From 29e1fee5f5913549187cd1242068c9bbc765a394 Mon Sep 17 00:00:00 2001
From: Matt Brown <github@muglug.com>
Date: Sun, 21 Jun 2020 18:15:07 -0400
Subject: [PATCH] Add Taint Analysis test

---
 src/Stubs/DBFacade.stubphp             | 16 ++++++++++++
 src/Stubs/InteractsWithInput.stubphp   |  2 ++
 src/Stubs/QueryBuilder.phphp           | 24 +++++++++++++++++
 tests/acceptance/TaintAnalysis.feature | 36 ++++++++++++++++++++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 src/Stubs/DBFacade.stubphp
 create mode 100644 src/Stubs/QueryBuilder.phphp
 create mode 100644 tests/acceptance/TaintAnalysis.feature

diff --git a/src/Stubs/DBFacade.stubphp b/src/Stubs/DBFacade.stubphp
new file mode 100644
index 0000000..6cdaedd
--- /dev/null
+++ b/src/Stubs/DBFacade.stubphp
@@ -0,0 +1,16 @@
+<?php
+
+namespace Illuminate\Support\Facades;
+
+class DB extends Facade
+{
+	/**
+     * Create a raw database expression.
+     *
+     * @param  mixed  $value
+     * @return void
+     *
+     * @psalm-taint-sink sql $value
+     */
+    public function raw($value) {}
+}
\ No newline at end of file
diff --git a/src/Stubs/InteractsWithInput.stubphp b/src/Stubs/InteractsWithInput.stubphp
index 441069d..ef6833d 100644
--- a/src/Stubs/InteractsWithInput.stubphp
+++ b/src/Stubs/InteractsWithInput.stubphp
@@ -16,6 +16,8 @@ trait InteractsWithInput
      * @param  string|null  $key
      * @param  mixed  $default
      * @return mixed
+     *
+     * @psalm-taint-source input
      */
     public function input($key = null, $default = null) { }
 }
diff --git a/src/Stubs/QueryBuilder.phphp b/src/Stubs/QueryBuilder.phphp
new file mode 100644
index 0000000..081cba9
--- /dev/null
+++ b/src/Stubs/QueryBuilder.phphp
@@ -0,0 +1,24 @@
+<?php
+
+namespace Illuminate\Database\Query;
+
+use Illuminate\Contracts\Support\Arrayable;
+use Illuminate\Support\Traits\ForwardsCalls;
+use Illuminate\Support\Traits\Macroable;
+
+class Builder
+{
+    use BuildsQueries, ForwardsCalls, Macroable {
+        __call as macroCall;
+    }
+
+    /**
+     * Create a raw database expression.
+     *
+     * @param  mixed  $value
+     * @return \Illuminate\Database\Query\Expression
+     *
+     * @psalm-taint-sink sql $value
+     */
+    public function raw($value) {}
+}
diff --git a/tests/acceptance/TaintAnalysis.feature b/tests/acceptance/TaintAnalysis.feature
new file mode 100644
index 0000000..bb61ad9
--- /dev/null
+++ b/tests/acceptance/TaintAnalysis.feature
@@ -0,0 +1,36 @@
+Feature: taint
+  Want to check that taint analysis works properly
+
+  Background:
+    Given I have the following config
+      """
+      <?xml version="1.0"?>
+      <psalm totallyTyped="false">
+        <projectFiles>
+          <directory name="."/>
+          <ignoreFiles> <directory name="../../vendor"/> </ignoreFiles>
+        </projectFiles>
+        <plugins>
+          <pluginClass class="Psalm\LaravelPlugin\Plugin"/>
+        </plugins>
+      </psalm>
+      """
+
+  Scenario: input returns various types
+    Given I have the following code
+    """
+    <?php declare(strict_types=1);
+
+    namespace Tests\Psalm\LaravelPlugin\Sandbox;
+
+    use \Illuminate\Http\Request;
+    use Illuminate\Support\Facades\DB;
+
+    function test(Request $request): void {
+      $input = $request->input('foo', false);
+      DB::raw($input);
+    }
+    """
+    When I run Psalm with taint analysis
+    Then I see these errors
+      | TaintedInput | Detected tainted sql in path: Illuminate\Http\Request::input (/Users/brownma/Desktop/git/laravel-psalm-plugin/src/Stubs/InteractsWithInput.stubphp:22:21) -> $input (somefile.php:9:3) -> Illuminate\Support\Facades\DB::raw#1 (/Users/brownma/Desktop/git/laravel-psalm-plugin/src/Stubs/DBFacade.stubphp:15:25) |