Slack, the popular team communication and collaboration platform, has recently open-sourced its 'Hakana' type checker, a tool they created for internal use.
This move comes at a time when a good deal of proprietary software is being open-sourced.
In simpler terms, Hakana is a tool that type-checks Hack code by running several kinds of static analysis over it.
Currently, Slack uses it to detect issues in their Hack code; they migrated from PHP to Hack in 2016, citing various inconsistencies with PHP.
Some of Hakana's abilities include:
- Catches unused functions and private methods.
- Catches unused assignments inside closures.
- Detects impossible and redundant type checks.
- Warns about potential SQL injection and cross-site scripting vulnerabilities.
- Prevents misuse of internal Slack APIs (via plugin hooks).
Slack describes further use cases:
We also use Hakana to automate type-aware API migrations (again via plugin hooks) and to delete unused functions in bulk. Thanks to Rust, those whole-codebase migrations are relatively quick.
Furthermore, Hakana tracks how data moves between functions in a codebase (taint analysis) and tries to verify whether any attacker-controlled data ends up in places it shouldn't, such as a database query or HTML output.
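To make that kind of analysis concrete, here is an added example (not Hakana's code, and written in Python rather than Hack) of a minimal interprocedural taint tracker: it walks a constructed toy program in which attacker-controlled input flows from a source through function calls, and reports a finding only when the data reaches a sensitive sink without passing through a sanitizer. The statement shapes, function names and the sample program are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed toy IR. Statements, as tuples:
#   ("source", dst)               dst = attacker-controlled input (e.g. a request parameter)
#   ("assign", dst, src)          dst = src                  (taint is copied)
#   ("sanitize", dst, src)        dst = escape(src)          (taint is dropped)
#   ("call", dst, callee, args)   dst = callee(*args)        (analysed interprocedurally)
#   ("sink", kind, src)           src reaches a sensitive operation (SQL, HTML)
#   ("return", src)
@dataclass
class Func:
    params: list
    body: list

def analyze(prog, name, tainted_args, findings, path):
    """Propagate taint through one function; returns True if its return value is tainted."""
    if path.count(name) > 1:          # recursive call: do not re-enter (terminates, but unsound)
        return False
    fn = prog[name]
    tainted = {p for p, t in zip(fn.params, tainted_args) if t}
    ret_tainted = False
    for st in fn.body:
        op = st[0]
        if op == "source":
            tainted.add(st[1])
        elif op in ("assign", "sanitize"):
            dst, src = st[1], st[2]
            tainted.discard(dst)
            if op == "assign" and src in tainted:
                tainted.add(dst)
        elif op == "call":
            dst, callee, args = st[1], st[2], st[3]
            tainted.discard(dst)
            # the callee's return value is tainted only if tainted input reaches its return
            if analyze(prog, callee, [a in tainted for a in args], findings, path + [callee]):
                tainted.add(dst)
        elif op == "sink":
            if st[2] in tainted:
                findings.append((st[1], st[2], " -> ".join(path)))
        elif op == "return":
            ret_tainted = st[1] in tainted
    return ret_tainted

def find_taint_flows(prog, entry="main"):
    """Return (sink kind, variable, call path) for every unsanitized source-to-sink flow."""
    findings = []
    analyze(prog, entry, [], findings, [entry])
    return findings

PROGRAM = {  # constructed sample: the HTML sink is sanitized, the SQL sink is not
    "main": Func([], [("source", "q"), ("call", "name", "lookup_name", ["q"]),
                      ("call", "safe", "escape_html", ["name"]), ("sink", "html", "safe"),
                      ("call", "sql", "build_query", ["q"])]),
    "lookup_name": Func(["id"], [("assign", "row", "id"), ("return", "row")]),
    "escape_html": Func(["s"], [("sanitize", "out", "s"), ("return", "out")]),
    "build_query": Func(["id"], [("assign", "qs", "id"), ("sink", "sql", "qs"), ("return", "qs")]),
}
```

Running `find_taint_flows(PROGRAM)` reports the SQL sink inside `build_query` with the call path `main -> build_query`, while the HTML sink stays silent because `escape_html` dropped the taint.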
Slack lists a couple of reasons why they decided to open-source Hakana:
- The broader programming language community may be able to help, especially in the case of security analysis.
- This serves to repay the favor to Psalm, the tool on which Hakana is based.
- They expect companies with massive PHP codebases to benefit from Hakana by forking and altering it to suit their needs.
I suggest you go through the announcement blog if you are interested in learning more about the technical bits of Hakana.