Monday, August 5, 2024

The Pest Plugin Is Now Maintained by JetBrains

You’ve probably heard about the Pest test framework developed by Nuno Maduro and the community. There is also a dedicated PhpStorm plugin for Pest, which until now has been brilliantly developed by Oliver Nybroe. In this post, we’ll talk about how JetBrains is going to maintain the plugin and what that means for the community.

The Pest plugin will be bundled with PhpStorm starting with v2023.3. It will be developed by JetBrains but stay open source.

We want PhpStorm users to get as much use and value out of the box as possible. That’s why we proposed to Oliver Nybroe, the author of the Pest plugin, that we bundle the plugin in the next release of PhpStorm.

Oliver supported this idea, and we came to an agreement to move the plugin repository under the JetBrains organization. Our team will continue the development, but the plugin will remain fully open source.

This means that any developer can still send a pull request or just use the plugin for inspiration and as a basis for their development, while the PhpStorm team will conduct code reviews. The plugin will continue to be distributed under the MIT license.

We have also closed the existing issues on GitHub and suggest using YouTrack, our public issue tracker, instead. Since the plugin will be a part of the IDE, issues and bugs related to it should be reported in the same place as all others for clarity and consistency.

A thank you to Oliver Nybroe 

We sincerely thank Oliver for his dedication and hard work on the Pest plugin and his contributions to the PHP community. His expertise and creativity have been instrumental in making Pest a beloved tool for PHP developers.

Oliver Nybroe, Senior Software Engineer, Copenhagen, Denmark

We’re committed to building upon this foundation to provide developers with the best experience possible. You can expect regular updates, and full-fledged support to simplify your testing processes.

What’s coming for Pest in PhpStorm?

As we assume work on the Pest plugin, our primary goal is to ensure that PHP developers have access to a robust and seamlessly integrated solution for their testing needs.

The PhpStorm team has already implemented a noticeable improvement, which is available in the latest version of the plugin.

Reworked custom expectation support engine

Reworking the engine allowed us to fix technical issues where projects got stuck on closing, and to improve performance.

On top of that, you can now go to a custom expectation declaration and find its usages as expected. Simply Cmd+Click on one or press Cmd+B.

It’s also possible to apply the Rename refactoring to custom expectation declarations, and PhpStorm will automatically rename all occurrences.

This is already available in PhpStorm 2023.2.3 with the latest version of the Pest plugin. To enjoy these new improvements, download the latest plugin version or update to it. Starting with PhpStorm 2023.3, this will be supplied out of the box.

Stay tuned

As we embrace this transition, we are eager to hear your feedback. Your insights, comments, bug reports, and contributions are not only welcome but highly appreciated.

Once again, thanks to Oliver, the Pest community, and PHP developers around the world for their invaluable contributions to this plugin.

Secure Your PHP Code With Taint Analysis

It only takes one user exploiting a vulnerability in your project to breach your system. To defend programs against malicious inputs from external users (known as “taints”), development teams add taint checking to their static analysis routines.

In this year’s first release, the Qodana team has delivered taint analysis for PHP in the EAP. The feature is available only in Qodana for PHP 2023.1 (jetbrains/qodana-php:2023.1-eap). Qodana for PHP was the first linter we released, so we decided to let PHP developers be the first to test our new security functionality, too. We plan on adding more languages in the future, after we’ve collected enough feedback.

Read on to learn more about what taint analysis is and how it works in Qodana. 


What is taint analysis?

A taint is any value that can pose a security risk when controlled by an external user. If your code accepts tainted values and unverified external data can flow across your program, attackers can use the code fragments that consume it to cause SQL injection, arithmetic overflow, cross-site scripting, path traversal, and more. Usually they exploit these vulnerabilities to damage the system, hijack credentials and other data, or change the system’s behavior.

Example of a taint. Arbitrary data from the GET parameter is displayed on the screen. For example, malicious users can exploit this vulnerability to tamper with your program’s layout.  

As an extra layer of defense against malicious inputs, development teams execute taint analysis when they run a security audit on the program’s attack surface. 

Taint analysis is the process of assessing the flow of untrusted user input throughout the body of a function or method. Its core goal is to determine if unanticipated input can affect program execution in malicious ways. 

Taint sources are locations where a program gets access to potentially tainted data. Points where tainted input reaches a security-sensitive operation are called taint sinks. Data is propagated from sources to sinks via function calls or assignments.

If you run taint analysis manually, you should spot all of the places where you accept data from external users and follow each piece of data through the system – the tainted data can be used in dozens of nodes. Then, to prevent taint propagation, you should take one of the two approaches described below:

  1. Sanitize the data, i.e., transform the data into a safe state. In the example below, we removed tags to resolve the taint.
  2. Validate the data, i.e., check that the incoming data conforms to a required pattern. In the example below, we enable validation for the `$email` variable.

In other words, the taint analysis inspection traces user-tainted data from its source to your sinks, and raises the alarm when you work with that data without sanitizing or validating it. 
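To make the vocabulary above concrete, here is an added example (not Qodana's code and not from the original post) of a minimal runtime taint tracker in PHP: a request source wraps its value as tainted, string building propagates the taint, a sink refuses tainted values, and the two ways to clear the taint are the ones the post names, sanitizing (tags removed) and validating (`$email` checked against a pattern). The class and function names, and the `$get` array standing in for a real `$_GET`, are assumptions for this illustration; it needs PHP 8.1 or later.

```php
<?php
// Added example (not Qodana's or the original post's code): a minimal
// runtime taint tracker. Names are assumptions for the illustration.

final class TaintedValue
{
    public function __construct(
        public readonly string $value,
        public readonly bool $tainted,
        public readonly string $origin,
    ) {}

    /** Propagation: a string built from any tainted part is itself tainted. */
    public static function concat(string|TaintedValue ...$parts): self
    {
        $out = '';
        $tainted = false;
        $origin = 'literal';
        foreach ($parts as $p) {
            if ($p instanceof self) {
                $out .= $p->value;
                if ($p->tainted) {
                    $tainted = true;
                    $origin = $p->origin;
                }
            } else {
                $out .= $p;
            }
        }
        return new self($out, $tainted, $origin);
    }
}

/** Taint source: anything read from the request is untrusted. */
function fromGet(array $get, string $key): TaintedValue
{
    return new TaintedValue((string) ($get[$key] ?? ''), true, "\$_GET['$key']");
}

/** Sanitizer: transform to a safe state (tags removed, as in the post's first example). */
function sanitizeHtml(TaintedValue $v): TaintedValue
{
    return new TaintedValue(strip_tags($v->value), false, $v->origin);
}

/** Validator: accept the value only if it matches the required pattern, else null. */
function validateEmail(TaintedValue $v): ?TaintedValue
{
    $clean = filter_var($v->value, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : new TaintedValue($clean, false, $v->origin);
}

/** Sink: output to the page. Refuses tainted data instead of silently printing it. */
function renderSink(TaintedValue $v): string
{
    if ($v->tainted) {
        throw new RuntimeException("taint reaches sink from {$v->origin}");
    }
    return $v->value;
}

// Constructed request data standing in for a real $_GET.
$get = ['name' => '<script>alert(1)</script>Ann', 'email' => 'not an email'];

$name  = fromGet($get, 'name');
$greet = TaintedValue::concat('Hello, ', $name);

try {
    renderSink($greet);                 // unsanitized path: the sink refuses it
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// Sanitized path: the script tag is stripped and the taint is cleared.
echo renderSink(TaintedValue::concat('Hello, ', sanitizeHtml($name))), PHP_EOL;

// Validated path: a value that fails the pattern never reaches the sink.
$email = validateEmail(fromGet($get, 'email'));
echo $email === null ? 'invalid email rejected' : renderSink($email), PHP_EOL;
```

A static analyser such as the Qodana inspection reaches the same verdicts without running the code: it marks `fromGet` as a source, `renderSink` as a sink, and `sanitizeHtml`/`validateEmail` as the points where the taint stops, then reports every path from the former to the latter that misses them.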

How taint analysis works in Qodana

Taint analysis is performed by Qodana for PHP starting from version 2023.1 EAP. This functionality includes an inspection that scans the code and highlights the taint and potential vulnerability, the ability to open the problem in PhpStorm to address it on the spot, and a dataflow graph visualizing the taint flow. 

Example #1. SQL injection 

Let’s take a look at an example of SQL injection and how Qodana detects it:

Here, Qodana shows us the following taints in the system_admin() function:

Markers 1-2: Data from user form input is retrieved from the $_POST global array with no sanitization or validation and is assigned to the variable $edit. This is a taint.

Marker 3: The tainted variable $edit is passed to the system_save_settings function as an argument without any proper sanitization.

Marker 4: Data from the $edit variable is now located in the $edit parameter.

Marker 5: The $edit variable is passed to foreach, which iterates over its $filename keys and $status values. Both variables carry the tainted data from $edit. The $filename key is then concatenated into an SQL string, which propagates the tainted data into an argument passed to db_query.

Marker 6: The $filename key contains the tainted data from the $edit variable concatenated with the string.

Marker 7: The $filename key is concatenated with a tainted SQL string.

Marker 8: The tainted SQL string propagates tainted data into an argument passed to `db_query`.

Let’s now look at the db_query function:

Marker 9: The tainted string will be located in the $query parameter.

Marker 10: This parameter is going to be an argument of the _db_query function.

Let’s move on to the _db_query function:

Marker 11: Tainted data is located in the first parameter, $query, of the _db_query function.

Marker 12: Data of the parameter is passed to the mysql_query function, which is a sink.

The whole data flow above illustrates how data moves from $_POST['edit'] to mysql_query($query) without any sanitization or validation. This allows an attacker to manipulate the SQL query, which was built by concatenating a key of $_POST['edit'], and trigger SQL injection.

Qodana will spot these risks in your codebase along with all nodes where tainted data is used, so you can sanitize all tainted data in a timely manner. 
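As an added example (not the code Qodana analysed in the post), the following PHP reconstructs the shape of the flow just described, form input in `$edit`, a foreach over `$filename` keys, an SQL string built by concatenation, and places the hardened form beside it. The vulnerable function only returns the query strings it would hand to the sink, so the reader can see exactly what would be executed; the hardened function runs against an in-memory SQLite database through PDO so the example works offline. The `system` table, the function names and the constructed `$edit` array are assumptions, and the example assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example, not the code analysed in the post. Table, function names
// and the sample submission are constructed for the illustration.

// Vulnerable shape (markers 5-12 above): the $filename key taken straight
// from the form is concatenated into the query string. Returns the SQL it
// would pass to db_query()/mysql_query() so the taint is visible.
function system_save_settings_vulnerable(array $edit): array
{
    $queries = [];
    foreach ($edit as $filename => $status) {
        $queries[] = "UPDATE system SET status = " . (int) $status
                   . " WHERE filename = '" . $filename . "'"; // sink receives tainted SQL
    }
    return $queries;
}

// Hardened shape: the key is validated against the set of known filenames
// (array keys cannot be bound as parameters, so they get a whitelist) and
// the values go through a prepared statement, so no user data is parsed as SQL.
function system_save_settings_safe(PDO $pdo, array $edit): int
{
    $known = $pdo->query('SELECT filename FROM system')->fetchAll(PDO::FETCH_COLUMN);
    $stmt  = $pdo->prepare('UPDATE system SET status = :status WHERE filename = :filename');
    $updated = 0;
    foreach ($edit as $filename => $status) {
        if (!in_array($filename, $known, true)) {
            continue; // unknown key: the tainted value never reaches the SQL engine
        }
        $stmt->execute([':status' => (int) $status, ':filename' => $filename]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

function statuses(PDO $pdo): array
{
    return $pdo->query('SELECT filename, status FROM system ORDER BY filename')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// In-memory database standing in for the application's settings table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE system (filename TEXT PRIMARY KEY, status INTEGER)');
$pdo->exec("INSERT INTO system VALUES ('modules/node.module', 1), ('modules/blog.module', 0)");

// Constructed form submission standing in for $_POST['edit']: the second key
// is not a filename but SQL that closes the quote and widens the WHERE clause.
$edit = [
    'modules/node.module' => 0,
    "x' OR '1'='1"        => 0,
];

// The tainted key is visible verbatim inside the second query string.
print_r(system_save_settings_vulnerable($edit));

// Only the known module row changes; the unknown key is dropped before the sink.
$changed = system_save_settings_safe($pdo, $edit);
echo "rows updated: $changed", PHP_EOL;
print_r(statuses($pdo));
```

The whitelist on the key is the part that is easy to miss: parameter binding protects values, but a taint that arrives as an array key or column name still has to be validated before it touches the query text.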

Opening the issue in PhpStorm.

Example #2. XSS problem

In the Qodana UI, you can see a graph that visualizes the entire taint flow. Here’s how Qodana visualizes an XSS vulnerability with two sources that are merged at marker 5.

Source 1

Markers 1-2: Data from the searchUpdate.pos file will be read and tainted data will be assigned to the $start variable.

Source 2

Markers 3-4: Data from files whose path is located in $posFile will be read and tainted data will be assigned to the $start variable.

Marker 5: A merged tainted state from all conditional branches in the $start variable will be passed as an argument to the doUpdateSearchIndex method.

Let’s look inside the doUpdateSearchIndex() method:

Markers 6-8: The $start parameter contains tainted data on this dataflow slice and is then passed within a concatenated string as an argument to the `output` method.

Let’s look inside the output method:

Marker 9: Tainted data contained inside the transmitted string will be located in the $out parameter.

Marker 10: Data from the $out parameter is passed to the `print` function without any sanitization. This function is a sink and causes an XSS vulnerability, which can be exploited.

To exploit the vulnerability, an attacker can, for example, upload a shell script instead of the expected files at markers 1 and 2, and will then be able to put any information onto the web page as a result of the unsanitized print function.

Qodana will alert you to this vulnerability and give it a high priority so that you can resolve it as soon as possible and prevent the hack. 
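The following added example (not the code analysed in the post) reduces the XSS flow above to a single class: a resume position is read from a file, travels through `doUpdateSearchIndex` into `output`, and is printed. It shows both defences a static analyser would accept, validating `$start` as a non-negative integer so a file full of markup is rejected outright, and escaping at the output sink so that whatever is printed cannot become markup. The class name, the vulnerable/hardened method pair and the temporary file standing in for searchUpdate.pos are assumptions; both methods return the string instead of printing it so the results can be compared.

```php
<?php
// Added example, not the code analysed in the post. The class and the
// constructed position file are assumptions for the illustration.

final class SearchIndexer
{
    public function __construct(private string $posFile) {}

    /** Sources 1/2 above: the resume position comes from a file whose
     *  contents are externally controllable, so it is treated as tainted. */
    private function readStart(): string
    {
        return is_file($this->posFile) ? (string) file_get_contents($this->posFile) : '0';
    }

    /** Vulnerable: tainted $start is concatenated and handed to the sink unescaped. */
    public function doUpdateSearchIndexVulnerable(): string
    {
        $start = $this->readStart();
        return $this->outputRaw("Starting from page id $start");
    }

    /** Hardened: validate the value (it must be a non-negative integer) and
     *  escape whatever is printed, so data never turns into page markup. */
    public function doUpdateSearchIndex(): string
    {
        $start = filter_var(trim($this->readStart()), FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 0],
        ]);
        if ($start === false) {
            throw new UnexpectedValueException('invalid resume position in ' . $this->posFile);
        }
        return $this->output("Starting from page id $start");
    }

    /** Sink equivalent to print($out) in the post: no encoding at all. */
    private function outputRaw(string $out): string
    {
        return $out . "\n";
    }

    /** Escaping sink: HTML-encodes quotes and angle brackets before output. */
    private function output(string $out): string
    {
        return htmlspecialchars($out, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
    }
}

// Constructed position file standing in for searchUpdate.pos; it holds
// markup rather than the number the code expects.
$posFile = tempnam(sys_get_temp_dir(), 'pos');
file_put_contents($posFile, '<img src=x onerror=alert(1)>');

$indexer = new SearchIndexer($posFile);
echo $indexer->doUpdateSearchIndexVulnerable(); // markup passes through to the page
try {
    echo $indexer->doUpdateSearchIndex();        // validation rejects the non-integer
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}

file_put_contents($posFile, '42');
echo $indexer->doUpdateSearchIndex();            // accepted, then escaped at the sink
unlink($posFile);
```

Validation alone would already stop this particular flow, but the escaping sink is what keeps the method safe when a later change routes a string that is not a number through `output`.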

Wednesday, July 5, 2023

How to extend lifetime of legacy PHP applications

 


PHP is evolving steadily. Every year, there is a major new release containing new features, performance improvements, a fair share of deprecations, and even syntax changes. PHP core developers maintain the two latest PHP versions with active bug fixes and security fixes, followed by a period of security fixes only. This effectively means that each PHP version is supported for at most three years, and existing PHP applications are forced to upgrade.

While updating existing PHP applications is the ideal and recommended approach, inevitably, there are some applications/websites that cannot justify the human, political, and financial cost of the update. This is especially the case for legacy PHP applications that run on PHP 5 series or PHP 7 series. WordPress.org, for example, reports that only 16% of the reported WordPress sites run on a PHP version supported by the PHP core developers.

PHP version distribution, as reported by WordPress.org

Updating a PHP application to be compatible with the latest PHP version spans a wide spectrum of difficulty. This can range from requiring little or no change to what feels like a complete rewrite. PHP applications that were developed over a decade ago pose the biggest challenge because they tend to use PHP extensions that are no longer supported, have no type support, and often have no automated tests to verify the changes either.

Tools such as Rector can automate some, if not most, of the changes necessary, but extremely old PHP versions tend to require a lot of manual code updates.

In some cases, the cost of upgrading is not worth the effort. Examples include internal applications that are only used within a private network, applications that are planned for a rewrite, and applications whose original developers no longer work at the company. Realistically, these applications may never get updated, only eventually replaced.

Because PHP versions receive official updates for only up to three years, applications can be left exposed to security vulnerabilities, which often affect these unmaintained PHP versions as well. PHP Platform-as-a-Service (PaaS) offerings and shared hosting providers also force updating to a recent PHP version, which can leave the applications broken on the new PHP version.

This article discusses strategies for running legacy PHP applications on a secure PHP environment, with additional security precautions and maintenance, thus extending the lifetime of said PHP applications.

The longer a PHP application stays locked to one PHP version, the harder the eventual update becomes. However, squeezing a few more years out of a legacy application until it is replaced is sometimes more realistically viable than updating a decades-old PHP application.

Shared Hosts and Platforms to a Private Server

Most shared and managed hosting platforms and PHP PaaS offerings usually only offer the current PHP versions, but do not support old PHP versions in the long term. This makes absolute sense because the old PHP versions are left unmaintained, and it can compromise the security of their servers in case a vulnerability is discovered that affects these unmaintained PHP versions.

If the hosting provider/PaaS provider no longer supports the required PHP version, it might make sense to shop around for a provider that supports a wide range of PHP versions.

CloudLinux is one of the commercial operating systems that shared/managed hosting providers use on their servers, and those providers likely enable CloudLinux's HardenedPHP feature. With HardenedPHP, CloudLinux backports security fixes to PHP versions even after the official php.net team has marked them as EOL.

Another approach is maintaining a private server/cloud server and configuring it yourself. Maintaining a VPS/Cloud server comes with a maintenance burden, but most operating systems nowadays come with sane defaults, automatic updates, and more to take some of this burden away. However, this server maintenance may not be for everyone.

Debian LTS, Ubuntu LTS, Rocky Linux, and RHEL are a few Linux-based operating systems that provide PHP in their default repositories. They do not receive bug fixes from upstream, but security fixes are backported as applicable.

For example, Ubuntu 20.04 LTS includes PHP 7.4.3 in its default repositories. Ubuntu 20.04 LTS receives hardware and maintenance updates until 2025. PHP 7.4 is currently marked as End-Of-Life by the official php.net team, but the developers behind Ubuntu 20.04 back-port any security patches to the PHP version available in the repository. Non-security bug fixes are not back-ported. This essentially means that the PHP version of Ubuntu 20.04 will remain PHP 7.4.3, but with all the security fixes applied. Ubuntu's paid (free for five personal computers) Ubuntu Pro offering extends this by five additional years, which essentially means it is possible to securely run a PHP 7.4 application until 2030.

Web Server Integration

PHP integrates with web servers such as Apache, Nginx, Litespeed, Caddy, and more. When running a legacy PHP application, it is recommended to switch to php-fpm as the server API. Apache, for example, supports running PHP as an Apache module, which hinders the ability to upgrade the Apache version in case the application must be run on an older PHP version.

Nginx and Caddy only integrate with php-fpm, so no changes are necessary for them.

PHP also has a built-in server. It is unlikely that a production server uses it, but make sure to use a fully-fledged web server to add a separation between PHP and the web server.

Containerized PHP

When running a full LTS operating system (such as Ubuntu LTS) is not viable, an alternative approach would be using containers to run the required PHP version.

With containers, the rest of the file system and the network are inaccessible to the application unless explicitly allowed. The PHP-FPM process can run inside a container with minimal file system access (session storage, temp files, file uploads, etc. allowed), the FPM port (for web server integration), and the database ports allowed, while everything else remains within the container.

PECL Extension Replacements

Even if the operating system or a third-party repository provides PHP updates, it is unlikely that they offer security updates for EOL PHP extensions.

  • PECL extensions that connect with external services such as SSH, FTP, email, LDAP, etc. are better replaced with user-land PHP implementations.
  • Extensions offering cryptographic operations (mcrypt and openssl for example) are better replaced with newer extensions such as Sodium, or its user-land PHP polyfills.
  • PDF libraries (such as DomPDF) can be replaced with headless browsers or command-line tools such as wkhtmltopdf.
  • Image generation extensions (such as Imagick and GD) can be replaced with CDNs that offer image manipulation.
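As an added example for the cryptography bullet above (not code from the original post), the following PHP replaces the kind of symmetric encryption legacy code typically did through the mcrypt extension with the Sodium extension that is bundled with PHP 7.2 and later (the paragonie/sodium_compat package provides the same functions as a user-land polyfill on older versions). The three helper names and the constructed sample message are assumptions; the tampering check at the end shows the property mcrypt never gave you, a decryption that fails loudly instead of returning garbage.

```php
<?php
// Added example, not from the original post. Function names and the
// sample message are assumptions for the illustration.

/** Generate a key once and keep it outside the web root; never derive it from a password directly. */
function makeKey(): string
{
    return sodium_crypto_secretbox_keygen();
}

/** Authenticated encryption: a fresh random nonce per message, prepended to the ciphertext. */
function encrypt(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/** Returns null on a wrong key or any modification of the ciphertext. */
function decrypt(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

$key   = makeKey();
$token = encrypt('session:12345', $key);        // constructed sample message

// Round trip with the right key succeeds.
var_dump(decrypt($token, $key) === 'session:12345');

// Flip one ciphertext byte: the authentication tag no longer matches and
// decrypt() refuses the message instead of handing back corrupted plaintext.
$tampered = base64_decode($token, true);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(decrypt(base64_encode($tampered), $key));

// A different key is equally rejected.
var_dump(decrypt($token, makeKey()));
```

When migrating stored data, decrypt it with the old extension once, re-encrypt it with this scheme, and retire the old key; the nonce-plus-ciphertext layout above is self-describing, so no separate IV column is needed.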

Composer LTS

Composer, PHP's dependency manager, recently bumped its minimum PHP version requirement. However, Composer 2.2 is an LTS version of Composer 2, which should be supported until at least the end of 2023.

Composer is fairly conservative when it bumps up its minimum required PHP version, so it should be relatively trouble-free even on older PHP versions.

LTS Frameworks, Libraries, and local forks

PHP frameworks and libraries such as Laravel and Nette tend to be fast-moving, while Symfony and Slim are more conservative.

  • Although Laravel used to offer LTS releases that provided five years of security updates, recent Laravel versions offer only one year of active support followed by a year of security fixes, so it might require manually porting security updates.
  • Recent Drupal versions (such as Drupal 10) require recent PHP versions. Drupal 7 continues to receive support at the moment, and there are free and commercial Drupal LTS projects that provide coordinated security releases even after versions officially reach EOL. For Drupal 7, there is also Backdrop CMS, which provides an easy upgrade path.
  • WordPress tries to maintain compatibility with older PHP versions, so updating WordPress should be possible even on older PHP versions.
  • Symfony (and its components) provide LTS versions with at least three years of security updates.

When a PHP library/framework abandons the version the PHP application depends on, it then becomes up to the maintainer of the PHP application to fork the repository and back-port security updates as they are made. Sharing that effort as a public project can pay forward the efforts others make maintaining other LTS packages. For private packages, a locally cloned repository or a private Composer repository can make the Composer integration work.


20 Coming Soon Pages Explained & How to Do Them Right

For a coming soon page, all an upcoming website can ever do is show an empty screen with the words “COMING SOON” plastered from end to end.

Or is it?

In several ways, designing a ‘Coming Soon’ landing page for websites, services, and products is a form of art. With limited space, a designer could only hope to infuse all of the necessary elements in a way that would harmonize with the audience — and make them take action to engage, return, subscribe.

In this post, we have gathered 20 unique, elegant, and high quality Coming Soon pages for you to take inspiration from.

Quirky and Cartoony Coming Soon Pages

These Coming Soon landing pages’ common characteristic is that they are playful in nature, which is perfect for products or services that are family-oriented, or those who want to come off as welcoming to people. See for yourself!

Sorellina

Sorellina takes the most important aspects of a Coming Soon page and combines them with a unique design. This original aesthetic is tailored to the website it’s stitched on, giving it a custom look and feel. A refreshing sight to behold that is perfect for a “quirky” kind of service or product.

You see all the essential elements of a coming soon page including a content box, email signup, social integration, background image, and logo image. The best thing about this, however, is that the overall design stays original despite the familiar elements on display.

Timeville

Animations that are driven by quirky or cute illustrations can put a smile on a visitor’s face. This is enough to catch the eyes of a visitor. The general goal of the page is to meet the needs of the viewer’s curiosity just enough for them to scroll down.

The first section of the page itself is the entirety of the animation with a timer and an email signup function lying in wait. Scroll down and you’ll find that there’s enough space for a paragraph or two about the website. Social media functions are then sprawled on the bottom.

Dualingo

Dualingo, like some of the pages listed, uses cute imagery and matching color combinations as their main design. The overall page design itself only revolves around the progress of the website alone. The only other content bar is an email signup.

The page itself mainly consists of a background illustration and a progress bar that uses three image markers for progression. These images show the progress of an owl hatching from its egg. Apart from that, an email signup function is located on the upper right corner.

Omakase Sushi

This website is for a sushi restaurant that pitches in a custom-made illustration on the left and content on the right. Of course, the overall color scheme will remind you of Japan and the content found on the right will sound like the deepest and most thought-provoking description you have ever read.

It’s quite easy to see that your eyes are first drawn to the image on the left and then carried over to the content on the right. Reading past the description on top, you’ll find an email signup box at the bottom. In addition, a banner trails off the box, advertising other products of the website.

Shiva

Have you ever wanted to use a design or an image to purely convey what your coming soon page is all about? Well, this design by Shiva uses no text but the words “Coming Soon.” It’s simple and very minimalist in its structure.

You’ll notice right away that the page is bright. It’s painted with a white background save for a small image of workers prepping a billboard. Other than that, social media links are found at the bottom left.

Creative and Radical Landing Pages

On a different theme of Coming Soon pages, the items in this section give off a different vibe. You can feel the eagerness to be different from the rest of the boring, straightforward designs. These landing pages are perfect for those who wish to pique people’s interest through creative means, like the music industry, art, and the like.

Skate City

Skate City was originally a Coming Soon page used for a mobile game. It uses two clever techniques to keep a viewer’s eyes locked on the screen: animation and video. The latter is the first thing viewers see, as it occupies the entire screen.

As for its animation, Skate City uses two lights that switch on once a viewer scrolls down. The lights illuminate the email signup function and the viewer’s eye is immediately centered on it. It’s a clever way of putting a literal spotlight on a desired section of the page.

Self Made

Self Made is a music and talent competition website. It takes on unconventional imagery and color combinations that pull the eyes of a user even from afar. It also uses surreal or unfamiliar illustrations that make viewers take a second look thus capturing their full attention to the page and what it’s all about.

The main focus of the site consists of the image on the right which is then followed by a brief description of development on the left. Below this description lies the email signup and a few more links below it. Finally, the bottom page fits in information on the website itself.

Free Sketch

The pre-launch page for Free Sketch takes on a modern look for the website. If the background image of a city isn’t clear enough, then the text boxes in the middle should make it shine. It keeps everything simple and minimalist in nature.

The design itself is composed of a background image, a logo on top, a series of messages from the admin and an email signup box on the bottom for current updates.

Vincent Thouin

Vincent’s coming soon page utilizes one image and a dark background. That’s it. The image itself is animated and encapsulates what he’s trying to convey. It’s a simple technique that may be too vague for the ordinary user.

The overall design is a dark background and a sizeable lightbulb in the middle with working gears behind it. As the website’s structure progresses, so too does the light that comes from the lightbulb.

Firman

Firman’s pre-launch page is something different. You’ll notice right off the bat that its color scheme is dark and grim. This is further supplemented by a background image of a misty forest.

The design itself uses a unique form of a timer on the right, the words “coming soon” on the left, and social media integration on the bottom. It’s simple, yes, but it’s mainly carried by the overall vibe that it gives off.

Modern and Professional

Smart, sleek, minimalist — like all professional Coming Soon pages. These are some perfect examples of how coming soon pages should be designed, which can be used in a corporate setting.

Robert Smart

Sometimes, simplicity is the most efficient way of creating an impression that lasts. Well, Robert Smart created a coming soon page that embraces simplicity and straightforward design. What’s produced is a site that gives viewers what they want and offers them a chance to get in touch with you.

As you can see, the main focus of the page is to introduce the viewer to who you are. It then trails with more information as to what you can do or what you’re able to do for the reader. It’s closed off with an email signup option.

The Factory

If your e-commerce website deals with elegant products, then why not show off a coming soon page that reflects this very image? This is what The Factory brings to the table, a coming soon site that puts in just enough effort to merit the viewers’ attention.

The landing page begins with a loading screen shaped to the website’s name. The page itself consists of a static background image, the email signup function on the bottom left, and a few extra links on the bottom right.

Not Dark Yet

Sleekness and professionalism are the two aspects that Not Dark Yet would like to introduce you to. It does away with the usual elements that are heavily filled with background colors. It leverages lines, outlines, and transparency in a way that produces a great effect, suitable to its background image.

As for the page itself, there are two progress bars on display: one is the loading bar and the other is a timer. In between the main header and the progress bars is a sentence or two about the progress. Below, you’ll find the email signup function as well as social media links at the bottom. All this is wrapped around a background image or video that’s given a slight tint.

Blogin

Blogin toys with the concept of simplicity by adding subtle hints as to what the website is after and what it seeks to accomplish. The overall look or aesthetic on display is pretty simple, and the color scheme follows the same brand. It also gives off the impression of an energetic and exciting thing that is about to unfold.

As for the page itself, it still contains an email signup function, a background image, and the logo placed on top. However, what’s most clever about the design is the description in the middle. It produces a call to action by using an action word as the intro to each sentence.

Cap/Sure

Cap/Sure is a website that deals with new investors and equity crowdfunding. With that said, it’s easy to say that the overall design of the page is sleek and professional. It uses easy-to-read fonts with a dark background that makes everything more readable and noticeable.

The page consists of a preview image of the beta on the right, a general heading on the left and a brief description below it. At the bottom of the description lies a signup bar for users to try the beta and a “learn more” function beside it.

048

You can never go wrong with a sleek and simple design that puts in a release date as its main show. 048 applies this very concept as it tries to be as minimal as it can without being too vague or devoid of information.

The general design of the page is a background image, a logo on top, a suspected release date in the middle and an email signup below it. At the bottom, you’ll find a link to the user’s YouTube account with its associated subscriber count.

Imam Maulana

The image above is for a booking website based in Indonesia. Since its focus is just on booking tickets or hotel rooms, the only content box you’ll find is for booking said events. The color scheme, however, is what really grabs attention, as does the image that melts into the background.

The overall design consists of a background image, a largely plastered “coming soon” sign on top and then a signup box below it. The page then cuts on the bottom to make space for additional contact information.

The Apartment

Sometimes, a flashy or eye-catching design may not be for you. If it’s true, then The Apartment’s cool and laid back design should be your cup of tea. It keeps everything neat and organized in the middle with a lightly colored background image.

The design consists of the logo on top, a short description in the middle, and an email box on the bottom.

Jay Nagar

Jay’s coming soon page practices the more common form of a pre-launch page. It has a timer, a description, and a link to the admin’s blog. The overall aesthetic is simplistic, as its color scheme is composed only of black and different shades of grey.

The structure is made out of a background image that melds together with the color scheme. The content on display is a timer, a description below it, and a link to a blog on the bottom.

PandaDoc

PandaDoc’s page is quite common at first glance. However, it actually uses simple imagery and design to lure in a user’s eyes as to what it has to offer. It’s not minimal, but it does use its space efficiently to keep the viewer’s eyes from being overburdened.

The design consists of a preview page on the right, and the content on the left. The latter is made out of a header, a short description under it, and then a link to its email box on the bottom. The black background cuts off after the social media link as it turns into a cool green color. This second section details what the website can do for the reader.

Conclusion

If you are going to design a coming soon page for your product or service launch, it is crucial to catch people’s attention in an instant. Not only do they have short attention spans, they will also most likely never visit your landing page a second time! So if you don’t capture their details within the first couple of seconds, then I’m afraid you won’t have a second chance, because there are literally millions of new websites popping into existence weekly.

With the coming soon page examples shown above, I hope you have been inspired to design new, fresh, and captivating landing pages that will entrance your audience!