First-class callables with parameter conditions (#418)

PHPStan detects first-class callable syntax at the point of `func(...)`, where no arguments are present - they are supplied only when the callable is later invoked, which means parameter conditions configured on the disallowed call cannot be evaluated at the detection point.

This PR corrects the behavior across all param condition directives. Conditions that require a matching param value to allow a call - `allowParamsAnywhere`, `allowParamsInAllowed`, and their _`AnyValue`_ and _`Flags`_ variants - can never be satisfied without arguments, so first-class callables are always reported when any of these is configured, regardless of zone. Conditions that require a matching param value to disallow a call - `allowExceptParamsAnywhere`, `allowExceptParamsInAllowed`, and their variants and aliases - can never be triggered without arguments, so first-class callables are never reported in either `allowIn*` or `allowExceptIn*` zones when these are configured.

Previously, `allowParamsAnywhere` incorrectly allowed first-class callables because the null-args path in `hasAllowedParams` unconditionally returned `true`. `allowExceptParamsInAllowed` incorrectly disallowed first-class callables in allowed zones because the null-args path in `hasAllowedParamsInAllowed` treated it identically to `allowParamsInAllowed`. Both are fixed. A new section in `docs/allow-with-parameters.md` documents the complete behavior for all param condition directives.

Closes #415

Author: spaze

composer.json

@@ -41,8 +41,8 @@
 	},
 	"scripts": {
 		"lint": "vendor/bin/parallel-lint --colors src/ tests/",
-		"lint-7.x": "vendor/bin/parallel-lint --colors src/ tests/ --exclude tests/src/TypesEverywhere.php --exclude tests/src/AttributesEverywhere.php --exclude tests/src/disallowed/functionCallsClassPatternParams.php --exclude tests/src/disallowed/functionCallsNamedParams.php --exclude tests/src/disallowed-allow/functionCallsNamedParams.php --exclude tests/src/disallowed/attributeUsages.php --exclude tests/src/disallowed-allow/attributeUsages.php --exclude tests/src/disallowed/constantDynamicUsages.php --exclude tests/src/disallowed-allow/constantDynamicUsages.php --exclude tests/src/AttributeClass.php --exclude tests/src/Bar.php --exclude tests/src/Enums.php --exclude tests/src/Functions.php --exclude tests/src/disallowed/controlStructures.php --exclude tests/src/disallowed-allow/controlStructures.php --exclude tests/src/disallowed/firstClassCallable.php --exclude tests/src/disallowed-allow/firstClassCallable.php --exclude tests/src/disallowed/callableParameters.php --exclude tests/src/disallowed-allow/callableParameters.php",
-		"lint-8.0": "vendor/bin/parallel-lint --colors src/ tests/ --exclude tests/src/TypesEverywhere.php --exclude tests/src/AttributesEverywhere.php --exclude tests/src/disallowed/constantDynamicUsages.php --exclude tests/src/disallowed-allow/constantDynamicUsages.php --exclude tests/src/Enums.php --exclude tests/src/disallowed/firstClassCallable.php --exclude tests/src/disallowed-allow/firstClassCallable.php",
+		"lint-7.x": "vendor/bin/parallel-lint --colors src/ tests/ --exclude tests/src/TypesEverywhere.php --exclude tests/src/AttributesEverywhere.php --exclude tests/src/disallowed/functionCallsClassPatternParams.php --exclude tests/src/disallowed/functionCallsNamedParams.php --exclude tests/src/disallowed-allow/functionCallsNamedParams.php --exclude tests/src/disallowed/attributeUsages.php --exclude tests/src/disallowed-allow/attributeUsages.php --exclude tests/src/disallowed/constantDynamicUsages.php --exclude tests/src/disallowed-allow/constantDynamicUsages.php --exclude tests/src/AttributeClass.php --exclude tests/src/Bar.php --exclude tests/src/Enums.php --exclude tests/src/Functions.php --exclude tests/src/disallowed/controlStructures.php --exclude tests/src/disallowed-allow/controlStructures.php --exclude tests/src/disallowed/firstClassCallable.php --exclude tests/src/disallowed-allow/firstClassCallable.php --exclude tests/src/disallowed/callableParameters.php --exclude tests/src/disallowed-allow/callableParameters.php --exclude tests/src/FirstClassCallableParamsAnywhere.php --exclude tests/src/RoyaleAllowInFirstClassCallable.php --exclude tests/src/RoyaleExceptFirstClassCallable.php",
+		"lint-8.0": "vendor/bin/parallel-lint --colors src/ tests/ --exclude tests/src/TypesEverywhere.php --exclude tests/src/AttributesEverywhere.php --exclude tests/src/disallowed/constantDynamicUsages.php --exclude tests/src/disallowed-allow/constantDynamicUsages.php --exclude tests/src/Enums.php --exclude tests/src/disallowed/firstClassCallable.php --exclude tests/src/disallowed-allow/firstClassCallable.php --exclude tests/src/FirstClassCallableParamsAnywhere.php --exclude tests/src/RoyaleAllowInFirstClassCallable.php --exclude tests/src/RoyaleExceptFirstClassCallable.php",
 		"lint-8.1": "vendor/bin/parallel-lint --colors src/ tests/ --exclude tests/src/AttributesEverywhere.php --exclude tests/src/disallowed/constantDynamicUsages.php --exclude tests/src/disallowed-allow/constantDynamicUsages.php --exclude tests/src/disallowed/firstClassCallable.php --exclude tests/src/disallowed-allow/firstClassCallable.php",
 		"lint-8.2": "vendor/bin/parallel-lint --colors src/ tests/ --exclude tests/src/disallowed/constantDynamicUsages.php --exclude tests/src/disallowed-allow/constantDynamicUsages.php",
 		"lint-neon": "vendor/bin/neon-lint .",

