Add Psalm taint annotations for session/cookie security

[koriym]

Summary

Add Psalm taint annotations to mark session and cookie data as taint sources.

Changes

• @psalm-taint-source input on:
  • SessionProvider::get() - returns Session initialized with $_COOKIE
  • CookieProvider::get() - returns $_COOKIE directly

Also includes code style fixes (phpcbf).

Test Plan

• Existing tests pass
• Run ./vendor/bin/psalm --taint-analysis to verify annotations work

Summary by Sourcery

Mark session and cookie providers as taint sources for static analysis and apply minor coding style improvements.

Enhancements:

• Annotate session and cookie provider getters with Psalm taint-source metadata for input data.
• Add strict types, return type hints, and PSR-compliant attribute usage and formatting across session-related classes.

Summary by CodeRabbit

Release Notes

• Refactor
  • Code modernization with improved type declarations and stricter validation
  • Enhanced documentation formatting and metadata annotations across core modules
  • Improved code structure for better maintainability and consistency

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds Psalm taint-source annotations for session and cookie providers and applies small type-safety and coding-style refinements across the session module.

Class diagram for updated session and cookie providers

classDiagram
    direction LR

    class ProviderInterface {
    }

    class SessionFactory {
        +newInstance(array cookieData) Session
    }

    class Session {
    }

    class SessionProvider {
        +get() Session
    }

    class CookieProvider {
        +get() array
    }

    class AuraSessionInject {
        -Session session
        +setSession(Session session) void
    }

    class Cookie {
        <<attribute>>
    }

    class DeleteCookie {
        <<attribute>>
    }

    class AuraSessionModule {
        +configure() void
    }

    class DeleteCookieInvoker {
        +__invoke(string name, array params) void
    }

    ProviderInterface <|.. SessionProvider
    ProviderInterface <|.. CookieProvider

    SessionFactory --> Session : creates
    SessionProvider --> SessionFactory : uses

    AuraSessionInject --> Session

    Cookie <|-- DeleteCookieInvoker
    DeleteCookie <|-- DeleteCookieInvoker

Loading

Flow diagram for taint-source cookie and session data

flowchart LR
    subgraph Browser
        C["$_COOKIE"]
    end

    subgraph Server
        CP["CookieProvider.get()"]
        SP["SessionProvider.get()"]
        SF["SessionFactory.newInstance(cookieData)"]
        S["Session"]
        APP["Application code using cookies and session"]
    end

    C --> CP
    CP --> APP

    C --> SP
    SP --> SF
    SF --> S
    S --> APP

Loading

File-Level Changes

Change	Details	Files
Mark session and cookie providers as taint sources for Psalm taint analysis.	Add @psalm-taint-source input to SessionProvider::get() to mark returned Session (constructed from $_COOKIE) as tainted input Add @psalm-taint-source input to CookieProvider::get() to mark returned cookie array as tainted input	src/SessionProvider.php src/CookieProvider.php
Apply strict types, minor API signatures, and PSR-style formatting cleanups.	Enable strict_types in SessionProvider and normalize docblocks (@inheritdoc) and factory invocation style Update AuraSessionInject::setSession() to declare a void return type and collapse deprecation docblock Split Attribute and Qualifier PHP 8 attributes onto separate lines for Cookie and DeleteCookie annotations Adjust AuraSessionModule configure() docblock to use @inheritdoc Add trailing comma in DeleteCookieInvoker cookie deletion call for coding-style consistency	src/SessionProvider.php src/AuraSessionInject.php src/Annotation/Cookie.php src/Annotation/DeleteCookie.php src/AuraSessionModule.php src/DeleteCookieInvoker.php

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Walkthrough

This PR makes several focused improvements across annotation and provider classes: separating combined PHP attributes into discrete attributes, adding explicit return types, standardizing docblock tag formatting, incorporating Psalm taint annotations, and minor syntax adjustments. No behavioral changes or control-flow modifications are introduced.

Changes

Cohort / File(s)	Summary
Annotation Attributes Separation src/Annotation/Cookie.php, src/Annotation/DeleteCookie.php	Separated combined attribute declaration #[Attribute, Qualifier] into two distinct attributes #[Attribute] and #[Qualifier] on both classes
Type Signature Improvements src/AuraSessionInject.php	Added explicit void return type to setSession(Session $session): void method; reformatted deprecation docblock to single-line format
Documentation & Taint Annotations src/AuraSessionModule.php, src/CookieProvider.php, src/SessionProvider.php	Standardized docblock tags from {@inheritdoc} to {@inheritdoc}; added @psalm-taint-source input annotations; added declare(strict_types=1) to SessionProvider; replaced (new SessionFactory) with (new SessionFactory()) syntax
Syntax Formatting src/DeleteCookieInvoker.php	Added trailing comma after domain argument in setcookie() function call

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately reflects the primary objective and main changes: adding Psalm taint annotations to session and cookie related code for security purposes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-psalm-taint-annotations

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 24258a0 and 0db8b96.

