psalm/src/Psalm/Internal/Analyzer/Statements/EchoAnalyzer.php

<?php
namespace Psalm\Internal\Analyzer\Statements;

use PhpParser;
use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer;
use Psalm\Internal\Analyzer\Statements\Expression\Call\ArgumentAnalyzer;
use Psalm\Internal\Analyzer\StatementsAnalyzer;
use Psalm\Internal\Taint\Sink;
use Psalm\CodeLocation;
use Psalm\Context;
use Psalm\Issue\ForbiddenCode;
use Psalm\Issue\ForbiddenEcho;
use Psalm\Issue\ImpureFunctionCall;
use Psalm\IssueBuffer;
use Psalm\Storage\FunctionLikeParameter;
use Psalm\Type;

class EchoAnalyzer
{
    public static function analyze(
        StatementsAnalyzer $statements_analyzer,
        PhpParser\Node\Stmt\Echo_ $stmt,
        Context $context
    ) : bool {
        $echo_param = new FunctionLikeParameter(
            'var',
            false
        );

        $codebase = $statements_analyzer->getCodebase();

        foreach ($stmt->exprs as $i => $expr) {
            $context->inside_call = true;
            ExpressionAnalyzer::analyze($statements_analyzer, $expr, $context);
            $context->inside_call = false;

            if ($codebase->taint
                && $codebase->config->trackTaintsInPath($statements_analyzer->getFilePath())
            ) {
                $call_location = new CodeLocation($statements_analyzer->getSource(), $stmt);

                $echo_param_sink = Sink::getForMethodArgument(
                    'echo',
                    'echo',
                    (int) $i,
                    null,
                    $call_location
                );

                $echo_param_sink->taints = [
                    Type\TaintKind::INPUT_HTML,
                    Type\TaintKind::USER_SECRET,
                    Type\TaintKind::SYSTEM_SECRET
                ];

                $codebase->taint->addSink($echo_param_sink);
            }

            if ($expr_type = $statements_analyzer->node_data->getType($expr)) {
                if (ArgumentAnalyzer::verifyType(
                    $statements_analyzer,
                    $expr_type,
                    Type::getString(),
                    null,
                    'echo',
                    (int)$i,
                    new CodeLocation($statements_analyzer->getSource(), $expr),
                    $expr,
                    $context,
                    $echo_param,
                    false,
                    null,
                    true,
                    true,
                    new CodeLocation($statements_analyzer, $stmt)
                ) === false) {
                    return false;
                }
            }
        }

        if ($codebase->config->forbid_echo) {
            if (IssueBuffer::accepts(
                new ForbiddenEcho(
                    'Use of echo',
                    new CodeLocation($statements_analyzer, $stmt)
                ),
                $statements_analyzer->getSource()->getSuppressedIssues()
            )) {
                return false;
            }
        } elseif (isset($codebase->config->forbidden_functions['echo'])) {
            if (IssueBuffer::accepts(
                new ForbiddenCode(
                    'Use of echo',
                    new CodeLocation($statements_analyzer, $stmt)
                ),
                $statements_analyzer->getSource()->getSuppressedIssues()
            )) {
                // continue
            }
        }

        if (!$context->collect_initializations
            && !$context->collect_mutations
            && ($context->mutation_free
                || $context->external_mutation_free)
        ) {
            if (IssueBuffer::accepts(
                new ImpureFunctionCall(
                    'Cannot call echo from a mutation-free context',
                    new CodeLocation($statements_analyzer, $stmt)
                ),
                $statements_analyzer->getSuppressedIssues()
            )) {
                // fall through
            }
        }

        return true;
    }
}
Break up StatementsAnalyzer 2020-05-19 18:56:23 +02:00			`<?php`
			`namespace Psalm\Internal\Analyzer\Statements;`

			`use PhpParser;`
			`use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer;`
			`use Psalm\Internal\Analyzer\Statements\Expression\Call\ArgumentAnalyzer;`
			`use Psalm\Internal\Analyzer\StatementsAnalyzer;`
Add faster taint analysis 2020-05-22 04:47:58 +02:00			`use Psalm\Internal\Taint\Sink;`
Break up StatementsAnalyzer 2020-05-19 18:56:23 +02:00			`use Psalm\CodeLocation;`
			`use Psalm\Context;`
			`use Psalm\Issue\ForbiddenCode;`
			`use Psalm\Issue\ForbiddenEcho;`
			`use Psalm\Issue\ImpureFunctionCall;`
			`use Psalm\IssueBuffer;`
			`use Psalm\Storage\FunctionLikeParameter;`
			`use Psalm\Type;`

