Hi,
My security plugin reacts to some files, and says "The function eval called at line XX column XX, which should be avoided whenever possible."
/types/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php
/types-access/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php
/wp-views/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php
/types-access/vendor/toolset/toolset-common/lib/Twig/src/Environment.php
/wp-views/vendor/toolset/toolset-common/lib/Twig/src/Environment.php
I suppose that I don't have to worry about the "eval", but I wonder what the Test files are doing?
Thank you!
Stina
Hi, our developers are certain that eval statement flags in security evaluations can be considered false positives. The eval() function is actually part of the requirements for using Toolset:
https://toolset.com/toolset-requirements/
https://toolset.com/documentation/programmer-reference/list-of-toolset-files-where-eval-php-function-is-used/
We use the Twig PHP library for PHP templating, and some of the PHP files in that library include the eval function. What these specific files do isn't clear to me as a supporter, but our developers have assured us they are aware of the use of eval() in this library, and there's nothing to worry about here. XSS scripting prevention is in place to prevent the types of issues your security evaluation has reported.
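One way to triage findings like the ones in this thread, as an added example that is not Toolset's or the security plugin's own code: it assumes the scanner emits one "path: message" line per hit, suppresses eval() hits only in the Twig files documented above, and leaves every other eval() hit open for review (the sample findings are constructed).

```python
import re

# Scanner message format quoted in the question above (line and column are captured).
EVAL_FINDING_RE = re.compile(r"The function eval called at line (\d+) column (\d+)")

# Files the reply above lists as documented eval() users in Toolset's vendored Twig library.
KNOWN_EVAL_FILES = (
    "/types/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php",
    "/types-access/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php",
    "/wp-views/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php",
    "/types-access/vendor/toolset/toolset-common/lib/Twig/src/Environment.php",
    "/wp-views/vendor/toolset/toolset-common/lib/Twig/src/Environment.php",
)

# Constructed sample findings in "path: message" form; not real scanner output.
SAMPLE_FINDINGS = [
    "/var/www/wp-content/plugins/wp-views/vendor/toolset/toolset-common/lib/Twig/src/Environment.php: "
    "The function eval called at line 12 column 5, which should be avoided whenever possible.",
    "/var/www/wp-content/plugins/types/vendor/toolset/toolset-common/lib/Twig/src/Test/IntegrationTestCase.php: "
    "The function eval called at line 40 column 9, which should be avoided whenever possible.",
    "/var/www/wp-content/uploads/2023/cache.php: "
    "The function eval called at line 1 column 1, which should be avoided whenever possible.",
    "/var/www/wp-content/plugins/wp-views/vendor/toolset/toolset-common/lib/Twig/src/Environment.php: "
    "The function base64_decode called at line 3 column 1, which should be avoided whenever possible.",
]

def classify(finding):
    """Return 'expected', 'review' or 'other' for one scanner finding."""
    path, _, message = finding.partition(": ")
    if not EVAL_FINDING_RE.search(message):
        return "other"       # not an eval() finding; handled by the normal review process
    # Suffix match: scanners usually report absolute paths, the documented list is plugin-relative.
    if any(path.endswith(known) for known in KNOWN_EVAL_FILES):
        return "expected"    # documented Twig location, treated as a false positive
    return "review"          # eval() outside the documented list stays open

def triage(findings):
    """Group finding paths by classification so only undocumented eval() hits need attention."""
    groups = {"expected": [], "review": [], "other": []}
    for finding in findings:
        groups[classify(finding)].append(finding.partition(": ")[0])
    return groups

if __name__ == "__main__":
    for label, paths in triage(SAMPLE_FINDINGS).items():
        print(label, paths)
```

The documented list is suffix-matched, so a copy of Environment.php dropped anywhere else (for example under uploads) is still reported.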