Idea: plugin to warn about improperly comparing hashes (sha1, etc)

TysonAndre / phan

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

Other

0 stars 0 forks source link

Open TysonAndre opened 5 years ago

TysonAndre commented 5 years ago

For hash_file, md5, sha1, etc.

Override the return type in the plugin to be 'fake_hash_value_' . $i
Warn if using != or == instead of ===. Loose inequality has surprising behaviors. (analyze in PostOrder with that plugin)
Separately, suggest using hash_equals for hashes of sensitive information (passwords)