psalm/docs/security_analysis/custom_taint_sources.md

# Custom Taint Sources

You can define your own taint sources with an annotation or a plugin.

## Taint source annotation

You can use the annotation `@psalm-taint-source <taint-type>` to indicate a function or method that provides user input.

In the below example the `input` taint type is specified as a standin for input taints as defined in [Psalm\Type\TaintKindGroup](https://github.com/vimeo/psalm/blob/master/src/Psalm/Type/TaintKindGroup.php).

```php
<?php
/**
 * @psalm-taint-source input
 */
function getQueryParam(string $name) : string {}
```

## Custom taint plugin

For example this plugin treats all variables named `$bad_data` as taint sources.

```php
<?php

namespace Some\Ns;

use PhpParser;
use Psalm\CodeLocation;
use Psalm\Context;
use Psalm\FileManipulation;
use Psalm\Plugin\EventHandler\AfterExpressionAnalysisInterface;
use Psalm\Plugin\EventHandler\Event\AfterExpressionAnalysisEvent;
use Psalm\Type\TaintKindGroup;

class BadSqlTainter implements AfterExpressionAnalysisInterface
{
    /**
     * Called after an expression has been checked
     *
     * @param  PhpParser\Node\Expr  $expr
     * @param  Context              $context
     * @param  FileManipulation[]   $file_replacements
     *
     * @return void
     */
    public static function afterExpressionAnalysis(AfterExpressionAnalysisEvent $event): ?bool {
        $expr = $event->getExpr();
        $statements_source = $event->getStatementsSource();
        $codebase = $event->getCodebase();
        if ($expr instanceof PhpParser\Node\Expr\Variable
            && $expr->name === 'bad_data'
        ) {
            $expr_type = $statements_source->getNodeTypeProvider()->getType($expr);

            // should be a globally unique id
            // you can use its line number/start offset
            $expr_identifier = '$bad_data'
                . '-' . $statements_source->getFileName()
                . ':' . $expr->getAttribute('startFilePos');

            if ($expr_type) {
                $codebase->addTaintSource(
                    $expr_type,
                    $expr_identifier,
                    TaintKindGroup::ALL_INPUT,
                    new CodeLocation($statements_source, $expr)
                );
            }
        }
        return null;
    }
}
```
Add taint docs 2020-06-19 17:56:04 +02:00			`# Custom Taint Sources`

Improve docs 2020-06-21 07:02:00 +02:00			`You can define your own taint sources with an annotation or a plugin.`

Fix #3610 - add security analysis documeentation 2020-06-22 06:18:15 +02:00			`## Taint source annotation`
Improve docs 2020-06-21 07:02:00 +02:00
			You can use the annotation `@psalm-taint-source <taint-type>` to indicate a function or method that provides user input.

Update documentation for taints and global configuration (#5098) * [DOCS] Extend documentation on global variables configuration * [DOCS] Synchronize meaning of @psalm-taint-source input with source code * [DOCS] Add documentation for conditional @psalm-taint-escape * [DOCS] Add documentation for @psalm-taint-unescape 2021-01-25 17:04:00 +01:00			In the below example the `input` taint type is specified as a standin for input taints as defined in [Psalm\Type\TaintKindGroup](https://github.com/vimeo/psalm/blob/master/src/Psalm/Type/TaintKindGroup.php).
Improve docs 2020-06-21 07:02:00 +02:00
			```php
[TASK] Update documentation (#5163) * [TASK] Fix code highlighting in documentation * [TASK] Document stubs.file.preloadClasses configuration 2021-02-07 04:04:44 +01:00			`<?php`
Improve docs 2020-06-21 07:02:00 +02:00			`/**`
			`* @psalm-taint-source input`
			`*/`
			`function getQueryParam(string $name) : string {}`
			```

			`## Custom taint plugin`
Add taint docs 2020-06-19 17:56:04 +02:00
			For example this plugin treats all variables named `$bad_data` as taint sources.

			```php
			`<?php`

			`namespace Some\Ns;`

			`use PhpParser;`
			`use Psalm\CodeLocation;`
			`use Psalm\Context;`
			`use Psalm\FileManipulation;`
implement DTO for plugins (#4881) * implement DTO for plugins * introduce EventHandler + reintroduce legacy API for plugins 2021-01-06 15:05:53 +01:00			`use Psalm\Plugin\EventHandler\AfterExpressionAnalysisInterface;`
			`use Psalm\Plugin\EventHandler\Event\AfterExpressionAnalysisEvent;`
Add taint docs 2020-06-19 17:56:04 +02:00			`use Psalm\Type\TaintKindGroup;`

			`class BadSqlTainter implements AfterExpressionAnalysisInterface`
			`{`
			`/**`
			`* Called after an expression has been checked`
			`*`
			`* @param PhpParser\Node\Expr $expr`
			`* @param Context $context`
			`* @param FileManipulation[] $file_replacements`
			`*`
			`* @return void`
			`*/`
implement DTO for plugins (#4881) * implement DTO for plugins * introduce EventHandler + reintroduce legacy API for plugins 2021-01-06 15:05:53 +01:00			`public static function afterExpressionAnalysis(AfterExpressionAnalysisEvent $event): ?bool {`
			`$expr = $event->getExpr();`
			`$statements_source = $event->getStatementsSource();`
			`$codebase = $event->getCodebase();`
Add taint docs 2020-06-19 17:56:04 +02:00			`if ($expr instanceof PhpParser\Node\Expr\Variable`
$expr->name is not prefixed with $ (#4554) The example as-is would currently not flag the following code: ``` public function foo() { $foo = $bad_data; \shell_exec($foo); } ``` Switching it to `bad_data` made it work. 2020-11-16 02:28:24 +01:00			`&& $expr->name === 'bad_data'`
Add taint docs 2020-06-19 17:56:04 +02:00			`) {`
			`$expr_type = $statements_source->getNodeTypeProvider()->getType($expr);`

			`// should be a globally unique id`
			`// you can use its line number/start offset`
			`$expr_identifier = '$bad_data'`
			`. '-' . $statements_source->getFileName()`
			`. ':' . $expr->getAttribute('startFilePos');`

			`if ($expr_type) {`
			`$codebase->addTaintSource(`
			`$expr_type,`
			`$expr_identifier,`
			`TaintKindGroup::ALL_INPUT,`
			`new CodeLocation($statements_source, $expr)`
			`);`
			`}`
			`}`
Fix return of BadSqlTainter::afterExpressionAnalysis() 2023-10-09 14:27:36 +02:00			`return null;`
Add taint docs 2020-06-19 17:56:04 +02:00			`}`
			`}`
			```