2019-08-04 16:37:36 +02:00
|
|
|
<?php
|
|
|
|
namespace Psalm\Tests;
|
|
|
|
|
|
|
|
use Psalm\Config;
|
|
|
|
use Psalm\Context;
|
|
|
|
|
|
|
|
class TaintTest extends TestCase
|
|
|
|
{
|
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @dataProvider providerValidCodeParse
|
|
|
|
*
|
|
|
|
* @param string $code
|
|
|
|
*
|
2019-08-04 16:37:36 +02:00
|
|
|
* @return void
|
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
public function testValidCode(string $code)
|
2019-08-04 16:37:36 +02:00
|
|
|
{
|
2020-06-25 00:28:21 +02:00
|
|
|
$test_name = $this->getTestName();
|
|
|
|
if (\strpos($test_name, 'SKIPPED-') !== false) {
|
|
|
|
$this->markTestSkipped('Skipped due to a bug.');
|
|
|
|
}
|
2020-05-23 05:53:37 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$file_path = self::$src_dir_path . 'somefile.php';
|
2020-05-23 06:03:29 +02:00
|
|
|
|
|
|
|
$this->addFile(
|
2020-06-25 00:28:21 +02:00
|
|
|
$file_path,
|
|
|
|
$code
|
2020-05-23 06:03:29 +02:00
|
|
|
);
|
|
|
|
|
2019-08-05 16:21:23 +02:00
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$this->analyzeFile($file_path, new Context(), false);
|
2019-08-05 16:21:23 +02:00
|
|
|
}
|
|
|
|
|
2020-06-19 00:48:19 +02:00
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @dataProvider providerInvalidCodeParse
|
|
|
|
*
|
|
|
|
* @param string $code
|
|
|
|
* @param string $error_message
|
|
|
|
*
|
2020-06-19 00:48:19 +02:00
|
|
|
* @return void
|
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
public function testInvalidCode(string $code, string $error_message)
|
2020-06-19 00:48:19 +02:00
|
|
|
{
|
2020-06-25 00:28:21 +02:00
|
|
|
if (\strpos($this->getTestName(), 'SKIPPED-') !== false) {
|
|
|
|
$this->markTestSkipped();
|
|
|
|
}
|
2020-06-19 00:48:19 +02:00
|
|
|
|
|
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
2020-06-25 00:28:21 +02:00
|
|
|
$this->expectExceptionMessageRegExp('/\b' . \preg_quote($error_message, '/') . '\b/');
|
2020-06-19 00:48:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$file_path = self::$src_dir_path . 'somefile.php';
|
2020-06-19 00:48:19 +02:00
|
|
|
|
|
|
|
$this->addFile(
|
2020-06-25 00:28:21 +02:00
|
|
|
$file_path,
|
|
|
|
$code
|
2020-06-19 00:48:19 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$this->analyzeFile($file_path, new Context(), false);
|
2020-06-19 00:48:19 +02:00
|
|
|
}
|
|
|
|
|
2019-08-04 16:37:36 +02:00
|
|
|
/**
|
2020-06-25 00:33:09 +02:00
|
|
|
* @return array<string, array{string}>
|
2019-08-04 16:37:36 +02:00
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
public function providerValidCodeParse()
|
2019-08-04 16:37:36 +02:00
|
|
|
{
|
2020-06-25 00:28:21 +02:00
|
|
|
return [
|
|
|
|
'taintedInputInCreatedArrayNotEchoed' => [
|
|
|
|
'<?php
|
|
|
|
$name = $_GET["name"] ?? "unknown";
|
|
|
|
$id = (int) $_GET["id"];
|
|
|
|
|
|
|
|
$data = ["name" => $name, "id" => $id];
|
|
|
|
|
|
|
|
echo "<h1>" . htmlentities($data["name"]) . "</h1>";
|
|
|
|
echo "<p>" . $data["id"] . "</p>";'
|
|
|
|
],
|
|
|
|
'taintedInputInAssignedArrayNotEchoed' => [
|
|
|
|
'<?php
|
|
|
|
$name = $_GET["name"] ?? "unknown";
|
|
|
|
$id = (int) $_GET["id"];
|
|
|
|
|
|
|
|
$data = [];
|
|
|
|
$data["name"] = $name;
|
|
|
|
$data["id"] = $id;
|
|
|
|
|
|
|
|
echo "<h1>" . htmlentities($data["name"]) . "</h1>";
|
|
|
|
echo "<p>" . $data["id"] . "</p>";'
|
|
|
|
],
|
|
|
|
'taintedInputDirectlySuppressed' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
|
|
/** @psalm-taint-escape sql */
|
|
|
|
$userId = (string) $_GET["user_id"];
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintedInputDirectlySuppressedWithOtherUse' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function deleteUser(PDOWrapper $pdo) : void {
|
|
|
|
/**
|
|
|
|
* @psalm-taint-escape sql
|
|
|
|
*/
|
|
|
|
$userId = (string) $_GET["user_id"];
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUserSafer(PDOWrapper $pdo) : void {
|
|
|
|
$userId = $this->getSafeId();
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getSafeId() : string {
|
|
|
|
return "5";
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class PDOWrapper {
|
2020-05-22 04:47:58 +02:00
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @psalm-taint-sink sql $sql
|
2020-05-22 04:47:58 +02:00
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
