danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2024-11-26 20:34:47 +01:00
Code Issues Projects Releases Wiki Activity
ff990e5f8f
psalm/tests/TaintTest.php

1461 lines
53 KiB
PHP
Raw Normal View History

Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
<?php
namespace Psalm\Tests;
use Psalm\Config;
use Psalm\Context;
class TaintTest extends TestCase
{
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @dataProvider providerValidCodeParse
*
* @param string $code
*
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
* @return void
*/
Use compact test format
2020-06-25 00:28:21 +02:00
public function testValidCode(string $code)
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
{
Use compact test format
2020-06-25 00:28:21 +02:00
$test_name = $this->getTestName();
if (\strpos($test_name, 'SKIPPED-') !== false) {
$this->markTestSkipped('Skipped due to a bug.');
}
Detect taints in include calls
2020-05-23 05:53:37 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
$file_path = self::$src_dir_path . 'somefile.php';
Add eval sink
2020-05-23 06:03:29 +02:00
$this->addFile(
Use compact test format
2020-06-25 00:28:21 +02:00
$file_path,
$code
Add eval sink
2020-05-23 06:03:29 +02:00
);
Fix echo checks
2019-08-05 16:21:23 +02:00
$this->project_analyzer->trackTaintedInputs();
Use compact test format
2020-06-25 00:28:21 +02:00
$this->analyzeFile($file_path, new Context(), false);
Fix echo checks
2019-08-05 16:21:23 +02:00
}
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @dataProvider providerInvalidCodeParse
*
* @param string $code
* @param string $error_message
*
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
* @return void
*/
Use compact test format
2020-06-25 00:28:21 +02:00
public function testInvalidCode(string $code, string $error_message)
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
{
Use compact test format
2020-06-25 00:28:21 +02:00
if (\strpos($this->getTestName(), 'SKIPPED-') !== false) {
$this->markTestSkipped();
}
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
$this->expectException(\Psalm\Exception\CodeException::class);
Use compact test format
2020-06-25 00:28:21 +02:00
$this->expectExceptionMessageRegExp('/\b' . \preg_quote($error_message, '/') . '\b/');
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
$file_path = self::$src_dir_path . 'somefile.php';
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
$this->addFile(
Use compact test format
2020-06-25 00:28:21 +02:00
$file_path,
$code
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
);
$this->project_analyzer->trackTaintedInputs();
Use compact test format
2020-06-25 00:28:21 +02:00
$this->analyzeFile($file_path, new Context(), false);
Improve tracking of array taints
2020-06-19 00:48:19 +02:00
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
/**
Fix return type
2020-06-25 00:33:09 +02:00
* @return array<string, array{string}>
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
*/
Use compact test format
2020-06-25 00:28:21 +02:00
public function providerValidCodeParse()
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
{
Use compact test format
2020-06-25 00:28:21 +02:00
return [
'taintedInputInCreatedArrayNotEchoed' => [
'<?php
$name = $_GET["name"] ?? "unknown";
$id = (int) $_GET["id"];
$data = ["name" => $name, "id" => $id];
echo "<h1>" . htmlentities($data["name"]) . "</h1>";
echo "<p>" . $data["id"] . "</p>";'
],
'taintedInputInAssignedArrayNotEchoed' => [
'<?php
$name = $_GET["name"] ?? "unknown";
$id = (int) $_GET["id"];
$data = [];
$data["name"] = $name;
$data["id"] = $id;
echo "<h1>" . htmlentities($data["name"]) . "</h1>";
echo "<p>" . $data["id"] . "</p>";'
],
'taintedInputDirectlySuppressed' => [
'<?php
class A {
public function deleteUser(PDO $pdo) : void {
/** @psalm-taint-escape sql */
$userId = (string) $_GET["user_id"];
$pdo->exec("delete from users where user_id = " . $userId);
}
}'
],
'taintedInputDirectlySuppressedWithOtherUse' => [
'<?php
class A {
public function deleteUser(PDOWrapper $pdo) : void {
/**
* @psalm-taint-escape sql
*/
$userId = (string) $_GET["user_id"];
$pdo->exec("delete from users where user_id = " . $userId);
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUserSafer(PDOWrapper $pdo) : void {
$userId = $this->getSafeId();
$pdo->exec("delete from users where user_id = " . $userId);
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getSafeId() : string {
return "5";
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class PDOWrapper {
Add faster taint analysis
2020-05-22 04:47:58 +02:00
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @psalm-taint-sink sql $sql