docs/allow-with-parameters.md

@@ -208,6 +208,14 @@ parameters:
 
 But because the "positional _or_ named" limitation described above applies here as well, I generally don't recommend using these shortcuts and instead recommend specifying both `position` and `name` keys.
 
+### First-class callables
+
+When a function or method is used as a [first-class callable](https://www.php.net/functions.first_class_callable_syntax) (`strlen(...)`), no arguments are present at the call site - the callable is invoked later with whatever arguments the caller passes. Because parameter conditions that restrict which calls are *allowed* (`allowParamsInAllowed`, `allowParamsInAllowedAnyValue`, `allowParamFlagsInAllowed`, `allowParamsAnywhere`, `allowParamsAnywhereAnyValue`, `allowParamFlagsAnywhere`) cannot be evaluated without arguments, any first-class callable is always reported when such a condition is configured, no matter where in the code it appears.
+
+Conditions that restrict which calls are *disallowed* behave differently - the forbidden parameter condition cannot be triggered without arguments. For the `*Anywhere` variants (`allowExceptParamsAnywhere`, `allowExceptParamsAnyValue`, `allowExceptParamFlags`, `allowExceptCaseInsensitiveParams`, and their aliases), first-class callables are never reported. For the `*InAllowed` variants (`allowExceptParamsInAllowed`, `allowExceptParamFlagsInAllowed`, and their aliases), first-class callables are not reported inside the relevant zone; outside it, the zone rule alone determines whether the call is reported.
+
+To allow a first-class callable of a disallowed function, use a zone-based directive without a parameter condition, for example `allowIn`, `allowInMethods`, or `allowInInstanceOf`. Alternatively, use an anonymous function that calls the function with the required argument: `fn($x) => hash('sha256', $x)` instead of `hash(...)`.
+
 ### PHPDoc type strings
 