public function exec(string $sql) : void {}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintedInputToParamButSafe' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId(PDO $pdo) : void {
|
|
|
|
$this->deleteUser(
|
|
|
|
$pdo,
|
|
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
|
|
);
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
|
|
return "aaa" . $user_id;
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$userId2 = strlen($userId);
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId2);
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'ValidatedInputFromParam' => [
|
|
|
|
'<?php
|
2019-08-04 16:37:36 +02:00
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @psalm-assert-untainted $userId
|
2019-08-04 16:37:36 +02:00
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
function validateUserId(string $userId) : void {
|
|
|
|
if (!is_numeric($userId)) {
|
|
|
|
throw new \Exception("bad");
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class A {
|
|
|
|
public function getUserId() : string {
|
|
|
|
return (string) $_GET["user_id"];
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
|
|
$userId = $this->getUserId();
|
|
|
|
validateUserId($userId);
|
|
|
|
$this->deleteUser($pdo, $userId);
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'untaintedInput' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId() : int {
|
|
|
|
return (int) $_GET["user_id"];
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->getUserId();
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'specializedCoreFunctionCall' => [
|
|
|
|
'<?php
|
|
|
|
$a = (string) $_GET["user_id"];
|
|
|
|
|
|
|
|
echo print_r([], true);
|
|
|
|
|
|
|
|
$b = print_r($a, true);'
|
|
|
|
],
|
|
|
|
'untaintedInputViaStaticFunctionWithSafePath' => [
|
|
|
|
'<?php
|
|
|
|
class Utils {
|
|
|
|
/**
|
|
|
|
* @psalm-pure
|
|
|
|
*/
|
|
|
|
public static function shorten(string $str) : string {
|
|
|
|
return $str;
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class A {
|
|
|
|
public function foo() : void {
|
|
|
|
echo(htmlentities(Utils::shorten((string) $_GET["user_id"])));
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function bar() : void {
|
|
|
|
echo(Utils::shorten("hello"));
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintHtmlEntities' => [
|
|
|
|
'<?php
|
|
|
|
function foo() : void {
|
|
|
|
$a = htmlentities((string) $_GET["bad"]);
|
|
|
|
echo $a;
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintOnStrReplaceCallRemovedInFunction' => [
|
|
|
|
'<?php
|
|
|
|
class U {
|
|
|
|
/**
|
|
|
|
* @psalm-pure
|
|
|
|
* @psalm-taint-escape html
|
|
|
|
*/
|
|
|
|
public static function shorten(string $s) : string {
|
|
|
|
return str_replace("foo", "bar", $s);
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V {}
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O1 {
|
|
|
|
public string $s;
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->s = (string) $_GET["FOO"];
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 extends V {
|
|
|
|
public function foo(O1 $o) : void {
|
|
|
|
echo U::shorten($o->s);
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintOnPregReplaceCallRemovedInFunction' => [
|
|
|
|
'<?php
|
|
|
|
class U {
|
|
|
|
/**
|
|
|
|
* @psalm-pure
|
|
|
|
*/
|
|
|
|
public static function shorten(string $s) : string {
|
|
|
|
return preg_replace("/[^_a-z\/\.A-Z0-9]/", "bar", $s);
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V {}
|
|
|
|
|
|
|
|
class O1 {
|
|
|
|
public string $s;
|
2019-08-04 16:37:36 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->s = (string) $_GET["FOO"];
|
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 extends V {
|
|
|
|
public function foo(O1 $o) : void {
|
|
|
|
echo U::shorten($o->s);
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|
2020-06-25 00:28:21 +02:00
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintOnStrReplaceCallRemovedInline' => [
|
|
|
|
'<?php
|
|
|
|
class V {}
|
2019-10-12 05:28:17 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O1 {
|
|
|
|
public string $s;
|
2019-10-14 23:10:30 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->s = (string) $_GET["FOO"];
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 extends V {
|
|
|
|
public function foo(O1 $o) : void {
|
|
|
|
/**
|
|
|
|
* @psalm-taint-escape html
|
|
|
|
*/
|
|
|
|
$a = str_replace("foo", "bar", $o->s);
|
|
|
|
echo $a;
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'NoTaintsOnSimilarPureCall' => [