Add faster taint analysis
2020-05-22 04:47:58 +02:00
*/
Use compact test format
2020-06-25 00:28:21 +02:00
public function exec(string $sql) : void {}
}'
],
'taintedInputToParamButSafe' => [
'<?php
class A {
public function getUserId(PDO $pdo) : void {
$this->deleteUser(
$pdo,
$this->getAppendedUserId((string) $_GET["user_id"])
);
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId(string $user_id) : string {
return "aaa" . $user_id;
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$userId2 = strlen($userId);
$pdo->exec("delete from users where user_id = " . $userId2);
}
}'
],
'ValidatedInputFromParam' => [
'<?php
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @psalm-assert-untainted $userId
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
*/
Use compact test format
2020-06-25 00:28:21 +02:00
function validateUserId(string $userId) : void {
if (!is_numeric($userId)) {
throw new \Exception("bad");
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
}
Use compact test format
2020-06-25 00:28:21 +02:00
class A {
public function getUserId() : string {
return (string) $_GET["user_id"];
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function doDelete(PDO $pdo) : void {
$userId = $this->getUserId();
validateUserId($userId);
$this->deleteUser($pdo, $userId);
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}'
],
'untaintedInput' => [
'<?php
class A {
public function getUserId() : int {
return (int) $_GET["user_id"];
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->getUserId();
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
$pdo->exec("delete from users where user_id = " . $userId);
}
}'
],
'specializedCoreFunctionCall' => [
'<?php
$a = (string) $_GET["user_id"];
echo print_r([], true);
$b = print_r($a, true);'
],
'untaintedInputViaStaticFunctionWithSafePath' => [
'<?php
class Utils {
/**
* @psalm-pure
*/
public static function shorten(string $str) : string {
return $str;
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class A {
public function foo() : void {
echo(htmlentities(Utils::shorten((string) $_GET["user_id"])));
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function bar() : void {
echo(Utils::shorten("hello"));
}
}'
],
'taintHtmlEntities' => [
'<?php
function foo() : void {
$a = htmlentities((string) $_GET["bad"]);
echo $a;
}'
],
'taintOnStrReplaceCallRemovedInFunction' => [
'<?php
class U {
/**
* @psalm-pure
* @psalm-taint-escape html
*/
public static function shorten(string $s) : string {
return str_replace("foo", "bar", $s);
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V {}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class O1 {
public string $s;
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->s = (string) $_GET["FOO"];
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 extends V {
public function foo(O1 $o) : void {
echo U::shorten($o->s);
}
}'
],
'taintOnPregReplaceCallRemovedInFunction' => [
'<?php
class U {
/**
* @psalm-pure
*/
public static function shorten(string $s) : string {
return preg_replace("/[^_a-z\/\.A-Z0-9]/", "bar", $s);
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V {}
class O1 {
public string $s;
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->s = (string) $_GET["FOO"];
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 extends V {
public function foo(O1 $o) : void {
echo U::shorten($o->s);
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
}'
],
'taintOnStrReplaceCallRemovedInline' => [
'<?php
class V {}
Taint arrays in creation
2019-10-12 05:28:17 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class O1 {
public string $s;
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->s = (string) $_GET["FOO"];
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 extends V {
public function foo(O1 $o) : void {
/**
* @psalm-taint-escape html
*/
$a = str_replace("foo", "bar", $o->s);
echo $a;
}
}'
],
'NoTaintsOnSimilarPureCall' => [
'<?php
class U {
/** @psalm-pure */
public static function shorten(string $s) : string {
return substr($s, 0, 15);
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
/** @psalm-pure */
public static function escape(string $s) : string {
return htmlentities($s);
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class O1 {
public string $s;
public function __construct(string $s) {
$this->s = $s;
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class O2 {
public string $t;
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->t = (string) $_GET["FOO"];
}
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 {
