feat: add NoSessionInPaymentHandlerAndStoreApiRule to PHPStan rules

Author: shyim

rules.neon

@@ -8,6 +8,7 @@ rules:
     - Shopware\PhpStan\Rule\InternalMethodCallRule
     - Shopware\PhpStan\Rule\MethodBecomesAbstractRule
     - Shopware\PhpStan\Rule\NoDALFilterByID
+    - Shopware\PhpStan\Rule\NoSessionInPaymentHandlerAndStoreApiRule
     - Shopware\PhpStan\Rule\NoSymfonySessionInConstructor
     - Shopware\PhpStan\Rule\NoUserEntityGetStoreTokenRule
     - Shopware\PhpStan\Rule\ScheduledTaskTooLowIntervalRule

src/Rule/NoSessionInPaymentHandlerAndStoreApiRule.php

@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shopware\PhpStan\Rule;
+
+use PhpParser\Node;
+use PhpParser\Node\Expr\MethodCall;
+use PHPStan\Analyser\Scope;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\Type\ObjectType;
+use Shopware\Core\Checkout\Payment\Cart\PaymentHandler\AbstractPaymentHandler;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\Routing\Annotation\Route as RouteAnnotation;
+use Symfony\Component\Routing\Attribute\Route as RouteAttribute;
+
+/**
+ * @implements Rule<MethodCall>
+ */
+class NoSessionInPaymentHandlerAndStoreApiRule implements Rule
+{
+    public function getNodeType(): string
+    {
+        return MethodCall::class;
+    }
+
+    public function processNode(Node $node, Scope $scope): array
+    {
+        $type = $scope->getType($node->var);
+
+        // @phpstan-ignore-next-line
+        if (!$type instanceof ObjectType) {
+            return [];
+        }
+
+        if (!$type->isInstanceOf(SessionInterface::class)->yes()) {
+            return [];
+        }
+
+        $classReflection = $scope->getClassReflection();
+
+        if ($classReflection === null) {
+            return [];
+        }
+
+        // Check if class extends AbstractPaymentHandler
+        if ($classReflection->isSubclassOf(AbstractPaymentHandler::class)) {
+            return [
+                RuleErrorBuilder::message('Session usage is not allowed in payment handlers.')
+                    ->identifier('shopware.sessionUsageInPaymentHandler')
+                    ->build(),
+            ];
+        }
+
+        // Check for Store-API route attribute
+        $nativeReflection = $classReflection->getNativeReflection();
+        $attributes = array_merge(
+            $nativeReflection->getAttributes(RouteAnnotation::class),
+            $nativeReflection->getAttributes(RouteAttribute::class),
+        );
+
+        foreach ($attributes as $attribute) {
+            /** @var array{defaults?: array{_routeScope?: array<string>}} $args */
+            $args = $attribute->getArguments();
+            if (isset($args['defaults']['_routeScope']) && in_array('store-api', (array) $args['defaults']['_routeScope'], true)) {
+                return [
+                    RuleErrorBuilder::message('Session usage is not allowed in Store-API controllers.')
+                        ->identifier('shopware.sessionUsageInStoreApi')
+                        ->build(),
+                ];
+            }
+        }
+
+        return [];
+    }
+}

tests/Rule/NoSessionInPaymentHandlerAndStoreApiRuleTest.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shopware\PhpStan\Tests\Rule;
+
+use PHPStan\Rules\Rule;
+use PHPStan\Testing\RuleTestCase;
+use Shopware\PhpStan\Rule\NoSessionInPaymentHandlerAndStoreApiRule;
+
+/**
+ * @extends RuleTestCase<NoSessionInPaymentHandlerAndStoreApiRule>
+ */
+class NoSessionInPaymentHandlerAndStoreApiRuleTest extends RuleTestCase
+{
+    protected function getRule(): Rule
+    {
+        return new NoSessionInPaymentHandlerAndStoreApiRule();
+    }
+
+    public function testRule(): void
+    {
+        $this->analyse([__DIR__ . '/fixtures/NoSessionInPaymentHandlerAndStoreApi/PaymentHandlerWithSession.php'], [
+            [
+                'Session usage is not allowed in payment handlers.',
+                25,
+            ],
+        ]);
+
+        $this->analyse([__DIR__ . '/fixtures/NoSessionInPaymentHandlerAndStoreApi/StoreApiControllerWithSession.php'], [
+            [
+                'Session usage is not allowed in Store-API controllers.',
+                20,
+            ],
+        ]);
+    }
+}

tests/Rule/fixtures/NoSessionInPaymentHandlerAndStoreApi/PaymentHandlerWithSession.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shopware\PhpStan\Tests\Rule\Fixtures\NoSessionInPaymentHandlerAndStoreApi;
+
+use Shopware\Core\Checkout\Payment\Cart\PaymentHandler\AbstractPaymentHandler;
+use Shopware\Core\Checkout\Payment\Cart\PaymentHandler\PaymentHandlerInterface;
+use Shopware\Core\Checkout\Payment\Cart\PaymentHandler\PaymentHandlerType;
+use Shopware\Core\Checkout\Payment\Cart\PaymentTransactionStruct;
+use Shopware\Core\Framework\Context;
+use Shopware\Core\Framework\Struct\Struct;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+class PaymentHandlerWithSession extends AbstractPaymentHandler implements PaymentHandlerInterface
+{
+    public function __construct(
+        private readonly SessionInterface $session,
+    ) {}
+
+    public function pay(Request $request, PaymentTransactionStruct $transaction, Context $context, ?Struct $validateStruct = null): ?RedirectResponse
+    {
+        $this->session->get('foo');
+
+        return null;
+    }
+
+    public function supports(PaymentHandlerType $type, string $paymentMethodId, Context $context): bool
+    {
+        return true;
+    }
+}

tests/Rule/fixtures/NoSessionInPaymentHandlerAndStoreApi/StoreApiControllerWithSession.php

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shopware\PhpStan\Tests\Rule\Fixtures\NoSessionInPaymentHandlerAndStoreApi;
+
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\Routing\Annotation\Route;
+
+#[Route(defaults: ['_routeScope' => ['store-api']])]
+class StoreApiControllerWithSession
+{
+    public function __construct(
+        private readonly SessionInterface $session,
+    ) {}
+
+    #[Route(path: '/store-api/test', name: 'store-api.test', methods: ['GET'])]
+    public function testAction(): void
+    {
+        $this->session->get('foo');
+    }
+}