|
|
|
|
'<?php
|
|
|
|
class U {
|
|
|
|
/** @psalm-pure */
|
|
|
|
public static function shorten(string $s) : string {
|
|
|
|
return substr($s, 0, 15);
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
/** @psalm-pure */
|
|
|
|
public static function escape(string $s) : string {
|
|
|
|
return htmlentities($s);
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O1 {
|
|
|
|
public string $s;
|
|
|
|
|
|
|
|
public function __construct(string $s) {
|
|
|
|
$this->s = $s;
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O2 {
|
|
|
|
public string $t;
|
2019-10-14 23:10:30 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->t = (string) $_GET["FOO"];
|
|
|
|
}
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 {
|
|
|
|
public function foo() : void {
|
|
|
|
$o = new O1((string) $_GET["FOO"]);
|
|
|
|
echo U::escape(U::shorten($o->s));
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V2 {
|
|
|
|
public function foo(O2 $o) : void {
|
|
|
|
echo U::shorten(U::escape($o->t));
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
],
|
|
|
|
'taintPropertyPassingObjectWithDifferentValue' => [
|
|
|
|
'<?phps
|
|
|
|
/** @psalm-immutable */
|
|
|
|
class User {
|
|
|
|
public string $id;
|
|
|
|
public $name = "Luke";
|
|
|
|
|
|
|
|
public function __construct(string $userId) {
|
|
|
|
$this->id = $userId;
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class UserUpdater {
|
|
|
|
public static function doDelete(PDO $pdo, User $user) : void {
|
|
|
|
self::deleteUser($pdo, $user->name);
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public static function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$userObj = new User((string) $_GET["user_id"]);
|
|
|
|
UserUpdater::doDelete(new PDO(), $userObj);'
|
|
|
|
],
|
|
|
|
'taintPropertyWithoutPassingObject' => [
|
|
|
|
'<?phps
|
|
|
|
/** @psalm-immutable */
|
|
|
|
class User {
|
|
|
|
public string $id;
|
2019-10-14 23:10:30 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct(string $userId) {
|
|
|
|
$this->id = $userId;
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class UserUpdater {
|
|
|
|
public static function doDelete(PDO $pdo, User $user) : void {
|
|
|
|
self::deleteUser($pdo, $user->id);
|
|
|
|
}
|
|
|
|
|
|
|
|
public static function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$userObj = new User((string) $_GET["user_id"]);',
|
|
|
|
],
|
|
|
|
'specializeStaticMethod' => [
|
|
|
|
'<?php
|
|
|
|
StringUtility::foo($_GET["c"]);
|
|
|
|
|
|
|
|
class StringUtility {
|
|
|
|
/**
|
|
|
|
* @psalm-taint-specialize
|
|
|
|
*/
|
|
|
|
public static function foo(string $str) : string
|
|
|
|
{
|
|
|
|
return $str;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @psalm-taint-specialize
|
|
|
|
*/
|
|
|
|
public static function slugify(string $url) : string {
|
|
|
|
return self::foo($url);
|
|
|
|
}
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
echo StringUtility::slugify("hello");'
|
|
|
|
],
|
|
|
|
];
|
2019-10-14 23:10:30 +02:00
|
|
|
}
|
2020-05-25 23:10:53 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
/**
|
2020-06-25 00:33:09 +02:00
|
|
|
* @return array<string, array{0: string, error_message: string}>
|
2020-06-25 00:28:21 +02:00
|
|
|
*/
|
|
|
|
public function providerInvalidCodeParse()
|
2020-05-25 23:10:53 +02:00
|
|
|
{
|
2020-06-25 00:28:21 +02:00
|
|
|
return [
|
|
|
|
'taintedInputFromMethodReturnTypeSimple' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId() : string {
|
|
|
|
return (string) $_GET["user_id"];
|
|
|
|
}
|
2020-05-25 23:10:53 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->getUserId();
|
|
|
|
}
|
2020-05-25 23:10:53 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromFunctionReturnType' => [
|
|
|
|
'<?php
|
|
|
|
function getName() : string {
|
|
|
|
return $_GET["name"] ?? "unknown";
|
|
|
|
}
|
|
|
|
|
|
|
|
echo getName();',
|
|
|
|
'error_message' => 'TaintedInput - src/somefile.php:6:26 - Detected tainted html in path: $_GET -> $_GET[\'name\'] (src/somefile.php:3:32) -> getname (src/somefile.php:6:26) -> call to echo (src/somefile.php:6:26) -> echo#1',
|
|
|
|
],
|
|
|
|
'taintedInputFromExplicitTaintSource' => [
|
|
|
|
'<?php
|
2020-05-25 23:10:53 +02:00
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @psalm-taint-source input
|
2020-05-25 23:10:53 +02:00
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
