Add rule to detect Symfony\Component\Yaml\Yaml::parse() usage (#978)

* Add rule to detect Symfony\Component\Yaml\Yaml::parse() usage

Flags direct calls to Symfony's YAML parser and suggests
\Drupal\Component\Serialization\Yaml::decode() instead, which respects
the yaml_parser_class setting in Drupal's settings.php.

Closes #642

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix rule message: yaml_parser_class is no longer a Drupal setting

The actual benefit of Drupal\Component\Serialization\Yaml::decode() over
Symfony\Component\Yaml\Yaml::parse() is consistent exception handling
(InvalidDataTypeException) and correct parse flags.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Make SymfonyYamlParseRule opt-in via drupal.rules.symfonyYamlParseRule

Follows the same pattern as all other rules in this package: disabled
by default, enabled in bleedingEdge.neon.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Use Scope::resolveName() to handle all Name node variants

Handles both FullyQualified and plain Name nodes (from use imports),
making the class name resolution explicit rather than relying on the
NameResolver having already run.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mglaman

bleedingEdge.neon

@@ -12,3 +12,4 @@ parameters:
 			hookRules: true
 			loggerFromFactoryPropertyAssignmentRule: true
 			entityStorageDirectInjectionRule: true
+			symfonyYamlParseRule: true

extension.neon

@@ -37,6 +37,7 @@ parameters:
 			hookRules: false
 			loggerFromFactoryPropertyAssignmentRule: false
 			entityStorageDirectInjectionRule: false
+			symfonyYamlParseRule: false
 		entityMapping:
 			aggregator_feed:
 				class: Drupal\aggregator\Entity\Feed
@@ -275,6 +276,7 @@ parametersSchema:
 			hookRules: boolean()
 			loggerFromFactoryPropertyAssignmentRule: boolean()
 			entityStorageDirectInjectionRule: boolean()
+			symfonyYamlParseRule: boolean()
 		])
 		entityMapping: arrayOf(anyOf(
 			structure([

rules.neon

@@ -34,6 +34,8 @@ conditionalTags:
 		phpstan.rules.rule: %drupal.rules.entityStorageDirectInjectionRule%
 	mglaman\PHPStanDrupal\Rules\Drupal\EntityStoragePropertyAssignmentRule:
 		phpstan.rules.rule: %drupal.rules.entityStorageDirectInjectionRule%
+	mglaman\PHPStanDrupal\Rules\Drupal\SymfonyYamlParseRule:
+		phpstan.rules.rule: %drupal.rules.symfonyYamlParseRule%
 
 services:
 	-
@@ -58,3 +60,5 @@ services:
 		class: mglaman\PHPStanDrupal\Rules\Drupal\EntityStorageDirectInjectionRule
 	-
 		class: mglaman\PHPStanDrupal\Rules\Drupal\EntityStoragePropertyAssignmentRule
+	-
+		class: mglaman\PHPStanDrupal\Rules\Drupal\SymfonyYamlParseRule

src/Rules/Drupal/SymfonyYamlParseRule.php

@@ -0,0 +1,54 @@
+<?php declare(strict_types=1);
+
+namespace mglaman\PHPStanDrupal\Rules\Drupal;
+
+use PhpParser\Node;
+use PhpParser\Node\Expr\StaticCall;
+use PHPStan\Analyser\Scope;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+
+/**
+ * Detects direct usage of Symfony's YAML parser and suggests the Drupal wrapper.
+ *
+ * Drupal\Component\Serialization\Yaml::decode() should be used instead of
+ * Symfony\Component\Yaml\Yaml::parse() because it wraps exceptions as
+ * InvalidDataTypeException and applies consistent parse flags.
+ *
+ * @implements Rule<StaticCall>
+ */
+class SymfonyYamlParseRule implements Rule
+{
+    public function getNodeType(): string
+    {
+        return StaticCall::class;
+    }
+
+    public function processNode(Node $node, Scope $scope): array
+    {
+        if (!($node->class instanceof Node\Name)) {
+            return [];
+        }
+
+        $className = $scope->resolveName($node->class);
+        if ($className !== 'Symfony\Component\Yaml\Yaml') {
+            return [];
+        }
+
+        if (!($node->name instanceof Node\Identifier)) {
+            return [];
+        }
+
+        if ((string) $node->name !== 'parse') {
+            return [];
+        }
+
+        return [
+            RuleErrorBuilder::message(
+                'Avoid calling Symfony\Component\Yaml\Yaml::parse() directly. Use \Drupal\Component\Serialization\Yaml::decode() instead, which handles exceptions consistently and applies the correct parse flags.'
+            )
+            ->identifier('drupal.symfonyYamlParse')
+            ->build(),
+        ];
+    }
+}

tests/src/Rules/SymfonyYamlParseRuleTest.php

@@ -0,0 +1,31 @@
+<?php declare(strict_types=1);
+
+namespace mglaman\PHPStanDrupal\Tests\Rules;
+
+use mglaman\PHPStanDrupal\Rules\Drupal\SymfonyYamlParseRule;
+use mglaman\PHPStanDrupal\Tests\DrupalRuleTestCase;
+
+final class SymfonyYamlParseRuleTest extends DrupalRuleTestCase
+{
+    protected function getRule(): \PHPStan\Rules\Rule
+    {
+        return new SymfonyYamlParseRule();
+    }
+
+    public function testRule(): void
+    {
+        $this->analyse(
+            [__DIR__ . '/data/symfony-yaml-parse.php'],
+            [
+                [
+                    'Avoid calling Symfony\Component\Yaml\Yaml::parse() directly. Use \Drupal\Component\Serialization\Yaml::decode() instead, which handles exceptions consistently and applies the correct parse flags.',
+                    6,
+                ],
+                [
+                    'Avoid calling Symfony\Component\Yaml\Yaml::parse() directly. Use \Drupal\Component\Serialization\Yaml::decode() instead, which handles exceptions consistently and applies the correct parse flags.',
+                    9,
+                ],
+            ]
+        );
+    }
+}

tests/src/Rules/data/symfony-yaml-parse.php

@@ -0,0 +1,12 @@
+<?php
+
+use Symfony\Component\Yaml\Yaml;
+
+// Direct call — should be flagged.
+$data = Yaml::parse('foo: bar');
+
+// Fully-qualified call — should be flagged.
+$data = \Symfony\Component\Yaml\Yaml::parse('foo: bar');
+
+// Drupal's wrapper — should not be flagged.
+$data = \Drupal\Component\Serialization\Yaml::decode('foo: bar');