHandlerAndStoreApiRule: Prevents usage of session in payment handlers and Store API contexts.

  5. NoSymfonySessionInConstructorRule: Prevents injection of Symfony Session in constructor to avoid early session starts.

  6. ForbidGlobBraceRule: Prevents usage of glob brace expansion for better cross-platform compatibility.

  7. InternalClassExtendsRule: Ensures proper extension of internal classes.

  8. NoUserEntityGetStoreTokenRule: Prevents direct access to store tokens from User entities.

  9. MethodBecomesAbstractRule: Checks for methods that should be abstract.

  10. ClassExtendUsesAbstractClassWhenExisting: Enforces the use of abstract classes when they exist.

  11. NoDALFilterByID: Prevents direct ID filtering in DAL queries.

  12. ScheduledTaskTooLowIntervalRule: Ensures scheduled tasks don't have too low intervals.

  13. DisallowDefaultContextCreation: Prevents creation of default contexts in inappropriate places.

  14. SetForeignKeyRule: Enforces proper foreign key handling.

  15. InternalFunctionCallRule: Controls usage of internal functions.

  16. InternalMethodCallRule: Controls usage of internal methods.

  17. DisallowSessionFunctionsRule: Prevents usage of session functions (session_write_close, session_start, session_destroy). Use the Symfony Session component instead.

  18. ForbidLocalDiskWriteRule: Prevents local disk write operations (file_put_contents, fopen with write mode, mkdir, unlink, etc.). Use the temporary directory or Flysystem instead.

  19. ForwardSalesChannelContextToSystemConfigServiceRule: Ensures that when a method has a SalesChannelContext parameter, it is forwarded to SystemConfigService methods as the salesChannelId argument.

  20. ForbidPredictableSaltRule: Prevents hardcoded salts in crypt() and password_hash() calls, which are predictable and weaken security.

  21. ForbidWeakCryptoKeyRule: Prevents weak cryptographic key sizes in openssl_pkey_new() calls. RSA keys must be at least 2048 bits.

  22. ForbidInsecureCookieRule: Prevents setting cookies without the secure flag in setcookie() and setrawcookie() calls. Cookies should use secure=true for HTTPS-only transmission.

  23. ForbidInsecureSymfonyCookieRule: Prevents creating Symfony Cookie objects without explicit secure=true. Detects new Cookie(...), Cookie::create(...), and ->withSecure(false) calls. The $secure parameter must be explicitly set to true for HTTPS-only transmission.

  24. ForbidDisabledSslVerificationRule: Prevents disabling SSL/TLS certificate verification in curl_setopt() and stream_context_create() calls, which allows man-in-the-middle attacks.

  25. NoEmptyResponseRule: Detects Response class/subclass instantiations with empty or missing body content. Checks classes where the first constructor parameter represents the response body (e.g. Response, JsonResponse, JsonApiResponse) and allows empty bodies for status codes like 204, 301, 302, 304, 307, and 308.
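
To make the security-related rules concrete, here is an added example (not code from the package or its README) that puts the patterns described for rules 20, 21, 22 and 24 next to compliant equivalents. The file, function names and values are constructed, and which exact call shapes each rule matches is an assumption based on the descriptions above.

```php
<?php
declare(strict_types=1);

// Constructed sample; which call shapes each rule matches is assumed from the README descriptions.

/** Patterns that rules 20, 21, 22 and 24 are described as reporting. */
function flagged(string $password): array
{
    // ForbidPredictableSaltRule: the salt is a literal, so it is identical for every user.
    $hash = crypt($password, '$2y$10$ConstructedSaltExample');

    // ForbidWeakCryptoKeyRule: RSA key below 2048 bits.
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 1024,
    ]);

    // ForbidInsecureCookieRule: no secure flag, so the cookie is also sent over plain HTTP.
    setcookie('theme', 'dark', ['httponly' => true]);

    // ForbidDisabledSslVerificationRule: certificate checks switched off.
    $ch = curl_init('https://api.example.test/');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $ctx = stream_context_create(['ssl' => ['verify_peer' => false]]);

    return [$hash, $key, $ch, $ctx];
}

/** The same operations written so those rule descriptions are satisfied. */
function compliant(string $password): array
{
    // password_hash() generates a fresh random salt on every call.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 3072,
    ]);

    setcookie('theme', 'dark', ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

    // Peer and host name verification left on (these are also the defaults).
    $ch = curl_init('https://api.example.test/');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);

    return [$hash, $key, $ch, $ctx];
}
```

With rules.neon included, analysing this file with PHPStan is expected to report findings only inside flagged().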

Configuration

You can customize the behavior of these rules by adding configuration to your phpstan.neon file. See the configuration section for more details.

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for details.

License

The MIT License (MIT). Please see License File for more information.

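Statistics

  • Total downloads: 56.3k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 10
  • Clicks: 9
  • Dependent projects: 8
  • Recommendations: 0

GitHub information

  • Stars: 10
  • Watchers: 6
  • Forks: 5
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2024-10-04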