function getName() : string {
|
|
|
|
return "";
|
|
|
|
}
|
2020-05-25 23:10:53 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
echo getName();',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromExplicitTaintSourceStaticMethod' => [
|
|
|
|
'<?php
|
|
|
|
class Request {
|
|
|
|
/**
|
|
|
|
* @psalm-taint-source input
|
|
|
|
*/
|
|
|
|
public static function getName() : string {
|
|
|
|
return "";
|
2020-05-25 23:10:53 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
echo Request::getName();',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromGetArray' => [
|
|
|
|
'<?php
|
|
|
|
function getName(array $data) : string {
|
|
|
|
return $data["name"] ?? "unknown";
|
|
|
|
}
|
|
|
|
|
|
|
|
$name = getName($_GET);
|
|
|
|
|
|
|
|
echo $name;',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromReturnToInclude' => [
|
|
|
|
'<?php
|
|
|
|
$a = (string) $_GET["file"];
|
|
|
|
$b = "hello" . $a;
|
|
|
|
include str_replace("a", "b", $b);',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromReturnToEval' => [
|
|
|
|
'<?php
|
|
|
|
$a = $_GET["file"];
|
|
|
|
eval("<?php" . $a);',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromReturnTypeToEcho' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId() : string {
|
|
|
|
return (string) $_GET["user_id"];
|
2020-05-25 23:10:53 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->getUserId();
|
2020-05-25 23:10:53 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
echo $userId;
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputInCreatedArrayIsEchoed' => [
|
|
|
|
'<?php
|
|
|
|
$name = $_GET["name"] ?? "unknown";
|
|
|
|
|
|
|
|
$data = ["name" => $name];
|
|
|
|
|
|
|
|
echo "<h1>" . $data["name"] . "</h1>";',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'testTaintedInputInAssignedArrayIsEchoed' => [
|
|
|
|
'<?php
|
|
|
|
$name = $_GET["name"] ?? "unknown";
|
|
|
|
|
|
|
|
$data = [];
|
|
|
|
$data["name"] = $name;
|
|
|
|
|
|
|
|
echo "<h1>" . $data["name"] . "</h1>";',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputDirectly' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
|
|
$userId = (string) $_GET["user_id"];
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromReturnTypeWithBranch' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId() : string {
|
|
|
|
return (string) $_GET["user_id"];
|
2020-05-25 23:10:53 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
$userId = $this->getUserId();
|
2020-05-25 23:10:53 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
if (rand(0, 1)) {
|
|
|
|
$userId .= "aaa";
|
|
|
|
} else {
|
|
|
|
$userId .= "bb";
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
return $userId;
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'sinkAnnotation' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId() : string {
|
|
|
|
return (string) $_GET["user_id"];
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->getUserId();
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDOWrapper $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class PDOWrapper {
|
|
|
|
/**
|
|
|
|
* @psalm-taint-sink sql $sql
|
|
|
|
*/
|
|
|
|
public function exec(string $sql) : void {}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromParam' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId() : string {
|
|
|
|
return (string) $_GET["user_id"];
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->getUserId();
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$this->deleteUser($pdo, $userId);
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput - src/somefile.php:17:40 - Detected tainted sql in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:4:45) -> A::getUserId (src/somefile.php:3:55) -> concat (src/somefile.php:8:36) -> A::getAppendedUserId (src/somefile.php:7:63) -> $userId (src/somefile.php:12:29) -> call to A::deleteUser (src/somefile.php:13:53) -> A::deleteUser#2 (src/somefile.php:16:69) -> concat (src/somefile.php:17:40) -> call to PDO::exec (src/somefile.php:17:40) -> PDO::exec#1',
|
|
|
|
],
|
|
|
|
'taintedInputToParam' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId(PDO $pdo) : void {
|
|
|
|
$this->deleteUser(
|
|
|
|
$pdo,
|
|
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
|
|
);
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
|
|
return "aaa" . $user_id;
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputToParamAfterAssignment' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId(PDO $pdo) : void {
