PSUKISS
A simple, "Keep It Secure, Students!" static analysis security linter for PHP. This extension helps you identify risky code patterns and potential vulnerabilities directly in your VS Code editor.
This extension finds potential security issues by reading your code; it does not execute it. It's designed to be a fast, lightweight first line of defense to help you catch simple mistakes before they're committed. Like any pattern-based static linter it can occasionally flag safe code (which is why there is an ignore comment) and will miss issues it has no rule for, so treat it as a complement to code review and fuller security testing, not a replacement.
✨ Features
- Instant Feedback: Vulnerabilities are highlighted with squiggly lines as you type.
- Popup Notifications: Get an immediate popup notification in the corner of your editor when a new vulnerability is detected.
- Problem Panel Integration: All security warnings are aggregated in the VS Code "Problems" panel for easy review.
- Rich Detail Webviews: Click on a vulnerability (either the squiggly line in the code or the item in the Problems panel) to open a detailed webview explaining the risk, how to fix it, and links to additional learning materials.
- Quick Fix to Ignore: Believe a flag is incorrect? Hover over the squiggly line, click "Quick Fix...", and select "PSUKISS: Ignore This Line" to add a comment (`// kiss-linter-ignore`) and suppress the warning.
🚀 How to Use (Tutorial)
- Install the "PSUKISS" extension from the VS Code Marketplace.
- Open a PHP file (`.php`). The extension activates automatically.
- Find a Vulnerability: As you type, the extension will highlight risky code with squiggly lines.
- Get Notified: A popup notification will appear (usually bottom-right) alerting you to the new issue. This popup includes a button to quickly open the "View Problem Panel".
- Get Detailed Info: Click directly on the squiggly line in your code. A Webview panel will automatically open on the side of your editor.
- Learn and Fix: The webview provides a detailed explanation of the vulnerability, example code for a secure fix, and links to additional learning materials to understand the "why."
- Ignore a Line (If Needed):
- If you believe an issue was flagged incorrectly, place the cursor on the line with the squiggly line.
- A lightbulb icon will appear. Click it (or use `Ctrl+.` / `Cmd+.`).
- Select "PSUKISS: Ignore This Line" from the menu to suppress the warning for that specific line.
🔎 What We Check For
This linter checks for a wide range of common PHP security vulnerabilities, including:
Injection, Traversal & Redirects:
- SQLI: Detects query-building patterns (such as concatenating request data into SQL strings) that are vulnerable to SQL Injection.
- XSS: Flags potential Cross-Site Scripting vulnerabilities from unsanitized output.
- RCE: Identifies insecure function calls (like `eval()`, `shell_exec()`) that could lead to Remote Code Execution.
- PATH_TRAVERSAL: Looks for insecure file path handling that could allow access to unintended directories.
- OPEN_REDIRECT: Warns against redirects that can be controlled by user input.
- JS_REDIRECT: Finds JavaScript-based redirects that may be insecure.
- META_REDIRECT: Detects redirects using meta refresh tags.
- FORM_REDIRECT: Warns about HTML forms that redirect to untrusted locations.
- LINK_INJECTION / EMAIL_LINK_MISUSE: Checks for insecurely constructed links or email content.
Data, Credential & File Handling:
- HARDCODED_SECRET: Finds hardcoded passwords, API keys, or other secrets.
- SENSITIVE_DATA_LEAK / INFO_DISCLOSURE: Detects functions (like `phpinfo()`) or settings that can leak sensitive configuration or data.
- FILE_UPLOAD_INSECURE: Warns about insecure file upload handling logic that could allow malicious file execution.
Authentication & Session Management:
- AUTH_FLAW: Identifies common flaws in authentication or authorization logic.
- SESSION_FIXATION: Looks for patterns that could lead to session fixation attacks.
Code & Function Misuse:
- DEPRECATED_API_MYSQL: Warns against using the old, insecure `mysql_*` functions (deprecated in PHP 5.5 and removed in PHP 7.0), recommending mysqli or PDO with prepared statements instead.
- ERROR_SUPPRESSION: Flags the use of the error suppression operator (`@`), which can hide critical errors and security issues.
Cryptography:
- WEAK_ENCRYPTION: Detects the use of weak or outdated hashing and encryption algorithms (for example MD5 or SHA-1 used for password hashing, where `password_hash()` should be used instead).
Other Risks:
- INSECURE_LOGGING: Warns if potentially sensitive information (like passwords or credit cards) is being written to logs.
- FILE_TOO_LONG: Flags files that are excessively long, which is a code quality and maintainability risk.
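To make the two mechanisms above concrete (the rule checks in this section and the `// kiss-linter-ignore` comment from the Features section), here is an added example of a minimal line-based rule engine in the linter's style. It is not PSUKISS's own code: the real extension runs in a Language Server and works on a php-parser AST, whereas this version uses regular expressions so it runs with no dependencies. The rule identifiers reuse the names listed above; the exact regexes, the `lint`/`ignoreLine` function names, and the assumption that the Quick Fix appends the marker to the flagged line itself are all mine. The sample PHP file is constructed for the example.

```typescript
// Added example, not PSUKISS's own code: a minimal line-based rule engine in the
// style of the linter described above. The real extension works on a php-parser AST;
// this version uses regular expressions so it runs with no dependencies, and the
// rule identifiers reuse the names listed under "What We Check For".

interface Rule {
  id: string;                          // rule identifier shown in the Problems panel
  message: string;
  test: (line: string) => boolean;     // true when the line matches the risky pattern
}

interface Finding {
  ruleId: string;
  line: number;                        // 1-based line number
  message: string;
}

// Assumption: the "Ignore This Line" Quick Fix appends this marker as a comment on
// the flagged line itself, and the linter skips any line that carries it.
const IGNORE_MARKER = "kiss-linter-ignore";

const SUPERGLOBAL = /\$_(GET|POST|REQUEST|COOKIE)\b/;

const RULES: Rule[] = [
  { id: "RCE", message: "eval()/shell_exec()-style call; attacker input here runs arbitrary code.",
    test: (l) => /\b(eval|shell_exec|system|passthru|exec)\s*\(/.test(l) },
  { id: "SQLI", message: "SQL statement built from request data; use prepared statements.",
    test: (l) => /\b(SELECT|INSERT|UPDATE|DELETE)\b/i.test(l) && SUPERGLOBAL.test(l) },
  { id: "XSS", message: "Request data echoed without htmlspecialchars().",
    test: (l) => /\b(echo|print)\b/.test(l) && SUPERGLOBAL.test(l) && !/htmlspecialchars\s*\(/.test(l) },
  { id: "DEPRECATED_API_MYSQL", message: "mysql_* was removed in PHP 7; use mysqli or PDO.",
    test: (l) => /\bmysql_\w+\s*\(/.test(l) },
  { id: "ERROR_SUPPRESSION", message: "@ hides errors that may signal an attack or misconfiguration.",
    test: (l) => /(^|[^\w@])@\s*[\w$]/.test(l) },
  { id: "WEAK_ENCRYPTION", message: "md5()/sha1() are unfit for passwords; use password_hash().",
    test: (l) => /\b(md5|sha1)\s*\(/.test(l) },
  { id: "HARDCODED_SECRET", message: "Secret stored as a string literal; load it from configuration.",
    test: (l) => /\$\w*(password|passwd|secret|api_?key|token)\w*\s*=\s*['"][^'"]+['"]/i.test(l) },
  { id: "INFO_DISCLOSURE", message: "phpinfo() exposes configuration, paths and loaded modules.",
    test: (l) => /\bphpinfo\s*\(/.test(l) },
];

// Run every rule over every line; a line may produce several findings.
function lint(source: string, rules: Rule[] = RULES): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const trimmed = text.trim();
    // Comment-only lines are not code, and lines carrying the ignore marker are suppressed.
    if (/^(\/\/|#|\*)/.test(trimmed) || text.includes(IGNORE_MARKER)) return;
    for (const rule of rules) {
      if (rule.test(text)) findings.push({ ruleId: rule.id, line: index + 1, message: rule.message });
    }
  });
  return findings;
}

// Group rule ids by line, which is how the Problems panel presents them.
function ruleIdsByLine(findings: Finding[]): Map<number, string[]> {
  const byLine = new Map<number, string[]>();
  for (const f of findings) {
    const ids = byLine.get(f.line) ?? [];
    ids.push(f.ruleId);
    byLine.set(f.line, ids);
  }
  return byLine;
}

// Pure-function model of the "PSUKISS: Ignore This Line" Quick Fix (my assumption of
// its behaviour): append the marker comment to the chosen line, once.
function ignoreLine(source: string, lineNumber: number): string {
  const lines = source.split(/\r?\n/);
  const current = lines[lineNumber - 1];
  if (current === undefined) throw new RangeError(`no line ${lineNumber}`);
  if (!current.includes(IGNORE_MARKER)) lines[lineNumber - 1] = `${current} // ${IGNORE_MARKER}`;
  return lines.join("\n");
}

// Constructed sample PHP file (not from any real project) that trips several rules.
const SAMPLE_PHP = [
  "<?php",
  '$api_key = "sk_live_123456";',                                        // 2: HARDCODED_SECRET
  '$conn = @mysql_connect("localhost", "root", "");',                     // 3: DEPRECATED_API_MYSQL, ERROR_SUPPRESSION
  '$res = mysql_query("SELECT * FROM users WHERE id = " . $_GET["id"]);', // 4: SQLI, DEPRECATED_API_MYSQL
  'echo "Hello " . $_GET["name"];',                                       // 5: XSS
  'echo "Hello " . htmlspecialchars($_GET["name"], ENT_QUOTES);',         // 6: clean
  '$hash = md5($_POST["password"]);',                                     // 7: WEAK_ENCRYPTION
  'shell_exec("ls " . $_GET["dir"]); // kiss-linter-ignore',              // 8: suppressed by the marker
  "phpinfo();",                                                           // 9: INFO_DISCLOSURE
].join("\n");

for (const f of lint(SAMPLE_PHP)) console.log(`${f.line}: ${f.ruleId} - ${f.message}`);
```

Two things this toy makes visible that the rule list alone does not: the same line can carry several findings (line 3 is both deprecated-API and error-suppression), and a regex rule is only a heuristic, so the XSS rule has to special-case `htmlspecialchars()` to avoid flagging the fixed line 6. That is exactly the kind of false positive the ignore comment exists for, and also why an AST-based checker like the real extension can do better than line matching.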
🧑💻 For Developers: Running Locally
- Run `npm install` in this root folder. This installs all necessary npm modules in both the client and server folders (including php-parser).
- Open the project's root folder in VS Code.
- Press `Ctrl+Shift+B` (or `Cmd+Shift+B` on Mac) to start compiling the client and server in watch mode.
- Switch to the "Run and Debug" View in the Sidebar (`Ctrl+Shift+D`).
- Select `Launch Client` from the drop-down menu.
- Press `F5` to run the launch config. This will open a new [Extension Development Host] window.
- In the new window, open a workspace and create or open a PHP file to test the extension.
📂 Project Structure
This extension is built using the Language Server Protocol (LSP).
```
├── client/                 # Language Client
│   ├── src/
│   │   ├── test/           # End-to-end tests for Language Client / Server
│   │   └── extension.ts    # Language Client entry point
│   └── package.json        # The extension manifest
└── server/                 # Language Server
    └── src/
        └── server.ts       # Language Server entry point
```
📄 License
This project is licensed under the MIT License. See the LICENSE file for details.