public function foo() : void {
$o = new O1((string) $_GET["FOO"]);
echo U::escape(U::shorten($o->s));
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V2 {
public function foo(O2 $o) : void {
echo U::shorten(U::escape($o->t));
}
}'
],
'taintPropertyPassingObjectWithDifferentValue' => [
'<?phps
/** @psalm-immutable */
class User {
public string $id;
public $name = "Luke";
public function __construct(string $userId) {
$this->id = $userId;
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class UserUpdater {
public static function doDelete(PDO $pdo, User $user) : void {
self::deleteUser($pdo, $user->name);
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public static function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
$userObj = new User((string) $_GET["user_id"]);
UserUpdater::doDelete(new PDO(), $userObj);'
],
'taintPropertyWithoutPassingObject' => [
'<?phps
/** @psalm-immutable */
class User {
public string $id;
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct(string $userId) {
$this->id = $userId;
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class UserUpdater {
public static function doDelete(PDO $pdo, User $user) : void {
self::deleteUser($pdo, $user->id);
}
public static function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
$userObj = new User((string) $_GET["user_id"]);',
],
'specializeStaticMethod' => [
'<?php
StringUtility::foo($_GET["c"]);
class StringUtility {
/**
* @psalm-taint-specialize
*/
public static function foo(string $str) : string
{
return $str;
}
/**
* @psalm-taint-specialize
*/
public static function slugify(string $url) : string {
return self::foo($url);
}
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
echo StringUtility::slugify("hello");'
],
Improve accuracy of array nesting checks
2020-06-25 06:50:52 +02:00
'taintFreeNestedArray' => [
'<?php
$a = [];
$a[] = ["a" => $_GET["name"], "b" => "foo"];
foreach ($a as $m) {
echo $m["b"];
}'
],
Add a bit more accuracy
2020-06-25 07:00:11 +02:00
'taintFreeNestedArrayWithOffsetAccessedExplicitly' => [
'<?php
$a = [];
$a[] = ["a" => $_GET["name"], "b" => "foo"];
echo $a[0]["b"];',
],
Reconciling should preserve taints Fixes #3680
2020-06-25 23:04:18 +02:00
'intUntainted' => [
'<?php
$input = $_GET[\'input\'];
if (is_int($input)) {
echo "$input";
}',
],
Specialize constructor taints cc @TysonAndre
2020-06-30 03:08:43 +02:00
'dontTaintSpecializedInstanceProperty' => [
'<?php
/** @psalm-taint-specialize */
class StringHolder {
public $x;
public function __construct(string $x) {
$this->x = $x;
}
}
$a = new StringHolder("a");
$b = new StringHolder($_GET["x"]);
echo $a->x;'
],
Use compact test format
2020-06-25 00:28:21 +02:00
];
Fix erroneous return type resolution
2019-10-14 23:10:30 +02:00
}
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
/**
Fix return type
2020-06-25 00:33:09 +02:00
* @return array<string, array{0: string, error_message: string}>
Use compact test format
2020-06-25 00:28:21 +02:00
*/
public function providerInvalidCodeParse()
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
{
Use compact test format
2020-06-25 00:28:21 +02:00
return [
'taintedInputFromMethodReturnTypeSimple' => [
'<?php
class A {
public function getUserId() : string {
return (string) $_GET["user_id"];
}
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->getUserId();
}
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputFromFunctionReturnType' => [
'<?php
function getName() : string {
return $_GET["name"] ?? "unknown";
}
echo getName();',
'error_message' => 'TaintedInput - src/somefile.php:6:26 - Detected tainted html in path: $_GET -> $_GET[\'name\'] (src/somefile.php:3:32) -> getname (src/somefile.php:6:26) -> call to echo (src/somefile.php:6:26) -> echo#1',
],
'taintedInputFromExplicitTaintSource' => [
'<?php
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @psalm-taint-source input
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
*/
Use compact test format
2020-06-25 00:28:21 +02:00
function getName() : string {
return "";
}
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
echo getName();',
'error_message' => 'TaintedInput',
],
'taintedInputFromExplicitTaintSourceStaticMethod' => [
'<?php
class Request {
/**
* @psalm-taint-source input
*/
public static function getName() : string {
return "";
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
}
}
Use compact test format
2020-06-25 00:28:21 +02:00
echo Request::getName();',
'error_message' => 'TaintedInput',
],
'taintedInputFromGetArray' => [
'<?php
function getName(array $data) : string {
return $data["name"] ?? "unknown";
