July 17, 2024
Hakana: Taking Hack Critically – Slack Engineering

TL; DR: We’re saying a brand new open supply sort checker for Hack, known as Hakana.


Slack launched in 2014, constructed with lots of love and in addition lots of PHP code.

We began migrating to a distinct language known as Hack in 2016. Hack was created by Fb after they’d struggled to scale their operations with PHP. It supplied extra type-safety than PHP, and it got here with an interpreter (known as HHVM) that might run PHP code sooner than PHP’s personal interpreter.

A lot has modified in PHP-land since we switched. PHP is quicker than it was once, and it has borrowed quite a few Hack options (resembling constructor property promotion). Quite a lot of the PHP group has additionally embraced sort checking — there are actually some nice third-party sort checkers to select from.

Sticking with Hack has given us entry to further runtime pace boosts, performance-enhancing language constructs like `async`, and a typechecker that’s extra strict by default than PHP typecheckers. However we’ve missed out on options supplied by PHP typecheckers, together with the flexibility to customise sort inference guidelines to seek out points particular to our codebase and automatic safety vulnerability detection.

Slack has a whole lot of builders writing Hack. We need to give them the very best expertise, so final 12 months we began constructing a sort checker that might fill these gaps.

We’ve dubbed that static evaluation software Hakana, and it’s now available on GitHub!

Hakana is predicated on Psalm, an open-source PHP static evaluation software I created, and it’s written in Rust. Hakana re-uses a Hack parser that’s bundled with the Hack interpreter.

A bonus of writing it in Rust: with a little bit of prodding, Hakana can run nearly anyplace. For instance, it runs in your web browser through WASM.

How we use Hakana

At Slack we run Hakana in CI to implement good code conduct in a variety of areas. Right here’s an incomplete record:

  • It prevents unused capabilities and unused personal strategies.
  • It prevents unused assignments inside closures.
  • It detects each unattainable and redundant type-checks.
  • It warns us about potential SQL-injection assaults and cross-site scripting vulnerabilities (extra on this under).
  • It prevents misuse of inner Slack APIs (through plugin hooks).

We additionally use Hakana to automate type-aware API migrations (once more through plugin hooks) and to delete unused capabilities in bulk. Because of Rust, these whole-codebase migrations are comparatively fast.

Safety

PHP makes it very easy to make a dynamically-rendered web site. PHP additionally makes it very easy to create an totally insecure dynamically-rendered web site.

Hack improves on this barely, by supporting a system for producing HTML output known as XHP. XHP is secure-by-default in opposition to cross-site scripting assaults, but it surely doesn’t cease you from leaking buyer information, and Hack doesn’t stop you from taking pictures your self within the foot with a variety of different safety vulnerabilities.

For a number of causes (together with compliance obligations) Slack wanted a software that might uncover these vulnerabilities. Psalm, the kind checker that Hakana is predicated on, already does safety evaluation, so it was comparatively easy so as to add safety evaluation to Hakana as properly.

Hakana isn’t the primary safety evaluation software for Hack — for years, Fb has been utilizing an inner, closed-source software called Zoncolan — however Hakana is the primary that everybody can use.

Hakana works in a lot the identical method as Zoncolan. It examines how information can movement between completely different capabilities in a codebase, and checks if attacker-controlled information can present up in locations it shouldn’t.

To this point, Hakana has discovered quite a few exploitable vulnerabilities in manufacturing code at Slack (that have been instantly fastened, and we checked our logs to make sure that the vulnerabilities had not truly ever been exploited).

Safety within the sort system

Hakana’s safety evaluation mode is a type of interprocedural evaluation — it seems to be on the method information flows between capabilities. Hakana additionally helps detecting one sort of vulnerability (SQL injection) through intraprocedural evaluation, simply by inspecting varieties at operate boundaries.

To do that, Hakana borrows the idea of literal string varieties from Psalm. In Hack code we are able to outline a sort alias:

<<HakanaSpecialTypesLiteralString()>>
sort db_query_string = string;

Although the official Hack typechecker simply treats this as a string, Hakana treats it as a particular sort `literal-string`, a subtype of string that may solely be concatenated or interpolated with different literal-strings. Passing a string right into a operate that expects a literal-string causes Hakana to emit an error:

operate get_id_query(string $id): db_query_string 
    return "choose * from customers the place id = '$id'";
    // Error: The kind `string` is extra normal
    // than the declared return sort `literal-string`

Extending Hakana

PHP static evaluation instruments are usually highly-customisable. Customisable static evaluation is absolutely helpful for PHP, as a result of its interpreter permits plenty of tips (e.g. magic methods) that may confound one-size-fits-all static evaluation instruments.

Most of these tips don’t work in Hack code, so there’s far much less of a necessity for customisable static evaluation. Even so, we’ve discovered lots of worth in extending Hakana with plugins.

For instance, we use a customized plugin to inform Hakana {that a} methodology name on our inner End result object, $some_result->is_ok(), is equal to the extra verbose $some_result is ResultSuccess<_> typecheck.

We additionally use customized plugins to carry out type-aware migrations at pace throughout the complete codebase.

Constructing a plugin system for Rust just isn’t easy — our customized model of Hakana wraps the open-source core as a library, utilizing its plugin hooks the place mandatory — but it surely’s an necessary function for us.

Pace

Hakana was tailored from Psalm, a sort checker written in PHP. Whereas PHP is quick for an interpreted language, it could possibly’t compete with a compiled software. To research a codebase of Slack’s dimension — many thousands and thousands of strains of code — we wanted a software that’s as quick as doable.

Hakana, written in Rust, runs about 5x sooner than the PHP-based software on which it’s modeled.

We haven’t spent a lot time tuning efficiency, however when analyzing the total Slack codebase (about 5 million strains of code) efficiency is on par with the official Hack typechecker. That’s ok for us, for now.

Why open-source Hakana?

Hack form of seems to be like PHP however with extra varieties. In that respect it’s been in comparison with TypeScript. However not like TypeScript, which compiles right down to JavaScript, Hack requires its customers to alter lots of their server infrastructure too.

Attributable to that prime switching value, at present Hack is barely used at a number of corporations. It’s doable that no person else other than Slack could have a motive to make use of Hakana.

Even so, there are a number of explanation why we expect it’s value open-sourcing:

  • 🔍 The broader programming language group might have helpful enter — particularly on the subject of safety evaluation.
  • 🤝 Psalm, one other open-source software, was the premise for Hakana. By open-sourcing our personal software we’re returning the favor.
  • 🏢 Although it wouldn’t be straightforward, corporations with extraordinarily massive PHP codebases may contemplate forking Hakana and altering it to investigate PHP code.

Conclusion

Slack is an indispensable software for thousands and thousands around the globe. Hack is now an integral a part of Slack, and so we’ve created a software that we hope will turn out to be indispensable to our Hack builders. We’re open-sourcing it today with the hope that others will discover it helpful and fascinating.