PHP: Add extractor and initial queries#21062
Pull request overview
This PR adds an initial PHP extractor and query support to the CodeQL repository. The implementation includes a Rust-based tree-sitter extractor, database schema generation, basic security queries, and minimal taint tracking capabilities. The author notes this is a minimal viable product (MVP) submission, with another more complete implementation by @drmckay also in progress.
Key changes:
- Tree-sitter-based PHP extractor written in Rust
- Auto-generated database schema and TreeSitter.qll library
- Three initial security queries: DangerousBuiltinCall, TaintedDangerousBuiltinCall, and AssertWithStringArgument
- Basic taint analysis and security modeling for PHP superglobals
Reviewed changes
Copilot reviewed 54 out of 57 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| php/tools/.sh, php/tools/.cmd | Shell and batch scripts for test execution and file indexing |
| php/scripts/create-extractor-pack.sh | Build script for creating the extractor pack |
| php/ql/test/query-tests/Security/* | Test cases and expected results for security queries |
| php/ql/src/Security/*.ql | Three security queries for dangerous builtins and assert misuse |
| php/ql/lib/codeql/php/security/*.qll | Basic security modeling (sources, sinks, taint) |
| php/ql/lib/codeql/php/ast/*.qll | Call abstraction library and TreeSitter wrapper |
| php/extractor/src/*.rs | Rust extractor implementation (main, generator, extractor, autobuilder) |
| php/extractor/Cargo.toml | Rust dependencies configuration |
| php/**/BUILD.bazel | Bazel build configuration files |
| .github/workflows/php.yml | CI workflow for PHP extractor and tests |
| misc/bazel/3rdparty/* | Third-party dependency configuration for tree-sitter-php |
Working on #12376
Just as I'm opening the pull request, I see that @drmckay has just opened another one for the same thing, and much more complete!
(I'm just adding it in case my work is of any use to him)
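To make the three queries named in the review summary (DangerousBuiltinCall, TaintedDangerousBuiltinCall, AssertWithStringArgument) concrete, here is a small PHP file showing the code patterns such queries are designed to surface, each beside a hardened form. This is an added illustration, not code from this PR or from the CodeQL project; the page does not say which builtins the PR actually models, so `system()` and `assert()` are assumed here, and the `$_GET` keys and the `generate-report` command are constructed for the example.

```php
<?php
// Added illustration (not from the PR): patterns that taint-tracking queries
// for PHP superglobals typically flag, next to their hardened equivalents.
// Which builtins the PR treats as dangerous is not stated on the page;
// system() and assert() are assumed here.

// --- DangerousBuiltinCall / TaintedDangerousBuiltinCall -------------------

// Vulnerable: a value from a superglobal (taint source) reaches a
// command-executing builtin (sink) with no validation in between.
function runReportUnsafe(): void
{
    $name = $_GET['report'];                // constructed example input key
    system('generate-report ' . $name);     // sink: shell command injection
}

// Hardened: the value is checked against a fixed allow-list before use, so
// nothing attacker-controlled is interpolated into the command. The
// escapeshellarg() call is defence in depth for the already-validated value.
function runReportSafe(): void
{
    $allowed = ['daily', 'weekly', 'monthly'];
    $name = $_GET['report'] ?? '';
    if (!in_array($name, $allowed, true)) {
        http_response_code(400);
        return;
    }
    system('generate-report ' . escapeshellarg($name));
}

// --- AssertWithStringArgument ---------------------------------------------

// Vulnerable: before PHP 8.0 a string passed to assert() was evaluated as
// PHP code (deprecated in 7.2, removed in 8.0), so interpolating request
// data into that string turns assert() into an eval() sink.
function checkRoleUnsafe(string $role): void
{
    assert("'" . $_GET['role'] . "' === '" . $role . "'");
}

// Hardened: pass a boolean expression, not a string. Nothing is evaluated as
// code, and the comparison is performed on the values themselves.
function checkRoleSafe(string $role): void
{
    assert(($_GET['role'] ?? null) === $role);
}
```

The detection value of the taint-tracking variant over the plain builtin check is visible in `runReportSafe()`: the sink is the same `system()` call, but because the argument is confined to an allow-list (a sanitiser step in taint terms), a query that tracks flow from `$_GET` to the sink should report only the unsafe function, whereas a query that merely matches calls to `system()` would report both.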