|
|
|
|
$this->deleteUser(
|
|
|
|
$pdo,
|
|
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
|
|
);
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
|
|
return "aaa" . $user_id;
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$userId2 = $userId;
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId2);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputToParamAlternatePath' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function getUserId(PDO $pdo) : void {
|
|
|
|
$this->deleteUser(
|
|
|
|
$pdo,
|
|
|
|
self::doFoo(),
|
|
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
|
|
);
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
|
|
return "aaa" . $user_id;
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public static function doFoo() : string {
|
|
|
|
return "hello";
|
|
|
|
}
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId, string $userId2) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
2020-06-19 07:59:45 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
if (rand(0, 1)) {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId2);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput - src/somefile.php:23:44 - Detected tainted sql in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:7:67) -> call to A::getAppendedUserId (src/somefile.php:7:58) -> A::getAppendedUserId#1 (src/somefile.php:11:66) -> concat (src/somefile.php:12:36) -> A::getAppendedUserId (src/somefile.php:11:41) -> call to A::deleteUser (src/somefile.php:7:33) -> A::deleteUser#3 (src/somefile.php:19:85) -> concat (src/somefile.php:23:44) -> call to PDO::exec (src/somefile.php:23:44) -> PDO::exec#1',
|
|
|
|
],
|
|
|
|
'taintedInParentLoader' => [
|
|
|
|
'<?php
|
|
|
|
abstract class A {
|
|
|
|
abstract public static function loadPartial(string $sink) : void;
|
|
|
|
|
|
|
|
public static function loadFull(string $sink) : void {
|
|
|
|
static::loadPartial($sink);
|
|
|
|
}
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
function getPdo() : PDO {
|
|
|
|
return new PDO("connectionstring");
|
2020-06-19 07:22:51 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class AChild extends A {
|
|
|
|
public static function loadPartial(string $sink) : void {
|
|
|
|
getPdo()->exec("select * from foo where bar = " . $sink);
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class AGrandChild extends AChild {}
|
|
|
|
|
|
|
|
class C {
|
|
|
|
public function foo(string $user_id) : void {
|
|
|
|
AGrandChild::loadFull($user_id);
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
(new C)->foo((string) $_GET["user_id"]);',
|
|
|
|
'error_message' => 'TaintedInput - src/somefile.php:16:44 - Detected tainted sql in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:28:43) -> call to C::foo (src/somefile.php:28:34) -> C::foo#1 (src/somefile.php:23:52) -> call to AGrandChild::loadFull (src/somefile.php:24:51) -> AGrandChild::loadFull#1 (src/somefile.php:5:64) -> A::loadFull#1 (src/somefile.php:24:51) -> call to A::loadPartial (src/somefile.php:6:49) -> A::loadPartial#1 (src/somefile.php:3:76) -> AChild::loadPartial#1 (src/somefile.php:6:49) -> concat (src/somefile.php:16:44) -> call to PDO::exec (src/somefile.php:16:44) -> PDO::exec#1',
|
|
|
|
],
|
|
|
|
'taintedInputFromProperty' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public string $userId;
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->userId = (string) $_GET["user_id"];
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->userId;
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$this->deleteUser($pdo, $userId);
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromPropertyViaMixin' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public string $userId;
|
|
|
|
|
|
|
|
public function __construct() {
|
|
|
|
$this->userId = (string) $_GET["user_id"];
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
/** @mixin A */
|
|
|
|
class B {
|
|
|
|
private A $a;
|
|
|
|
|
|
|
|
public function __construct(A $a) {
|
|
|
|
$this->a = $a;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function __get(string $name) {
|
|
|
|
return $this->a->$name;
|
|
|
|
}
|
2020-06-19 07:22:51 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class C {
|
|
|
|
private B $b;
|
2020-06-19 07:22:51 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct(B $b) {
