False negatives when denied call used in: first class callable, dynamic call, anonymous class, array callable, ...

[janedbal]

Hi, this package is very similar to our rule in shipmonk/phpstan-rules under forbidCustomFunctions

I was considering to switch to your package as it has far more features (and possibly phase-out our rule one day), but when I ran quick comparison of the behaviour of our packages, I found that phpstan-disallowed-calls is missing quite a few features, most notably it suffers from those false-negatives:

• First class callables not detected
  • denied_function(...);
• Dynamic calls not detected
  • $fn = 'denied_function'; $fn();
• Anonymous classes not detected
  • new class extends ClassWithForbiddenConstructor {};
• Callables not detected
  • array_map('denied_function', $array);
  • array_map([$class, 'forbiddenMethod'], $array);
• See the MR for full diff, there are few other differences

Due to that, I'm sticking with our implementation for now, but if you ever consider implementing those, please let me know and I'll reconsider again :)

[spaze]

Hi, thanks for pointing out the issues. I've noticed your PR adding most of the missing detections to shipmonk/phpstan-rules, feel free to send a similar one, if you'd like to have those also supported here.

The purpose of spaze/phpstan-disallowed-calls has never been to detect all possible usages (as documented!) but I'll happily add more detections. Until then feel free to use whatever suits your needs the best :-)

[spaze]

I have started working on at least some of the missing detections, the list and the progress is below, will update it as more detections are added. There still may be some differences, or something I've missed. I'm getting lost a bit in shipmonk-rnd/phpstan-rules#292 so I'd appreciate if you could, once I think I've added all the detections below, run the tests again and interpret them for me like you did above :-)

• First class callables not detected
  First class callable syntax supported for functions and methods #279
• Dynamic calls not detected
  Detect dynamic function calls #276
  More dynamic calls #278
• Anonymous classes not detected
  I believe those were already detected but I've have added tests to make sure
  Test anonymous class-related calls and usages #277
• Callables not detected
  Detect callable parameters #281
  Add missing tests for allowed-by-path callable params calls #283
  Detect callables in constructors #285