			`class EchoAnalyzer`
			`{`
			`public static function analyze(`
			`StatementsAnalyzer $statements_analyzer,`
			`PhpParser\Node\Stmt\Echo_ $stmt,`
			`Context $context`
			`) : bool {`
			`$echo_param = new FunctionLikeParameter(`
			`'var',`
			`false`
			`);`

Add faster taint analysis 2020-05-22 04:47:58 +02:00			`$codebase = $statements_analyzer->getCodebase();`
Break up StatementsAnalyzer 2020-05-19 18:56:23 +02:00
			`foreach ($stmt->exprs as $i => $expr) {`
			`$context->inside_call = true;`
			`ExpressionAnalyzer::analyze($statements_analyzer, $expr, $context);`
			`$context->inside_call = false;`

Allow limiting connected taint paths 2020-05-26 05:28:11 +02:00			`if ($codebase->taint`
			`&& $codebase->config->trackTaintsInPath($statements_analyzer->getFilePath())`
			`) {`
Add faster taint analysis 2020-05-22 04:47:58 +02:00			`$call_location = new CodeLocation($statements_analyzer->getSource(), $stmt);`

			`$echo_param_sink = Sink::getForMethodArgument(`
			`'echo',`
			`'echo',`
			`(int) $i,`
Add explicit path object 2020-06-22 08:10:03 +02:00			`null,`
Add faster taint analysis 2020-05-22 04:47:58 +02:00			`$call_location`
			`);`

			`$echo_param_sink->taints = [`
Simplify sink mapping for internal calls 2020-05-25 19:10:06 +02:00			`Type\TaintKind::INPUT_HTML,`
			`Type\TaintKind::USER_SECRET,`
			`Type\TaintKind::SYSTEM_SECRET`
Add faster taint analysis 2020-05-22 04:47:58 +02:00			`];`

			`$codebase->taint->addSink($echo_param_sink);`
			`}`

Break up StatementsAnalyzer 2020-05-19 18:56:23 +02:00			`if ($expr_type = $statements_analyzer->node_data->getType($expr)) {`
			`if (ArgumentAnalyzer::verifyType(`
			`$statements_analyzer,`
			`$expr_type,`
			`Type::getString(),`
			`null,`
			`'echo',`
			`(int)$i,`
			`new CodeLocation($statements_analyzer->getSource(), $expr),`
			`$expr,`
			`$context,`
			`$echo_param,`
			`false,`
			`null,`
Add faster taint analysis 2020-05-22 04:47:58 +02:00			`true,`
Break up StatementsAnalyzer 2020-05-19 18:56:23 +02:00			`true,`
			`new CodeLocation($statements_analyzer, $stmt)`
			`) === false) {`
			`return false;`
			`}`
			`}`
			`}`

			`if ($codebase->config->forbid_echo) {`
			`if (IssueBuffer::accepts(`
			`new ForbiddenEcho(`
			`'Use of echo',`
			`new CodeLocation($statements_analyzer, $stmt)`
			`),`
			`$statements_analyzer->getSource()->getSuppressedIssues()`
			`)) {`
			`return false;`
			`}`
			`} elseif (isset($codebase->config->forbidden_functions['echo'])) {`
			`if (IssueBuffer::accepts(`
			`new ForbiddenCode(`
			`'Use of echo',`
			`new CodeLocation($statements_analyzer, $stmt)`
			`),`
			`$statements_analyzer->getSource()->getSuppressedIssues()`
			`)) {`
			`// continue`
			`}`
			`}`

			`if (!$context->collect_initializations`
			`&& !$context->collect_mutations`
			`&& ($context->mutation_free`
			`\|\| $context->external_mutation_free)`
			`) {`
			`if (IssueBuffer::accepts(`
			`new ImpureFunctionCall(`
			`'Cannot call echo from a mutation-free context',`
			`new CodeLocation($statements_analyzer, $stmt)`
			`),`
			`$statements_analyzer->getSuppressedIssues()`
			`)) {`
			`// fall through`
			`}`
			`}`

			`return true;`
			`}`
			`}`