}
$name = getName($_GET);
echo $name;',
'error_message' => 'TaintedInput',
],
'taintedInputFromReturnToInclude' => [
'<?php
$a = (string) $_GET["file"];
$b = "hello" . $a;
include str_replace("a", "b", $b);',
'error_message' => 'TaintedInput',
],
'taintedInputFromReturnToEval' => [
'<?php
$a = $_GET["file"];
eval("<?php" . $a);',
'error_message' => 'TaintedInput',
],
'taintedInputFromReturnTypeToEcho' => [
'<?php
class A {
public function getUserId() : string {
return (string) $_GET["user_id"];
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->getUserId();
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
echo $userId;
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputInCreatedArrayIsEchoed' => [
'<?php
$name = $_GET["name"] ?? "unknown";
$data = ["name" => $name];
echo "<h1>" . $data["name"] . "</h1>";',
'error_message' => 'TaintedInput',
],
'testTaintedInputInAssignedArrayIsEchoed' => [
'<?php
$name = $_GET["name"] ?? "unknown";
$data = [];
$data["name"] = $name;
echo "<h1>" . $data["name"] . "</h1>";',
'error_message' => 'TaintedInput',
],
'taintedInputDirectly' => [
'<?php
class A {
public function deleteUser(PDO $pdo) : void {
$userId = (string) $_GET["user_id"];
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputFromReturnTypeWithBranch' => [
'<?php
class A {
public function getUserId() : string {
return (string) $_GET["user_id"];
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
$userId = $this->getUserId();
Make taint checks more thorough
2020-05-25 23:10:53 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
if (rand(0, 1)) {
$userId .= "aaa";
} else {
$userId .= "bb";
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
return $userId;
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput',
],
'sinkAnnotation' => [
'<?php
class A {
public function getUserId() : string {
return (string) $_GET["user_id"];
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->getUserId();
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDOWrapper $pdo) : void {
$userId = $this->getAppendedUserId();
$pdo->exec("delete from users where user_id = " . $userId);
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class PDOWrapper {
/**
* @psalm-taint-sink sql $sql
*/
public function exec(string $sql) : void {}
}',
'error_message' => 'TaintedInput',
],
'taintedInputFromParam' => [
'<?php
class A {
public function getUserId() : string {
return (string) $_GET["user_id"];
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->getUserId();
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function doDelete(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
$this->deleteUser($pdo, $userId);
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput - src/somefile.php:17:40 - Detected tainted sql in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:4:45) -> A::getUserId (src/somefile.php:3:55) -> concat (src/somefile.php:8:36) -> A::getAppendedUserId (src/somefile.php:7:63) -> $userId (src/somefile.php:12:29) -> call to A::deleteUser (src/somefile.php:13:53) -> A::deleteUser#2 (src/somefile.php:16:69) -> concat (src/somefile.php:17:40) -> call to PDO::exec (src/somefile.php:17:40) -> PDO::exec#1',
],
'taintedInputToParam' => [
'<?php
class A {
public function getUserId(PDO $pdo) : void {
$this->deleteUser(
$pdo,
$this->getAppendedUserId((string) $_GET["user_id"])
);
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId(string $user_id) : string {
return "aaa" . $user_id;
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputToParamAfterAssignment' => [
'<?php
class A {
public function getUserId(PDO $pdo) : void {
$this->deleteUser(
$pdo,
$this->getAppendedUserId((string) $_GET["user_id"])
);
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId(string $user_id) : string {
return "aaa" . $user_id;
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$userId2 = $userId;
$pdo->exec("delete from users where user_id = " . $userId2);
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputToParamAlternatePath' => [
'<?php
class A {
public function getUserId(PDO $pdo) : void {
$this->deleteUser(
$pdo,
self::doFoo(),
$this->getAppendedUserId((string) $_GET["user_id"])
);
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId(string $user_id) : string {
return "aaa" . $user_id;
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public static function doFoo() : string {
return "hello";
}
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId, string $userId2) : void {
$pdo->exec("delete from users where user_id = " . $userId);
Improve specialisation after call