 Instead of the `value` directive, you can use the `typeString` directive which allows you to specify arrays, unions, and anything that can be expressed with PHPDoc:

src/Allowed/Allowed.php

@@ -61,7 +61,7 @@ public function isAllowed(?Node $node, Scope $scope, ?array $args, Disallowed $d
 		$hasParams = $disallowed instanceof DisallowedWithParams;
 		foreach ($disallowed->getAllowInCalls() as $call) {
 			if ($this->callMatches($scope, $call)) {
-				return !$hasParams || $this->hasAllowedParamsInAllowed($scope, $args, $disallowed);
+				return !$hasParams || $this->hasAllowedParamsInAllowed($scope, $args, $disallowed, true);
 			}
 		}
 		if ($disallowed->getAllowExceptInCalls()) {
@@ -74,7 +74,7 @@ public function isAllowed(?Node $node, Scope $scope, ?array $args, Disallowed $d
 		}
 		foreach ($disallowed->getAllowIn() as $allowedPath) {
 			if ($this->allowedPath->matches($scope, $allowedPath)) {
-				return !$hasParams || $this->hasAllowedParamsInAllowed($scope, $args, $disallowed);
+				return !$hasParams || $this->hasAllowedParamsInAllowed($scope, $args, $disallowed, true);
 			}
 		}
 		if ($disallowed->getAllowExceptIn()) {
@@ -104,7 +104,7 @@ public function isAllowed(?Node $node, Scope $scope, ?array $args, Disallowed $d
 			if (!$this->isInstanceOf($scope, $disallowed->getAllowInInstanceOf())) {
 				return false;
 			}
-			return !$hasParams || $this->hasAllowedParamsInAllowed($scope, $args, $disallowed);
+			return !$hasParams || $this->hasAllowedParamsInAllowed($scope, $args, $disallowed, true);
 		}
 		if ($disallowed->getAllowExceptInInstanceOf()) {
 			if (!$this->isInstanceOf($scope, $disallowed->getAllowExceptInInstanceOf())) {
@@ -196,13 +196,13 @@ private function classOrAncestorMatches(ClassReflection $classReflection, string
 	 * @param Scope $scope
 	 * @param array<Arg>|null $args
 	 * @param array<int|string, Param> $allowConfig
-	 * @param bool $paramsRequired
+	 * @param bool $paramsRequired True to allow only when params match, false to allow unless params match
 	 * @return bool
 	 */
 	private function hasAllowedParams(Scope $scope, ?array $args, array $allowConfig, bool $paramsRequired): bool
 	{
 		if ($args === null) {
-			return true;
+			return !$paramsRequired;
 		}
 
 		$disallowedParams = false;
@@ -232,18 +232,27 @@ private function hasAllowedParams(Scope $scope, ?array $args, array $allowConfig
 	 * @param Scope $scope
 	 * @param array<Arg>|null $args
 	 * @param DisallowedWithParams $disallowed
-	 * @param bool $defaultResult
+	 * @param bool $allowedByDefault What to return when no param condition applies
 	 * @return bool
 	 */
-	private function hasAllowedParamsInAllowed(Scope $scope, ?array $args, DisallowedWithParams $disallowed, bool $defaultResult = true): bool
+	private function hasAllowedParamsInAllowed(Scope $scope, ?array $args, DisallowedWithParams $disallowed, bool $allowedByDefault): bool
 	{
+		if ($args === null) {
+			if ($disallowed->getAllowExceptParamsInAllowed()) {
+				return true;
+			}
+			if ($disallowed->getAllowParamsInAllowed()) {
+				return false;
+			}
+			return $allowedByDefault;
+		}
 		if ($disallowed->getAllowExceptParamsInAllowed()) {
 			return $this->hasAllowedParams($scope, $args, $disallowed->getAllowExceptParamsInAllowed(), false);
 		}
 		if ($disallowed->getAllowParamsInAllowed()) {
 			return $this->hasAllowedParams($scope, $args, $disallowed->getAllowParamsInAllowed(), true);
 		}
-		return $defaultResult;
+		return $allowedByDefault;
 	}
 
