Target: 40% → 100% Completion
Vision: Production-Ready PHP Security Analysis & Hardening Tool

What exists today (the 40%):
- AST: Comprehensive PHP 8.x AST with modern features (attributes, enums, match, etc.)
- Parser: Megaparsec-based PHP parser (basic structures working)
- Security Analysis: Extensive vulnerability detection
  - SQL injection, XSS, CSRF, command injection
  - Path traversal, unsafe deserialization
  - Weak crypto (with modern recommendations: SHA3-256/BLAKE3)
  - Hardcoded secrets detection
  - Dangerous function flagging
- Transform/Sanitize: WordPress-specific security transformations
  - Output escaping (esc_html, esc_attr, etc.)
  - Input sanitization detection
  - SQL preparation wrapping
  - Superglobal sanitization
  - Exit after redirect
- WordPress: WordPress-specific constraint checking
- Core Modules: Config, Report, Ruleset (exist but need verification)

Still missing (the remaining 60%):
- Parser: Needs full PHP 8.x expression/statement coverage
- Emit: PHP code generation from AST (critical for transformations)
- Taint Analysis: Data flow tracking needs completion
- Type Inference: PHP type system inference engine
- Dead Code: Unused code detection
- CLI: Production-ready command-line interface
- Testing: Comprehensive test suite
- Documentation: User guide, API docs, examples
Priority: CRITICAL - Nothing works without a complete parser
- Expression parsing completion
  - Match expressions (PHP 8.0) ✓
  - Null coalescing assignment (??=) ✓
  - Spread operator in arrays ✓
  - Arrow functions with attributes ✓
  - Ternary and elvis operators ✓
  - Method calls and property access (including nullsafe) ✓
- Statement parsing completion
  - Try/catch with multiple exception types ✓
  - Switch/match comprehensive coverage ✓
  - Declare directives (ticks, encoding) ✓
  - Global, static, unset statements ✓
- Modern PHP 8.x features
  - Readonly classes (PHP 8.2) ✓
  - DNF types (PHP 8.2), e.g. (A&B)|(C&D) ✓
  - Constants in traits ✓
  - Attributes on all declarations ✓
  - Interface and enum parsing ✓
  - Constructor property promotion ✓
- Robustness (deferred to Phase 5)
  - Better error recovery (don't fail on a single parse error)
  - Preserve whitespace/comments as metadata (for code generation)
  - Line/column tracking for all nodes (partially done)
Priority: CRITICAL - Required for all transformations
- Pretty printer from AST
  - Generate readable PHP code ✓
  - All statements (match, try/catch, declare, global, static, unset) ✓
  - All expressions (closures, arrow functions, yield, throw) ✓
  - All declarations (interface, trait, enum, functions, classes) ✓
  - Attributes on all declarations ✓
  - DNF types with proper parenthesization ✓
  - Constructor property promotion ✓
- Transformation output (deferred to Phase 4)
  - Apply transform passes to AST
  - Emit modified code
  - Diff generation (show what changed)
- Code style enforcement (deferred to Phase 4)
  - PSR-12 compliance option
  - WordPress coding standards option
  - Configurable brace style, spacing
Priority: HIGH - Enables automatic type hint addition
- Basic type inference
  - Infer return types from function bodies
  - Infer parameter types from usage
  - Propagate types through assignments
- WordPress type inference
  - Recognize WordPress function signatures
  - Hook parameter type inference
  - WP_Query, WP_Post type awareness
- Generics awareness
  - Array element-type (array<T>) inference
  - Collection type tracking
Priority: HIGH - Critical for security analysis accuracy
- Data flow graph
  - Build control flow graph
  - Track tainted data propagation
  - Source → Sink analysis
- Taint sources
  - Superglobals ($_GET, $_POST, $_COOKIE, etc.)
  - Database query results (tainted or trusted depending on the configured trust context; stored XSS comes from trusting them blindly)
  - Input-reading functions (file_get_contents('php://input'), etc.)
- Sanitizer recognition
  - WordPress sanitization and escaping functions (sanitize_*, esc_*, $wpdb->prepare())
  - PHP filter functions (filter_var, filter_input)
  - Custom sanitizer patterns
  - Sanitizers are context-specific: esc_html() clears the HTML sink only, $wpdb->prepare() the SQL sink only
- Sinks
  - SQL queries, shell commands
  - File operations, eval
  - Output (echo, print)
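Worked example, added here and not taken from sanctify (whose implementation is Haskell): a context-sensitive source → sanitizer → sink pass written in Python over constructed PHP lines. The sanitizer table, the sink patterns and the sample input are assumptions made for the illustration. The point it demonstrates is that taint is a set of sink contexts, not a boolean: esc_html() removes only the HTML context, $wpdb->prepare() only the SQL context, and an integer cast removes all of them.

```python
import re

# Constructed tables for this example; sanctify's real ruleset is not shown on the page.
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")
ALL_CONTEXTS = frozenset({"html", "sql", "shell"})

# Sanitizer -> sink contexts it makes a value safe for. Context matters:
# esc_html() does nothing for SQL, $wpdb->prepare() does nothing for HTML.
SANITIZERS = {
    "absint": ALL_CONTEXTS, "intval": ALL_CONTEXTS,
    "esc_html": {"html"}, "esc_attr": {"html"},
    "escapeshellarg": {"shell"},
    "$wpdb->prepare": {"sql"},
    "sanitize_text_field": set(),  # strips tags; not an output escape for any sink
}

# (context, regex capturing the expression that reaches the sink)
SINKS = [
    ("html", re.compile(r"^\s*(?:echo|print)\b(.*);")),
    ("sql", re.compile(r"\$wpdb->query\((.*)\);")),
    ("shell", re.compile(r"\b(?:exec|shell_exec|system|passthru)\((.*)\);")),
]
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);\s*$")
CALL = re.compile(r"^([\w$>-]+)\((.*)\)$")
VAR = re.compile(r"\$\w+")


def split_concat(expr):
    """Split on top-level '.' (PHP concatenation), ignoring dots inside quotes or parentheses."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in expr:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "." and depth == 0:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def expr_taint(expr, env):
    """Return the set of sink contexts for which this expression is still tainted."""
    parts = split_concat(expr)
    if len(parts) > 1:
        return set().union(*(expr_taint(p, env) for p in parts))
    expr = expr.strip()
    m = CALL.match(expr)
    if m and m.group(1) in SANITIZERS:
        return expr_taint(m.group(2), env) - SANITIZERS[m.group(1)]
    taint = set()
    if any(sg in expr for sg in SUPERGLOBALS):
        taint |= ALL_CONTEXTS          # raw user input is unsafe everywhere
    for var in VAR.findall(expr):      # "...$id..." interpolation is treated like a plain use
        taint |= env.get(var, set())
    return taint


def analyze(php_lines):
    """Forward pass: assignments update the taint environment, sinks are checked against it."""
    env, findings = {}, []
    for lineno, line in enumerate(php_lines, 1):
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = expr_taint(m.group(2), env)
            continue
        for context, sink in SINKS:
            s = sink.search(line)
            if s and context in expr_taint(s.group(1), env):
                findings.append((lineno, context, line.strip()))
    return findings


# Constructed sample: one statement per line, straight-line code, no branches.
SAMPLE = [
    '$id = $_GET["id"];',
    '$safe = absint($id);',
    'echo $id;',                                                        # tainted -> html
    'echo esc_html($id);',                                              # escaped for html
    '$wpdb->query("SELECT * FROM wp_posts WHERE ID = $id");',           # tainted -> sql
    '$wpdb->query($wpdb->prepare("SELECT * FROM wp_posts WHERE ID = %d", $id));',
    '$wpdb->query("DELETE FROM wp_posts WHERE ID = $safe");',           # absint() cleared sql
    'system("ls " . $id);',                                             # tainted -> shell
    'system("ls " . escapeshellarg($id));',                             # escaped for shell
]

if __name__ == "__main__":
    for lineno, context, text in analyze(SAMPLE):
        print(f"line {lineno}: tainted data reaches {context} sink: {text}")
```

This deliberately models only straight-line code; branches, function calls and array element tracking are what the control flow graph item above adds on top of it.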
Priority: MEDIUM - Differentiator for WP developers
- Hook analysis
  - Detect priority conflicts
  - Find missing/misplaced hooks
  - Identify wrong hook usage
- Capability checking
  - Find missing current_user_can() checks
  - Detect privilege escalation risks
  - Admin vs frontend context
- Nonce verification
  - Comprehensive CSRF detection
  - Find form submissions without nonces
  - AJAX handler nonce checking (check_ajax_referer() in wp_ajax_* handlers)
- Database query analysis
  - $wpdb->prepare() compliance
  - Direct SQL detection
  - Table prefix usage
- Internationalization
  - Find untranslated strings
  - Detect missing text domains
  - Check escaping+translation combos (esc_html__(), esc_attr_e(), etc.)
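Worked example for the capability and AJAX nonce items above, added here and not part of sanctify: a Python check that pairs every add_action('wp_ajax_*', 'handler') registration with the handler body and reports handlers lacking a nonce check or, for logged-in handlers, a current_user_can() call. The regexes, the brace-matching body extraction and the sample plugin are assumptions for the illustration; string callbacks only, closures and array callbacks are not resolved.

```python
import re

# Constructed patterns; sanctify's own WordPress rules are not shown on the page.
REGISTER = re.compile(r"add_action\(\s*'(wp_ajax_(nopriv_)?\w+)'\s*,\s*'(\w+)'\s*\)")
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{")
NONCE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP = re.compile(r"\bcurrent_user_can\s*\(")


def function_bodies(src):
    """Map function name -> body text by brace matching (braces inside strings/comments are not special-cased)."""
    bodies = {}
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies


def audit_ajax_handlers(src):
    """Every wp_ajax_* handler needs a nonce check; logged-in (non-nopriv) handlers also need a
    capability check. wp_ajax_nopriv_* handlers serve anonymous users, so current_user_can()
    would be meaningless there and only the missing nonce is reported."""
    bodies = function_bodies(src)
    findings = []
    for hook, nopriv, handler in REGISTER.findall(src):
        body = bodies.get(handler)
        if body is None:
            findings.append((hook, handler, "handler not defined in this file"))
            continue
        if not NONCE.search(body):
            findings.append((hook, handler, "no nonce verification"))
        if not nopriv and not CAP.search(body):
            findings.append((hook, handler, "no capability check"))
    return findings


# Constructed sample plugin: one correct handler, one CSRF-safe but unauthorised, one with nothing.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_sanctify_delete', 'sanctify_delete' );
add_action( 'wp_ajax_sanctify_export', 'sanctify_export' );
add_action( 'wp_ajax_nopriv_sanctify_track', 'sanctify_track' );

function sanctify_delete() {
	check_ajax_referer( 'sanctify_delete', 'nonce' );
	if ( ! current_user_can( 'delete_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	wp_delete_post( absint( $_POST['id'] ) );
	wp_send_json_success();
}

function sanctify_export() {
	check_ajax_referer( 'sanctify_export', 'nonce' );   // CSRF covered, but any logged-in user may export
	echo wp_json_encode( sanctify_collect_everything() );
	wp_die();
}

function sanctify_track() {
	update_option( 'sanctify_last_visit', sanitize_text_field( $_POST['page'] ) );  // no nonce at all
	wp_die();
}
"""

if __name__ == "__main__":
    for hook, handler, problem in audit_ajax_handlers(SAMPLE_PHP):
        print(f"{hook} -> {handler}(): {problem}")
```

The subscriber-level export handler is the case worth noticing: it passes a pure CSRF check yet is still a privilege escalation, which is why the two checks are reported separately.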
Priority: HIGH - Beyond basic OWASP
- Time-of-check-time-of-use (TOCTOU)
  - File operation race conditions (file_exists()/is_writable() followed by a separate open or write)
  - Permission check bypasses
- Regular expression DoS (ReDoS)
  - Detect catastrophic backtracking patterns (nested unbounded quantifiers, overlapping alternation)
  - Flag unsafe regex in preg_* functions, especially when applied to user-supplied input
- Server-Side Request Forgery (SSRF)
  - wp_remote_get()/wp_remote_post() with user-controlled URLs
  - file_get_contents()/curl with user-controlled URLs
- XML External Entity (XXE)
  - simplexml_load_*()/DOMDocument::loadXML() called with LIBXML_NOENT or LIBXML_DTDLOAD (libxml_disable_entity_loader() is deprecated since PHP 8.0 and external entity loading is already off by default with libxml 2.9+, so the check should flag the options that turn it back on)
- Insecure direct object references
  - Missing ownership checks on database queries
  - User ID manipulation detection
- Mass assignment vulnerabilities
  - Unvalidated array assignments to models (e.g. a whole $_POST array passed into wp_update_post())
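Worked example for the ReDoS items above, added here and not sanctify's code: a static heuristic in Python that extracts single-quoted pattern literals from preg_* calls and flags two classic catastrophic-backtracking shapes, a group with an unbounded quantifier inside that is itself unbounded ((\w+\s?)*) and an unbounded group whose alternatives start with the same token ((,|,\s)+). The preg_* sink list, the pattern walker's simplifications (no lookbehind, no double-quoted literals) and the sample plugin lines are assumptions for the illustration.

```python
import re

# preg_* sinks whose first argument is a single-quoted pattern literal (constructed list;
# double-quoted literals would need PHP escape processing first and are skipped here).
PREG_CALL = re.compile(r"\bpreg_(?:match_all|match|replace_callback|replace|split)\(\s*'([^']*)'")


def strip_delimiters(literal):
    """'/(a+)+$/i' -> '(a+)+$': the PCRE delimiter is the first char, modifiers follow the closing one."""
    opener = literal[0]
    closer = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(opener, opener)
    end = literal.rfind(closer)
    return literal[1:end] if end > 0 else literal


def unbounded_quantifier_at(p, i):
    """True if p[i:] starts with +, * or {n,} (a bounded {n,m} cannot blow up on its own)."""
    if i < len(p) and p[i] in "+*":
        return True
    if i < len(p) and p[i] == "{":
        j = p.find("}", i)
        return j != -1 and p[i + 1:j].endswith(",")
    return False


def is_redos_suspect(p):
    """Flag (X+)+ style nesting and (a|ab)* style overlapping alternation under an unbounded quantifier."""
    groups = []  # per open group: inner unbounded quantifier seen, first token of each alternative
    i = 0

    def atom(token, width):
        nonlocal i
        if groups and groups[-1]["first"] is None and groups[-1]["fresh"]:
            groups[-1]["first"] = token
        if groups:
            groups[-1]["fresh"] = False
        i += width
        if groups and unbounded_quantifier_at(p, i):
            groups[-1]["quant"] = True

    while i < len(p):
        ch = p[i]
        if ch == "\\":
            atom(p[i:i + 2], 2)
        elif ch == "[":                       # character class: one atom, may start with ^ and ]
            j = i + 1 + (p[i + 1:i + 2] == "^")
            j += p[j:j + 1] == "]"
            while j < len(p) and p[j] != "]":
                j += 2 if p[j] == "\\" else 1
            atom(p[i:j + 1], j + 1 - i)
        elif ch == "(":
            if groups:
                groups[-1]["fresh"] = False   # nested group as first atom: no overlap info
            groups.append({"quant": False, "alts": [], "first": None, "fresh": True})
            i += 1
            if p.startswith("?", i):          # (?:..) (?=..) (?!..) (?<name>..) (?P<name>..); lookbehind not modelled
                i = p.index(">", i) + 1 if p[i + 1:i + 2] in ("<", "P") and ">" in p[i:] else i + 2
        elif ch == ")":
            g = groups.pop() if groups else {"quant": False, "alts": [], "first": None}
            g["alts"].append(g["first"])
            i += 1
            quantified = unbounded_quantifier_at(p, i)
            firsts = [t for t in g["alts"] if t is not None]
            overlap = len(firsts) > 1 and (len(set(firsts)) < len(firsts) or "." in firsts)
            if quantified and (g["quant"] or overlap):
                return True
            if groups and (quantified or g["quant"]):
                groups[-1]["quant"] = True    # an unbounded repeat inside counts for the parent
        elif ch == "|":
            if groups:
                groups[-1]["alts"].append(groups[-1]["first"])
                groups[-1]["first"], groups[-1]["fresh"] = None, True
            i += 1
        elif ch == "{":                       # the repeat itself was accounted for by atom()
            j = p.find("}", i)
            i = j + 1 if j != -1 else i + 1
        elif ch in "^$+*?":                   # anchors and quantifier characters
            i += 1
        else:
            atom(ch, 1)
    return False


def scan_php(src):
    """Return (line number, pattern) for every preg_* pattern literal that looks ReDoS-prone."""
    return [(n, strip_delimiters(lit)) for n, line in enumerate(src.splitlines(), 1)
            for lit in PREG_CALL.findall(line) if is_redos_suspect(strip_delimiters(lit))]


# Constructed sample: lines 2 and 5 are the problem patterns, 3 and 4 are fine.
SAMPLE_PHP = r"""<?php
if ( preg_match( '/^(\w+\s?)*$/', $_POST['name'] ) ) { $ok = true; }
$clean = preg_replace( '/[^a-z0-9_-]/i', '', $slug );
if ( preg_match( '/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/i', $email ) ) { $ok = true; }
$parts = preg_split( '/(,|,\s)+/', $csv );
"""

if __name__ == "__main__":
    for lineno, pattern in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: possible catastrophic backtracking in {pattern}")
```

A heuristic like this trades recall for speed: a full check needs NFA ambiguity analysis, and PCRE's pcre.backtrack_limit only turns the hang into a failed match, which callers rarely test for.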
Priority: HIGH - User-facing interface
- Command improvements
  - `sanctify analyze` - full analysis with report ✓
  - `sanctify fix --interactive` - interactive fixing with previews ✓
  - `sanctify fix --diff` - show unified diff of changes ✓
  - `sanctify --watch` - watch mode for development ✓
- Output formats
  - JSON (machine-readable) ✓
  - SARIF (GitHub/GitLab integration) ✓
  - HTML (rich visualization) ✓
  - Terminal (text output) ✓
- Filtering & targeting
  - `--severity=high,critical` - filter by severity ✓
  - `--type=sql,xss` - filter by vulnerability type ✓
  - `--in-place` - apply fixes to files ✓
  - `--verbose` - detailed output ✓
- Performance (deferred to Phase 6)
  - Parallel file processing
  - Incremental analysis (only changed files)
  - Result caching
  - `.sanctifyignore` support
Priority: MEDIUM - DevOps integration
- CI/CD integration
  - Exit codes for CI failure (non-zero when findings meet the configured severity threshold)
  - GitHub Actions integration
  - GitLab CI templates
  - Pre-commit hooks
- IDE integration preparation
  - Language Server Protocol (LSP) foundations
  - JSON-RPC interface
  - Real-time analysis hooks
- Configuration export
  - php.ini hardening recommendations
  - nginx/Apache security headers
  - Guix/Nix package definitions
  - Docker security options
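Worked example covering the SARIF output format and the CI exit-code item, added here and not sanctify's reporter: a Python writer that turns a constructed findings list into a minimal SARIF 2.1.0 document and a severity-threshold exit code. The findings shape, the rule ids and the security-severity mapping are assumptions for the illustration (the numeric security-severity property is the optional hint GitHub code scanning uses to bucket alerts).

```python
import json

# Constructed findings in the shape this example expects (not sanctify's internal record type).
FINDINGS = [
    {"rule": "wp/sql-injection", "severity": "high", "file": "includes/query.php", "line": 42,
     "message": "Unprepared SQL built from $_GET reaches $wpdb->query()"},
    {"rule": "php/xss", "severity": "medium", "file": "templates/list.php", "line": 17,
     "message": "Unescaped variable echoed into HTML"},
    {"rule": "wp/missing-nonce", "severity": "medium", "file": "admin/ajax.php", "line": 8,
     "message": "AJAX handler has no nonce verification"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
# Assumed mapping onto GitHub's optional numeric security-severity rule property.
SECURITY_SEVERITY = {"low": "3.0", "medium": "5.0", "high": "7.5", "critical": "9.5"}


def to_sarif(findings, tool_name="sanctify", version="0.1.0"):
    """Build a SARIF 2.1.0 log: one rule entry per distinct rule id, one result per finding."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["message"]},
            "properties": {"security-severity": SECURITY_SEVERITY[f["severity"]]},
        })
        results.append({
            "ruleId": f["rule"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},   # repo-relative path, as CI uploaders expect
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }


def exit_code(findings, fail_on="high"):
    """0 = pass, 1 = at least one finding at or above the threshold (the CI gate)."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


if __name__ == "__main__":
    import sys
    json.dump(to_sarif(FINDINGS), sys.stdout, indent=2)
    sys.exit(exit_code(FINDINGS, fail_on="high"))
```

Keeping the threshold separate from the report lets a pipeline upload every finding for visibility while only failing the build on the severities the team has agreed to block on.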
Priority: MEDIUM - Visibility and tracking
- Comprehensive reports
  - Executive summary
  - Trend analysis (compare with previous scans)
  - Remediation guidance with code examples
  - Risk scoring
- Metrics & dashboards
  - Security score calculation
  - Issue distribution (by type, severity, file)
  - Fix effort estimation
  - Progress tracking
Priority: HIGH - Save developer time
- Safe auto-fixes (low-risk, applied by default)
  - Add declare(strict_types=1) (this changes scalar coercion for every call made from that file and can surface TypeErrors at runtime, so show it in the preview and run the test suite afterwards)
  - Add ABSPATH check to WP files
  - Convert rand() → random_int() (only two-argument rand($min, $max) calls can be rewritten mechanically; random_int() has no zero-argument form and throws when no entropy source is available, so a bare rand() is reported for manual review)
  - Add exit after wp_redirect()
  - Fix missing text domains in i18n functions
  - Add
- Semi-automatic fixes (suggest with preview)
  - Wrap superglobals with sanitizers
  - Wrap the SQL passed to $wpdb->query() in $wpdb->prepare() with placeholders ($wpdb->prepare() only builds the query string; it does not execute it)
  - Add nonce verification scaffolding
  - Wrap echo with the escaper for its output context (esc_html() in HTML text, esc_attr() in attributes, esc_url() in href/src)
- Type hint addition
  - Infer and add parameter types
  - Infer and add return types
  - Add property types
- Modernization
  - Convert old array() → []
  - Convert isset() chains → null coalescing
  - Convert create_function() → closures
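Worked example for the safe auto-fix list above, added here and not sanctify's transform pass (which works on the AST, not on text): a Python line-level fixer that applies three of the listed fixes (ABSPATH guard, two-argument rand() → random_int(), exit after wp_redirect()), emits the unified diff the fix --diff item describes, and reports the bare rand() calls it refuses to touch. The regexes, the WordPress-style formatting and the sample plugin are assumptions for the illustration.

```python
import re
import difflib

RAND_TWO_ARGS = re.compile(r"\brand\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)")
RAND_NO_ARGS = re.compile(r"\b(?:mt_)?rand\(\s*\)")
REDIRECT = re.compile(r"^\s*wp_(?:safe_)?redirect\(.*\);\s*$")
TERMINATOR = re.compile(r"^\s*(?:exit|die)\b")
ABSPATH_GUARD = "if ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}"


def apply_safe_fixes(src):
    """Return (fixed source, unified diff, 1-based line numbers that need a human)."""
    lines = src.splitlines()
    has_guard = any("ABSPATH" in line for line in lines)
    out, review = [], []
    for idx, line in enumerate(lines):
        if RAND_NO_ARGS.search(line):
            review.append(idx + 1)       # rand() with no range has no random_int() equivalent
        line = RAND_TWO_ARGS.sub(r"random_int( \1, \2 )", line)
        out.append(line)
        if idx == 0 and line.strip() == "<?php" and not has_guard:
            out.append(ABSPATH_GUARD)    # direct-access guard right after the opening tag
        if REDIRECT.match(line):
            following = next((l for l in lines[idx + 1:] if l.strip()), "")
            if not TERMINATOR.match(following):
                indent = re.match(r"\s*", line).group(0)
                out.append(indent + "exit;")   # stop execution after the redirect header
    fixed = "\n".join(out) + "\n"
    diff = "".join(difflib.unified_diff(src.splitlines(True), fixed.splitlines(True),
                                        "a/plugin.php", "b/plugin.php"))
    return fixed, diff, review


# Constructed sample plugin: tabs for indentation, WordPress style.
SAMPLE = """<?php
function sanctify_demo_redirect() {
\t$token = rand( 100000, 999999 );
\t$seed  = rand();
\twp_redirect( home_url( '/?t=' . $token ) );
}
"""

if __name__ == "__main__":
    fixed, diff, review = apply_safe_fixes(SAMPLE)
    print(diff)
    for lineno in review:
        print(f"line {lineno}: rand() without a range, rewrite by hand")
```

Running the fixer over its own output changes nothing, which is the transform idempotence property a test suite should assert for every automatic fix.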
Priority: MEDIUM - Beyond security
- PSR compliance
  - Naming conventions
  - File organization
  - Docblock generation
- WordPress standards
  - Yoda conditions
  - Brace style
  - Hook documentation
Priority: HIGH - Ensure reliability
- Unit tests
  - Parser tests (golden files)
  - Analysis tests (vulnerability detection)
  - Transform tests (before/after)
- Integration tests
  - Full WordPress plugin analysis
  - Real-world vulnerability detection
  - Fix application verification
- Property-based testing
  - Parser round-trip (parse → emit → parse)
  - Transform idempotence
Priority: MEDIUM - User success
- User guide
  - Installation (Cabal, Stack, Nix, binaries)
  - Quick start tutorial
  - Configuration guide
  - Workflow examples
- Rule documentation
  - Security check reference
  - Transform catalog
  - WordPress-specific rules
- API documentation
  - Haddock coverage
  - Library usage examples
  - Extension guide
Priority: LOW - Cutting edge, experimental
- Pattern learning
  - Learn safe patterns from codebase
  - Reduce false positives
  - Suggest fixes based on codebase style
- Anomaly detection
  - Find unusual code patterns
  - Detect obfuscated malware
Priority: LOW - Extensibility
- Custom rule engine
  - DSL for defining custom checks
  - Custom transformation passes
  - Project-specific rules
- Plugin architecture
  - Load external analysis modules
  - Custom sanitizer definitions
  - Framework-specific analyzers (Laravel, Symfony, etc.)
| Phase | Hours | Completion Gain | Target % |
|---|---|---|---|
| Current | - | - | 40% |
| Phase 1: Core Completion | 8-12 | +25% | 65% |
| Phase 2: Advanced Analysis | 8-10 | +15% | 80% |
| Phase 3: Production CLI | 6-8 | +10% | 90% |
| Phase 4: Advanced Transforms | 6-8 | +5% | 95% |
| Phase 5: Testing & Docs | 4-6 | +5% | 100% |
| TOTAL | 32-44h | +60% | 100% |
Critical Path (to 80%):
- Complete Parser (4h)
- Complete Emit (4h)
- Complete Type Inference (3h)
- Complete Taint Tracking (4h)
- WordPress Deep Analysis (3h)
- Enhanced CLI (4h)
- Automatic Fixes (5h)
Total Critical Path: 27h