|
|
|
|
$this->b = $b;
|
|
|
|
}
|
2020-06-22 23:53:03 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function getAppendedUserId() : string {
|
|
|
|
return "aaaa" . $this->b->userId;
|
|
|
|
}
|
2020-06-22 23:53:03 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
|
|
$userId = $this->getAppendedUserId();
|
|
|
|
$this->deleteUser($pdo, $userId);
|
|
|
|
}
|
2020-06-22 23:53:03 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputViaStaticFunction' => [
|
|
|
|
'<?php
|
|
|
|
class Utils {
|
|
|
|
public static function shorten(string $str) : string {
|
|
|
|
return $str;
|
|
|
|
}
|
|
|
|
}
|
2020-06-22 23:53:03 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class A {
|
|
|
|
public function foo() : void {
|
|
|
|
echo(Utils::shorten((string) $_GET["user_id"]));
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputViaPureStaticFunction' => [
|
|
|
|
'<?php
|
|
|
|
class Utils {
|
|
|
|
/**
|
|
|
|
* @psalm-pure
|
|
|
|
*/
|
|
|
|
public static function shorten(string $str) : string {
|
|
|
|
return substr($str, 0, 100);
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 00:40:35 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class A {
|
|
|
|
public function foo() : void {
|
|
|
|
echo(Utils::shorten((string) $_GET["user_id"]));
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'untaintedInputViaStaticFunctionWithoutSafePath' => [
|
|
|
|
'<?php
|
|
|
|
class Utils {
|
|
|
|
/**
|
|
|
|
* @psalm-pure
|
|
|
|
*/
|
|
|
|
public static function shorten(string $str) : string {
|
|
|
|
return $str;
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 00:40:35 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class A {
|
|
|
|
public function foo() : void {
|
|
|
|
echo(Utils::shorten((string) $_GET["user_id"]));
|
|
|
|
}
|
2020-06-23 00:40:35 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function bar() : void {
|
|
|
|
echo(Utils::shorten("hello"));
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInputFromMagicProperty' => [
|
|
|
|
'<?php
|
2020-06-23 00:40:35 +02:00
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @property string $userId
|
2020-06-23 00:40:35 +02:00
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
class A {
|
|
|
|
/** @var array<string, string> */
|
|
|
|
private $vars = [];
|
|
|
|
|
|
|
|
public function __get(string $s) : string {
|
|
|
|
return $this->vars[$s];
|
|
|
|
}
|
|
|
|
|
|
|
|
public function __set(string $s, string $t) {
|
|
|
|
$this->vars[$s] = $t;
|
|
|
|
}
|
2020-06-23 00:40:35 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
function getAppendedUserId() : void {
|
|
|
|
$a = new A();
|
|
|
|
$a->userId = (string) $_GET["user_id"];
|
|
|
|
echo $a->userId;
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintOverMixed' => [
|
|
|
|
'<?php
|
2020-06-23 00:40:35 +02:00
|
|
|
/**
|
2020-06-25 00:28:21 +02:00
|
|
|
* @psalm-suppress MixedAssignment
|
|
|
|
* @psalm-suppress MixedArgument
|
2020-06-23 00:40:35 +02:00
|
|
|
*/
|
2020-06-25 00:28:21 +02:00
|
|
|
function foo() : void {
|
|
|
|
$a = $_GET["bad"];
|
|
|
|
echo $a;
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintStrConversion' => [
|
|
|
|
'<?php
|
|
|
|
function foo() : void {
|
|
|
|
$a = strtoupper(strtolower((string) $_GET["bad"]));
|
|
|
|
echo $a;
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintIntoExec' => [
|
|
|
|
'<?php
|
|
|
|
function foo() : void {
|
|
|
|
$a = (string) $_GET["bad"];
|
|
|
|
exec($a);
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintIntoExecMultipleConcat' => [
|
|
|
|
'<?php
|
|
|
|
function foo() : void {
|
|
|
|
$a = "9" . "a" . "b" . "c" . ((string) $_GET["bad"]) . "d" . "e" . "f";
|
|
|
|
exec($a);
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintIntoNestedArrayUnnestedSeparately' => [
|
|
|
|
'<?php
|
|
|
|
function foo() : void {
|
|
|
|
$a = [[(string) $_GET["bad"]]];
|
|
|
|
exec($a[0][0]);
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintIntoArrayAndThenOutAgain' => [
|
|
|
|
'<?php
|
|
|
|
class C {
|
|
|
|
public static function foo() : array {
|
|
|
|
$a = (string) $_GET["bad"];
|
|
|
|
return [$a];
|
|
|
|
}
|
2020-06-23 00:40:35 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public static function bar() {
|
|
|
|
exec(self::foo()[0]);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintAppendedToArray' => [
|
|
|
|
'<?php
|
|
|
|
class C {
|
|
|
|
public static function foo() : array {