 

tests/Calls/FunctionFirstClassCallablesAllowExceptInMethodsWithParamsTest.php

@@ -0,0 +1,74 @@
+<?php
+declare(strict_types = 1);
+
+namespace Spaze\PHPStan\Rules\Disallowed\Calls;
+
+use PHPStan\Rules\Rule;
+use PHPStan\ShouldNotHappenException;
+use PHPStan\Testing\RuleTestCase;
+use PHPUnit\Framework\Attributes\RequiresPhp;
+use Spaze\PHPStan\Rules\Disallowed\DisallowedCallFactory;
+use Spaze\PHPStan\Rules\Disallowed\RuleErrors\DisallowedFunctionRuleErrors;
+
+/**
+ * @extends RuleTestCase<FunctionFirstClassCallables>
+ */
+class FunctionFirstClassCallablesAllowExceptInMethodsWithParamsTest extends RuleTestCase
+{
+
+	/**
+	 * @throws ShouldNotHappenException
+	 */
+	protected function getRule(): Rule
+	{
+		$container = self::getContainer();
+		return new FunctionFirstClassCallables(
+			$container->getByType(DisallowedFunctionRuleErrors::class),
+			$container->getByType(DisallowedCallFactory::class),
+			[
+				[
+					'function' => 'crc32()',
+					'allowExceptInMethods' => [
+						'Fiction\Pulp\RoyaleExceptFirstClassCallable::methodA()',
+					],
+					'allowParamsInAllowed' => [
+						1 => 'a',
+					],
+				],
+				[
+					'function' => 'strtolower()',
+					'allowExceptInMethods' => [
+						'Fiction\Pulp\RoyaleExceptFirstClassCallable::methodA()',
+					],
+					'allowExceptParamsInAllowed' => [
+						1 => 'a',
+					],
+				],
+			]
+		);
+	}
+
+
+	/**
+	 * @requires PHP >= 8.1.0
+	 */
+	#[RequiresPhp('>= 8.1.0')]
+	public function testRule(): void
+	{
+		$this->analyse([__DIR__ . '/../src/RoyaleExceptFirstClassCallable.php'], [
+			[
+				'Calling crc32() is forbidden.',
+				11,
+			],
+		]);
+	}
+
+
+	public static function getAdditionalConfigFiles(): array
+	{
+		return [
+			__DIR__ . '/../../extension.neon',
+		];
+	}
+
+}

tests/Calls/FunctionFirstClassCallablesAllowInMethodsWithParamsTest.php

@@ -0,0 +1,82 @@
+<?php
+declare(strict_types = 1);
+
+namespace Spaze\PHPStan\Rules\Disallowed\Calls;
+
+use PHPStan\Rules\Rule;
+use PHPStan\ShouldNotHappenException;
+use PHPStan\Testing\RuleTestCase;
+use PHPUnit\Framework\Attributes\RequiresPhp;
+use Spaze\PHPStan\Rules\Disallowed\DisallowedCallFactory;
+use Spaze\PHPStan\Rules\Disallowed\RuleErrors\DisallowedFunctionRuleErrors;
+
+/**
+ * @extends RuleTestCase<FunctionFirstClassCallables>
+ */
+class FunctionFirstClassCallablesAllowInMethodsWithParamsTest extends RuleTestCase
+{
+
+	/**
+	 * @throws ShouldNotHappenException
+	 */
+	protected function getRule(): Rule
+	{
+		$container = self::getContainer();
+		return new FunctionFirstClassCallables(
+			$container->getByType(DisallowedFunctionRuleErrors::class),
+			$container->getByType(DisallowedCallFactory::class),
+			[
+				[
+					'function' => 'crc32()',
+					'allowInMethods' => [
+						'Fiction\Pulp\RoyaleAllowInFirstClassCallable::methodA()',
+					],
+					'allowParamsInAllowed' => [
+						1 => 'a',
+					],
+				],
+				[
+					'function' => 'strtolower()',
+					'allowInMethods' => [
+						'Fiction\Pulp\RoyaleAllowInFirstClassCallable::methodA()',
+					],
+					'allowExceptParamsInAllowed' => [
+						1 => 'a',
+					],
+				],
+			]
+		);
+	}
+
+
+	/**
+	 * @requires PHP >= 8.1.0
+	 */
+	#[RequiresPhp('>= 8.1.0')]
+	public function testRule(): void
+	{
+		$this->analyse([__DIR__ . '/../src/RoyaleAllowInFirstClassCallable.php'], [
+			[
+				'Calling crc32() is forbidden.',
+				11,
+			],
+			[
+				'Calling crc32() is forbidden.',
+				18,
+			],
+			[
+				'Calling strtolower() is forbidden.',
+				19,
+			],
+		]);
+	}
+
+
+	public static function getAdditionalConfigFiles(): array
+	{
+		return [
+			__DIR__ . '/../../extension.neon',
+		];
+	}
+
+}

