Add Taint Analysis test

2024-11-26 20:34:48 +01:00 · 2020-06-21 18:15:07 -04:00 · 2020-06-21 18:15:07 -04:00 · 29e1fee5f5
commit 29e1fee5f5
parent 9a5cdb49c6
4 changed files with 78 additions and 0 deletions
--- a/src/Stubs/DBFacade.stubphp
+++ b/src/Stubs/DBFacade.stubphp
@ -0,0 +1,16 @@
+<?php
+
+namespace Illuminate\Support\Facades;
+
+class DB extends Facade
+{
+	/**
+     * Create a raw database expression.
+     *
+     * @param  mixed  $value
+     * @return void
+     *
+     * @psalm-taint-sink sql $value
+     */
+    public function raw($value) {}
+}
--- a/src/Stubs/InteractsWithInput.stubphp
+++ b/src/Stubs/InteractsWithInput.stubphp
@ -16,6 +16,8 @@ trait InteractsWithInput
     * @param  string|null  $key
     * @param  mixed  $default
     * @return mixed
+     *
+     * @psalm-taint-source input
     */
    public function input($key = null, $default = null) { }
 }
--- a/src/Stubs/QueryBuilder.phphp
+++ b/src/Stubs/QueryBuilder.phphp
@ -0,0 +1,24 @@
+<?php
+
+namespace Illuminate\Database\Query;
+
+use Illuminate\Contracts\Support\Arrayable;
+use Illuminate\Support\Traits\ForwardsCalls;
+use Illuminate\Support\Traits\Macroable;
+
+class Builder
+{
+    use BuildsQueries, ForwardsCalls, Macroable {
+        __call as macroCall;
+    }
+
+    /**
+     * Create a raw database expression.
+     *
+     * @param  mixed  $value
+     * @return \Illuminate\Database\Query\Expression
+     *
+     * @psalm-taint-sink sql $value
+     */
+    public function raw($value) {}
+}
--- a/tests/acceptance/TaintAnalysis.feature
+++ b/tests/acceptance/TaintAnalysis.feature
@ -0,0 +1,36 @@
+Feature: taint
+  Want to check that taint analysis works properly
+
+  Background:
+    Given I have the following config
+      """
+      <?xml version="1.0"?>
+      <psalm totallyTyped="false">
+        <projectFiles>
+          <directory name="."/>
+          <ignoreFiles> <directory name="../../vendor"/> </ignoreFiles>
+        </projectFiles>
+        <plugins>
+          <pluginClass class="Psalm\LaravelPlugin\Plugin"/>
+        </plugins>
+      </psalm>
+      """
+
+  Scenario: input returns various types
+    Given I have the following code
+    """
+    <?php declare(strict_types=1);
+
+    namespace Tests\Psalm\LaravelPlugin\Sandbox;
+
+    use \Illuminate\Http\Request;
+    use Illuminate\Support\Facades\DB;
+
+    function test(Request $request): void {
+      $input = $request->input('foo', false);
+      DB::raw($input);
+    }
+    """
+    When I run Psalm with taint analysis
+    Then I see these errors
+      | TaintedInput | Detected tainted sql in path: Illuminate\Http\Request::input (/Users/brownma/Desktop/git/laravel-psalm-plugin/src/Stubs/InteractsWithInput.stubphp:22:21) -> $input (somefile.php:9:3) -> Illuminate\Support\Facades\DB::raw#1 (/Users/brownma/Desktop/git/laravel-psalm-plugin/src/Stubs/DBFacade.stubphp:15:25) |