TL;DR: We’re announcing a new open source type checker for Hack, called Hakana.

Slack launched in 2014, built with a lot of love and also a lot of PHP code. We started migrating to a different language called Hack in 2016. Hack was created by Facebook after they had struggled to scale their operations with PHP. It offered more type-safety than PHP, and it came with an interpreter (called HHVM) that could run PHP code faster than PHP’s own interpreter.

Much has changed in PHP-land since we switched. PHP is faster than it used to be, and it has borrowed a number of Hack features (such as constructor property promotion). A great deal of the PHP community has also embraced type checking; there are now some great third-party type checkers to choose from.

Sticking with Hack has given us access to additional runtime speed boosts, performance-enhancing language constructs like `async`, and a typechecker that’s more strict by default than PHP typecheckers. But we’ve missed out on features provided by PHP typecheckers, including the ability to customize type inference rules to find issues specific to our codebase and automated security vulnerability detection.

Slack has hundreds of developers writing Hack. We want to give them the best possible experience, so last year we started building a type checker that could fill those gaps. We’ve dubbed that static analysis tool Hakana, and it’s now available on GitHub!

Hakana is based on Psalm, an open-source PHP static analysis tool I created, and it’s written in Rust. Hakana re-uses a Hack parser that’s bundled with the Hack interpreter. A bonus of writing it in Rust: with a bit of prodding, Hakana can run just about anywhere. For example, it runs in your web browser via WASM.

How we use Hakana

At Slack we run Hakana in CI to enforce good code behavior in a range of areas:

- It flags unused functions and unused private methods.
- It flags unused assignments inside closures.
- It detects both impossible and redundant type-checks.
- It warns us about potential SQL-injection attacks and cross-site scripting vulnerabilities (more on this below).
- It prevents misuse of internal Slack APIs (via plugin hooks).

We also use Hakana to automate type-aware API migrations (again via plugin hooks) and to delete unused functions in bulk. Thanks to Rust, those whole-codebase migrations are relatively quick.

PHP makes it really easy to make a dynamically-rendered website. PHP also makes it really easy to create an utterly insecure dynamically-rendered website. Hack improves on this slightly, by supporting a system for generating HTML output called XHP. XHP is secure-by-default against cross-site scripting attacks, but it doesn’t stop you from leaking customer data, and Hack doesn’t prevent you from shooting yourself in the foot with a wide range of other security vulnerabilities. For a host of reasons (including compliance obligations) Slack needed a tool that could discover those vulnerabilities.

Psalm, the type checker that Hakana is based on, already does security analysis, so it was relatively simple to add security analysis to Hakana as well. Hakana isn’t the first security analysis tool for Hack: for years, Facebook has been using an internal, closed-source tool called Zoncolan. Hakana is, however, the first that everyone can use.

Hakana works in much the same way as Zoncolan. It examines how data can flow between different functions in a codebase, and checks whether attacker-controlled data can show up in places it shouldn’t (a sink such as a SQL query or raw HTML output). To date, Hakana has found a number of exploitable vulnerabilities in production code at Slack. They were immediately fixed, and we checked our logs to ensure that the vulnerabilities had never actually been exploited.

Hakana’s security analysis mode is a form of interprocedural analysis: it follows the way data flows between functions. Hakana also supports detecting one type of vulnerability (SQL injection) via intraprocedural analysis, just by examining types at function boundaries. To do this, Hakana borrows the concept of literal string types from Psalm. In Hack code we can define a type alias for the strings we pass to the database layer. Though the official Hack typechecker just treats such an alias as a plain string, Hakana treats it as a special type `literal-string`, a subtype of string that can only be concatenated or interpolated with other literal-strings. A query assembled from string literals and constants therefore still satisfies the alias, while a query that has had request input interpolated into it does not, and the mismatch is visible at the call site without any cross-function analysis.
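The two detection modes described above, the intraprocedural literal-string check at a function boundary and the interprocedural taint flow from request input to an output sink, as an added example in Hack. This is not code from the Hakana repository, the Slack codebase or the original post: the alias name `SqlLiteral`, the helper functions `db_query`, `request_param` and `render_raw`, and the constructed request values are assumptions standing in for whatever a real codebase uses, and Hakana’s own source/sink annotations are not shown.

```hack
// Added example for illustration; not code from Hakana or Slack.
// The alias, helpers and sample request values below are assumptions.

// A type alias for SQL text. The official Hack typechecker sees a plain
// string here; a literal-string-aware checker treats it as a subtype that
// may only be built from other string literals.
type SqlLiteral = string;

// Hypothetical database boundary. An intraprocedural check needs to look
// only at this signature and at each call site's argument type.
function db_query(SqlLiteral $sql, vec<mixed> $params): void {
  // ... hand $sql and $params to a prepared-statement API ...
  echo "QUERY: {$sql} (".\count($params)." bound params)\n";
}

// Hypothetical framework accessor for request input. Anything it returns is
// attacker-controlled, i.e. a taint source. Values are constructed.
function request_param(string $name): string {
  $input = dict[
    'id' => '1 OR 1=1',
    'name' => '<img src=x onerror=alert(1)>',
  ];
  return $input[$name] ?? '';
}

// OK: every piece of the query is a string literal, so the concatenation is
// still a literal-string and matches db_query's SqlLiteral parameter. The
// attacker-controlled id travels as a bound parameter, not as query text.
function load_user_ok(): void {
  $table = 'users';
  $sql = 'SELECT id, name FROM ' . $table . ' WHERE id = ?';
  db_query($sql, vec[request_param('id')]);
}

// REJECTED by the literal-string check: request_param() returns a plain
// string, so the interpolated result is no longer a literal-string and
// cannot be passed where SqlLiteral is expected. The official typechecker
// accepts this because the alias is transparent to it.
function load_user_injectable(): void {
  $id = request_param('id');
  $sql = "SELECT id, name FROM users WHERE id = {$id}";
  db_query($sql, vec[]);
}

// Literal-string typing does not help for sinks that legitimately take
// arbitrary strings, such as raw HTML output. Here the tainted value passes
// through two intermediate functions before reaching the sink, so only an
// analysis that follows data across function boundaries can connect
// request_param() to render_raw().
function greeting_for(string $name): string {
  return 'Hello, ' . $name;
}

function wrap_in_div(string $inner): string {
  return '<div>' . $inner . '</div>';
}

// Hypothetical sink: writes unescaped HTML to the response.
function render_raw(string $html): void {
  echo $html, "\n";
}

// Flagged by interprocedural analysis: source -> two hops -> sink.
function render_greeting_xss(): void {
  $name = request_param('name');
  $html = wrap_in_div(greeting_for($name));
  render_raw($html);
}

// Fixed: the value is escaped before it can reach the sink. The flow still
// crosses the same function boundaries, so the analysis must model
// htmlspecialchars() as a sanitizer for the HTML sink for this to pass.
function render_greeting_safe(): void {
  $name = request_param('name');
  $safe = \htmlspecialchars($name, \ENT_QUOTES);
  render_raw(wrap_in_div(greeting_for($safe)));
}

<<__EntryPoint>>
function main(): void {
  load_user_ok();
  render_greeting_safe();
  // load_user_injectable() and render_greeting_xss() are left uncalled; they
  // exist to show the patterns a checker would report.
}
```

The point of the split is cost: the `SqlLiteral` mismatch is decided from one function signature and one call site, which is why it can be checked intraprocedurally, whereas the XSS flow is only visible once the analysis has followed `$name` through `greeting_for` and `wrap_in_div` into `render_raw`.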