|
|
|
|
$a = [];
|
|
|
|
$a[] = (string) $_GET["bad"];
|
|
|
|
return $a;
|
|
|
|
}
|
2020-06-23 21:28:31 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public static function bar() {
|
|
|
|
exec(self::foo()[0]);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintOnSubstrCall' => [
|
|
|
|
'<?php
|
|
|
|
class U {
|
|
|
|
/** @psalm-pure */
|
|
|
|
public static function shorten(string $s) : string {
|
|
|
|
return substr($s, 0, 15);
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 21:28:31 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V {}
|
2020-06-23 21:28:31 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O1 {
|
|
|
|
public string $s;
|
2020-06-23 21:28:31 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->s = (string) $_GET["FOO"];
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 extends V {
|
|
|
|
public function foo(O1 $o) : void {
|
|
|
|
echo U::shorten($o->s);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintOnStrReplaceCallSimple' => [
|
|
|
|
'<?php
|
|
|
|
class U {
|
|
|
|
/** @psalm-pure */
|
|
|
|
public static function shorten(string $s) : string {
|
|
|
|
return str_replace("foo", "bar", $s);
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V {}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O1 {
|
|
|
|
public string $s;
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->s = (string) $_GET["FOO"];
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 extends V {
|
|
|
|
public function foo(O1 $o) : void {
|
|
|
|
echo U::shorten($o->s);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintOnPregReplaceCall' => [
|
|
|
|
'<?php
|
|
|
|
class U {
|
|
|
|
/** @psalm-pure */
|
|
|
|
public static function shorten(string $s) : string {
|
|
|
|
return preg_replace("/foo/", "bar", $s);
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V {}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class O1 {
|
|
|
|
public string $s;
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct() {
|
|
|
|
$this->s = (string) $_GET["FOO"];
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class V1 extends V {
|
|
|
|
public function foo(O1 $o) : void {
|
|
|
|
echo U::shorten($o->s);
|
|
|
|
}
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'IndirectGetAssignment' => [
|
|
|
|
'<?php
|
|
|
|
class InputFilter {
|
|
|
|
public string $name;
|
|
|
|
|
|
|
|
public function __construct(string $name) {
|
|
|
|
$this->name = $name;
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
/**
|
|
|
|
* @psalm-specialize-call
|
|
|
|
*/
|
|
|
|
public function getArg(string $method, string $type)
|
|
|
|
{
|
|
|
|
$arg = null;
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
switch ($method) {
|
|
|
|
case "post":
|
|
|
|
if (isset($_POST[$this->name])) {
|
|
|
|
$arg = $_POST[$this->name];
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case "get":
|
|
|
|
if (isset($_GET[$this->name])) {
|
|
|
|
$arg = $_GET[$this->name];
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $this->filterInput($type, $arg);
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
protected function filterInput(string $type, $arg)
|
|
|
|
{
|
|
|
|
// input is null
|
|
|
|
if ($arg === null) {
|
|
|
|
return null;
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
// set to null if sanitize clears arg
|
|
|
|
if ($arg === "") {
|
|
|
|
$arg = null;
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
// type casting
|
|
|
|
if ($arg !== null) {
|
|
|
|
$arg = $this->typeCastInput($type, $arg);
|
|
|
|
}
|
2020-06-23 21:52:19 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
return $arg;
|
|
|
|
}
|
2020-06-23 22:38:59 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
protected function typeCastInput(string $type, $arg) {
|
|
|
|
if ($type === "string") {
|
|
|
|
return (string) $arg;
|
|
|
|
}
|
2020-06-23 22:38:59 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 22:38:59 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
echo (new InputFilter("hello"))->getArg("get", "string");',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintPropertyPassingObject' => [
|
|
|
|
'<?php
|
|
|
|
/** @psalm-immutable */
|
|
|
|
class User {
|
|
|
|
public string $id;
|
2020-06-23 22:38:59 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct(string $userId) {
|
|
|
|
$this->id = $userId;
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 22:53:11 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class UserUpdater {