2020-06-19 07:59:45 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
if (rand(0, 1)) {
$pdo->exec("delete from users where user_id = " . $userId2);
}
}
}',
'error_message' => 'TaintedInput - src/somefile.php:23:44 - Detected tainted sql in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:7:67) -> call to A::getAppendedUserId (src/somefile.php:7:58) -> A::getAppendedUserId#1 (src/somefile.php:11:66) -> concat (src/somefile.php:12:36) -> A::getAppendedUserId (src/somefile.php:11:41) -> call to A::deleteUser (src/somefile.php:7:33) -> A::deleteUser#3 (src/somefile.php:19:85) -> concat (src/somefile.php:23:44) -> call to PDO::exec (src/somefile.php:23:44) -> PDO::exec#1',
],
'taintedInParentLoader' => [
'<?php
abstract class A {
abstract public static function loadPartial(string $sink) : void;
public static function loadFull(string $sink) : void {
static::loadPartial($sink);
}
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
function getPdo() : PDO {
return new PDO("connectionstring");
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class AChild extends A {
public static function loadPartial(string $sink) : void {
getPdo()->exec("select * from foo where bar = " . $sink);
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class AGrandChild extends AChild {}
class C {
public function foo(string $user_id) : void {
AGrandChild::loadFull($user_id);
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
(new C)->foo((string) $_GET["user_id"]);',
'error_message' => 'TaintedInput - src/somefile.php:16:44 - Detected tainted sql in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:28:43) -> call to C::foo (src/somefile.php:28:34) -> C::foo#1 (src/somefile.php:23:52) -> call to AGrandChild::loadFull (src/somefile.php:24:51) -> AGrandChild::loadFull#1 (src/somefile.php:5:64) -> A::loadFull#1 (src/somefile.php:24:51) -> call to A::loadPartial (src/somefile.php:6:49) -> A::loadPartial#1 (src/somefile.php:3:76) -> AChild::loadPartial#1 (src/somefile.php:6:49) -> concat (src/somefile.php:16:44) -> call to PDO::exec (src/somefile.php:16:44) -> PDO::exec#1',
],
'taintedInputFromProperty' => [
'<?php
class A {
public string $userId;
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->userId = (string) $_GET["user_id"];
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->userId;
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function doDelete(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
$this->deleteUser($pdo, $userId);
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputFromPropertyViaMixin' => [
'<?php
class A {
public string $userId;
public function __construct() {
$this->userId = (string) $_GET["user_id"];
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
/** @mixin A */
class B {
private A $a;
public function __construct(A $a) {
$this->a = $a;
}
public function __get(string $name) {
return $this->a->$name;
}
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class C {
private B $b;
Improve tainting of specializable classes
2020-06-19 07:22:51 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct(B $b) {
$this->b = $b;
}
Support taint flows in more functions
2020-06-22 23:53:03 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function getAppendedUserId() : string {
return "aaaa" . $this->b->userId;
}
Support taint flows in more functions
2020-06-22 23:53:03 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function doDelete(PDO $pdo) : void {
$userId = $this->getAppendedUserId();
$this->deleteUser($pdo, $userId);
}
Support taint flows in more functions
2020-06-22 23:53:03 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputViaStaticFunction' => [
'<?php
class Utils {
public static function shorten(string $str) : string {
return $str;
}
}
Support taint flows in more functions
2020-06-22 23:53:03 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class A {
public function foo() : void {
echo(Utils::shorten((string) $_GET["user_id"]));
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputViaPureStaticFunction' => [
'<?php
class Utils {
/**
* @psalm-pure
*/
public static function shorten(string $str) : string {
return substr($str, 0, 100);
}
}
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class A {
public function foo() : void {
echo(Utils::shorten((string) $_GET["user_id"]));
}
}',
'error_message' => 'TaintedInput',
],
'untaintedInputViaStaticFunctionWithoutSafePath' => [
'<?php
class Utils {
/**
* @psalm-pure
*/
public static function shorten(string $str) : string {
return $str;
}
}
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class A {
public function foo() : void {