📒 Files selected for processing (7)

• src/Annotation/Cookie.php
• src/Annotation/DeleteCookie.php
• src/AuraSessionInject.php
• src/AuraSessionModule.php
• src/CookieProvider.php
• src/DeleteCookieInvoker.php
• src/SessionProvider.php

🧰 Additional context used

🧬 Code graph analysis (3)

src/Annotation/Cookie.php (1)

src/Annotation/DeleteCookie.php (1)

• Attribute (10-14)

src/SessionProvider.php (2)

src/AuraSessionModule.php (1)

• AuraSessionModule (22-40)

src/CookieProvider.php (1)

• get (21-24)

src/Annotation/DeleteCookie.php (1)

src/Annotation/Cookie.php (1)

• Attribute (10-14)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Sourcery review

🔇 Additional comments (9)

src/AuraSessionModule.php (1)

25-25: LGTM! Documentation tag standardization.

The change from {@inheritdoc} to {@inheritDoc} follows PSR-5 conventions for PHPDoc tags.

src/DeleteCookieInvoker.php (1)

28-28: LGTM! Trailing comma for consistency.

The trailing comma is valid PHP syntax (7.3+) and improves consistency with modern PHP coding standards.

src/CookieProvider.php (1)

16-19: Excellent security enhancement with Psalm taint annotation!

The @psalm-taint-source input annotation correctly identifies that $_COOKIE is an untrusted input source, enabling Psalm's taint analysis to track potential security vulnerabilities. This aligns perfectly with the PR objectives.

src/AuraSessionInject.php (1)

15-15: LGTM! Explicit void return type improves type safety.

Adding the explicit : void return type declaration strengthens type safety and aligns with modern PHP best practices.

src/Annotation/Cookie.php (1)

10-11: LGTM! Correct PHP attribute syntax.

Separating #[Attribute] and #[Qualifier] into distinct attribute declarations is the correct PHP 8 syntax. This ensures both attributes are properly applied to the class rather than treating one as an argument to the other.

src/Annotation/DeleteCookie.php (1)

10-11: LGTM! Consistent attribute syntax with Cookie annotation.

This mirrors the attribute syntax correction in Cookie.php, ensuring both annotation classes follow the correct PHP 8 attribute declaration pattern.

src/SessionProvider.php (3)

3-3: LGTM! Strict types enabled.

Adding declare(strict_types=1) enforces strict type checking, reducing type-related bugs.

---

18-21: Excellent security enhancement with Psalm taint annotation!

The @psalm-taint-source input annotation correctly identifies that the returned Session object is initialized with $_COOKIE data, making it a taint source. This enables Psalm to track how session data flows through the application and detect potential security vulnerabilities. This is a core objective of this PR.

---

25-25: LGTM! Explicit constructor call syntax.

Adding parentheses to (new SessionFactory()) makes the constructor invocation more explicit and consistent with standard PHP style.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.16%. Comparing base (24258a0) to head (0db8b96).

Files with missing lines	Patch %	Lines
src/AuraSessionInject.php	0.00%	1 Missing ⚠️
src/DeleteCookieInvoker.php	0.00%	1 Missing ⚠️
src/SessionProvider.php	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##                1.x      #15   +/-   ##
=========================================
  Coverage     54.16%   54.16%           
  Complexity        5        5           
=========================================
  Files             5        5           
  Lines            24       24           
=========================================
  Hits             13       13           
  Misses           11       11           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sourcery-ai]

Hey - I've left some high level feedback:

• Consider splitting the Psalm taint annotations and the unrelated coding-style/typing tweaks (e.g., declare(strict_types=1), added void return type, attribute formatting) into separate PRs to make the behavior change easier to review and reason about.
• Adding declare(strict_types=1); to SessionProvider only may introduce subtle type behavior differences compared to the rest of the package; consider either applying it consistently or omitting it here to avoid inconsistent runtime behavior.
• The new : void return type on AuraSessionInject::setSession could be a breaking change for consumers that override this method without a return type, so it may be safer to omit the return type or introduce it in a dedicated major/breaking-change PR.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider splitting the Psalm taint annotations and the unrelated coding-style/typing tweaks (e.g., `declare(strict_types=1)`, added `void` return type, attribute formatting) into separate PRs to make the behavior change easier to review and reason about.
- Adding `declare(strict_types=1);` to `SessionProvider` only may introduce subtle type behavior differences compared to the rest of the package; consider either applying it consistently or omitting it here to avoid inconsistent runtime behavior.
- The new `: void` return type on `AuraSessionInject::setSession` could be a breaking change for consumers that override this method without a return type, so it may be safer to omit the return type or introduce it in a dedicated major/breaking-change PR.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}