tests/Calls/FunctionFirstClassCallablesParamsAnywhereTest.php

@@ -0,0 +1,68 @@
+<?php
+declare(strict_types = 1);
+
+namespace Spaze\PHPStan\Rules\Disallowed\Calls;
+
+use PHPStan\Rules\Rule;
+use PHPStan\ShouldNotHappenException;
+use PHPStan\Testing\RuleTestCase;
+use PHPUnit\Framework\Attributes\RequiresPhp;
+use Spaze\PHPStan\Rules\Disallowed\DisallowedCallFactory;
+use Spaze\PHPStan\Rules\Disallowed\RuleErrors\DisallowedFunctionRuleErrors;
+
+/**
+ * @extends RuleTestCase<FunctionFirstClassCallables>
+ */
+class FunctionFirstClassCallablesParamsAnywhereTest extends RuleTestCase
+{
+
+	/**
+	 * @throws ShouldNotHappenException
+	 */
+	protected function getRule(): Rule
+	{
+		$container = self::getContainer();
+		return new FunctionFirstClassCallables(
+			$container->getByType(DisallowedFunctionRuleErrors::class),
+			$container->getByType(DisallowedCallFactory::class),
+			[
+				[
+					'function' => 'crc32()',
+					'allowParamsAnywhere' => [
+						1 => 'a',
+					],
+				],
+				[
+					'function' => 'strtolower()',
+					'allowExceptParamsAnywhere' => [
+						1 => 'a',
+					],
+				],
+			]
+		);
+	}
+
+
+	/**
+	 * @requires PHP >= 8.1.0
+	 */
+	#[RequiresPhp('>= 8.1.0')]
+	public function testRule(): void
+	{
+		$this->analyse([__DIR__ . '/../src/FirstClassCallableParamsAnywhere.php'], [
+			[
+				'Calling crc32() is forbidden.',
+				4,
+			],
+		]);
+	}
+
+
+	public static function getAdditionalConfigFiles(): array
+	{
+		return [
+			__DIR__ . '/../../extension.neon',
+		];
+	}
+
+}

tests/src/FirstClassCallableParamsAnywhere.php

@@ -0,0 +1,5 @@
+<?php
+declare(strict_types = 1);
+
+$fn = crc32(...); // disallowed: allowParamsAnywhere, null args can't satisfy param condition
+$fn = strtolower(...); // allowed: allowExceptParamsAnywhere, null args don't trigger disallow condition

tests/src/RoyaleAllowInFirstClassCallable.php

@@ -0,0 +1,22 @@
+<?php
+declare(strict_types = 1);
+
+namespace Fiction\Pulp;
+
+class RoyaleAllowInFirstClassCallable
+{
+
+	public function methodA(): void
+	{
+		$fn = crc32(...); // disallowed: in allowed zone, null args can't satisfy allowParamsInAllowed
+		$fn = strtolower(...); // allowed: in allowed zone, null args can't trigger allowExceptParamsInAllowed
+	}
+
+
+	public function methodB(): void
+	{
+		$fn = crc32(...); // disallowed: not in allowed zone
+		$fn = strtolower(...); // disallowed: not in allowed zone
+	}
+
+}

tests/src/RoyaleExceptFirstClassCallable.php

@@ -0,0 +1,22 @@
+<?php
+declare(strict_types = 1);
+
+namespace Fiction\Pulp;
+
+class RoyaleExceptFirstClassCallable
+{
+
+	public function methodA(): void
+	{
+		$fn = crc32(...); // disallowed: in except zone, null args can't satisfy allowParamsInAllowed
+		$fn = strtolower(...); // allowed: in except zone, null args can't trigger allowExceptParamsInAllowed
+	}
+
+
+	public function methodB(): void
+	{
+		$fn = crc32(...); // allowed: not in except zone
+		$fn = strtolower(...); // allowed: not in except zone
+	}
+
+}