|
|
|
|
public static function doDelete(PDO $pdo, User $user) : void {
|
|
|
|
self::deleteUser($pdo, $user->id);
|
|
|
|
}
|
2020-06-23 22:53:11 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public static function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 22:53:11 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$userObj = new User((string) $_GET["user_id"]);
|
|
|
|
UserUpdater::doDelete(new PDO(), $userObj);',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintPropertyPassingObjectSettingValueLater' => [
|
|
|
|
'<?php
|
|
|
|
/** @psalm-taint-specialize */
|
|
|
|
class User {
|
|
|
|
public string $id;
|
2020-06-23 22:53:11 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function __construct(string $userId) {
|
|
|
|
$this->id = $userId;
|
|
|
|
}
|
2020-06-23 22:53:11 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public function setId(string $userId) : void {
|
|
|
|
$this->id = $userId;
|
|
|
|
}
|
|
|
|
}
|
2020-06-23 22:53:11 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
class UserUpdater {
|
|
|
|
public static function doDelete(PDO $pdo, User $user) : void {
|
|
|
|
self::deleteUser($pdo, $user->id);
|
|
|
|
}
|
2020-06-24 23:23:16 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
public static function deleteUser(PDO $pdo, string $userId) : void {
|
|
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
}
|
|
|
|
}
|
2020-06-24 23:23:16 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$userObj = new User("5");
|
|
|
|
$userObj->setId((string) $_GET["user_id"]);
|
|
|
|
UserUpdater::doDelete(new PDO(), $userObj);',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'ImplodeExplode' => [
|
|
|
|
'<?php
|
|
|
|
$a = $_GET["name"];
|
|
|
|
$b = explode(" ", $a);
|
|
|
|
$c = implode(" ", $b);
|
|
|
|
echo $c;',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintThroughPregReplaceCallback' => [
|
|
|
|
'<?php
|
|
|
|
$a = $_GET["bad"];
|
2020-06-24 23:23:16 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
$b = preg_replace_callback(
|
|
|
|
\'/foo/\',
|
|
|
|
function (array $matches) : string {
|
|
|
|
return $matches[1];
|
|
|
|
},
|
|
|
|
$a
|
|
|
|
);
|
|
|
|
|
|
|
|
echo $b;',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedFunctionWithNoTypes' => [
|
|
|
|
'<?php
|
|
|
|
function rawinput() {
|
|
|
|
return $_GET[\'rawinput\'];
|
|
|
|
}
|
|
|
|
|
|
|
|
echo rawinput();',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedStaticCallWithNoTypes' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public static function rawinput() {
|
|
|
|
return $_GET[\'rawinput\'];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
echo A::rawinput();',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'taintedInstanceCallWithNoTypes' => [
|
|
|
|
'<?php
|
|
|
|
class A {
|
|
|
|
public function rawinput() {
|
|
|
|
return $_GET[\'rawinput\'];
|
|
|
|
}
|
|
|
|
}
|
2020-06-24 23:23:16 +02:00
|
|
|
|
2020-06-25 00:28:21 +02:00
|
|
|
echo (new A())->rawinput();',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'encapsulatedString' => [
|
|
|
|
'<?php
|
|
|
|
$unsafe = $_GET[\'unsafe\'];
|
|
|
|
echo "$unsafe";',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
|
|
|
'namespacedFunction' => [
|
|
|
|
'<?php
|
|
|
|
namespace ns;
|
|
|
|
|
|
|
|
function identity(string $s) : string {
|
|
|
|
return $s;
|
|
|
|
}
|
|
|
|
|
|
|
|
echo identity($_GET[\'userinput\']);',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
2020-06-25 00:33:09 +02:00
|
|
|
'print' => [
|
2020-06-25 00:28:21 +02:00
|
|
|
'<?php
|
|
|
|
print($_GET["name"]);',
|
|
|
|
'error_message' => 'TaintedInput - src/somefile.php:2:27 - Detected tainted html in path: $_GET -> $_GET[\'name\'] (src/somefile.php:2:27) -> call to print (src/somefile.php:2:27) -> print#1',
|
|
|
|
],
|
2020-06-25 00:43:15 +02:00
|
|
|
'unpackArgs' => [
|
|
|
|
'<?php
|
|
|
|
function test(...$args) {
|
|
|
|
echo $args[0];
|
|
|
|
}
|
|
|
|
test(...$_GET["other"]);',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
2020-06-25 01:16:30 +02:00
|
|
|
'foreachArg' => [
|
|
|
|
'<?php
|
|
|
|
$a = $_GET["bad"];
|
|
|
|
|
|
|
|
foreach ($a as $arg) {
|
|
|
|
echo $arg;
|
|
|
|
}',
|
|
|
|
'error_message' => 'TaintedInput',
|
|
|
|
],
|
2020-06-25 00:28:21 +02:00
|
|
|
];
|
2020-06-24 23:23:16 +02:00
|
|
|
}
|
2019-08-04 16:37:36 +02:00
|
|
|
}
|