Rule Idea: UriSigner check result is used and not used as a void method

[alexander-schranz]

I currently did stumble today over some issue in my code base which I think would be interesting for every project. I have a controller which used the UriSigner to check for a correclty signed Uri.

    public function acceptAction(Request $request): Response
    {
        $this->uriSigner->checkRequest($request);

Actually the UriSigner itself does not throw any exception. So calling it without do anything basically is a Security issue in some projects.

Valid cases would be:

// write the result atleast in a variable
$isValid = $this->uriSigner->checkRequest($request);

// usage in a if statement
if (!$this->uriSigner->checkRequest($request)) {
    throw new AccessDeniedHttpException('The given uri is not valid.');
}

// usage in complex if statements
if (!$this->uriSigner->checkRequest($request) && !$request->attributes->getBoolean('simulate')) {
    throw new AccessDeniedHttpException('The given uri is not valid.');
}

// usage in method calls
$this->validate($this->uriSigner->checkRequest($request));

Invalid would be calling it like a void method:

$this->uriSigner->checkRequest($request);

I'm not sure maybe if there already exist some kind of annotations we could add to the Symfony UriSigner that the result need to be handled and the method not be used like a void method.

[ondrejmirtes]

Try putting @phpstan-pure above it. You can do it in a stub file.

[alexander-schranz]

Thx will give it a try :) https://github.com/symfony/symfony/pull/54297