echo(Utils::shorten((string) $_GET["user_id"]));
}
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function bar() : void {
echo(Utils::shorten("hello"));
}
}',
'error_message' => 'TaintedInput',
],
'taintedInputFromMagicProperty' => [
'<?php
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @property string $userId
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
*/
Use compact test format
2020-06-25 00:28:21 +02:00
class A {
/** @var array<string, string> */
private $vars = [];
public function __get(string $s) : string {
return $this->vars[$s];
}
public function __set(string $s, string $t) {
$this->vars[$s] = $t;
}
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
function getAppendedUserId() : void {
$a = new A();
$a->userId = (string) $_GET["user_id"];
echo $a->userId;
}',
'error_message' => 'TaintedInput',
],
'taintOverMixed' => [
'<?php
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
/**
Use compact test format
2020-06-25 00:28:21 +02:00
* @psalm-suppress MixedAssignment
* @psalm-suppress MixedArgument
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
*/
Use compact test format
2020-06-25 00:28:21 +02:00
function foo() : void {
$a = $_GET["bad"];
echo $a;
}',
'error_message' => 'TaintedInput',
],
'taintStrConversion' => [
'<?php
function foo() : void {
$a = strtoupper(strtolower((string) $_GET["bad"]));
echo $a;
}',
'error_message' => 'TaintedInput',
],
'taintIntoExec' => [
'<?php
function foo() : void {
$a = (string) $_GET["bad"];
exec($a);
}',
'error_message' => 'TaintedInput',
],
'taintIntoExecMultipleConcat' => [
'<?php
function foo() : void {
$a = "9" . "a" . "b" . "c" . ((string) $_GET["bad"]) . "d" . "e" . "f";
exec($a);
}',
'error_message' => 'TaintedInput',
],
'taintIntoNestedArrayUnnestedSeparately' => [
'<?php
function foo() : void {
$a = [[(string) $_GET["bad"]]];
exec($a[0][0]);
}',
'error_message' => 'TaintedInput',
],
'taintIntoArrayAndThenOutAgain' => [
'<?php
class C {
public static function foo() : array {
$a = (string) $_GET["bad"];
return [$a];
}
Fix static call specialisation via annotation
2020-06-23 00:40:35 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public static function bar() {
exec(self::foo()[0]);
}
}',
'error_message' => 'TaintedInput',
],
'taintAppendedToArray' => [
'<?php
class C {
public static function foo() : array {
$a = [];
$a[] = (string) $_GET["bad"];
return $a;
}
Taint flows through preg_replace_callback
2020-06-23 21:28:31 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public static function bar() {
exec(self::foo()[0]);
}
}',
'error_message' => 'TaintedInput',
],
'taintOnSubstrCall' => [
'<?php
class U {
/** @psalm-pure */
public static function shorten(string $s) : string {
return substr($s, 0, 15);
}
}
Taint flows through preg_replace_callback
2020-06-23 21:28:31 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class V {}
Taint flows through preg_replace_callback
2020-06-23 21:28:31 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class O1 {
public string $s;
Taint flows through preg_replace_callback
2020-06-23 21:28:31 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->s = (string) $_GET["FOO"];
}
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 extends V {
public function foo(O1 $o) : void {
echo U::shorten($o->s);
}
}',
'error_message' => 'TaintedInput',
],
'taintOnStrReplaceCallSimple' => [
'<?php
class U {
/** @psalm-pure */
public static function shorten(string $s) : string {
return str_replace("foo", "bar", $s);
}
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class V {}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class O1 {
public string $s;
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->s = (string) $_GET["FOO"];
}
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 extends V {
public function foo(O1 $o) : void {
echo U::shorten($o->s);
}
}',
'error_message' => 'TaintedInput',
],
'taintOnPregReplaceCall' => [
'<?php
class U {
/** @psalm-pure */
public static function shorten(string $s) : string {
return preg_replace("/foo/", "bar", $s);
}
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class V {}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class O1 {
public string $s;
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct() {
$this->s = (string) $_GET["FOO"];
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
}
Use compact test format
2020-06-25 00:28:21 +02:00
class V1 extends V {
public function foo(O1 $o) : void {
echo U::shorten($o->s);
}
}',
'error_message' => 'TaintedInput',
],
'IndirectGetAssignment' => [
'<?php
class InputFilter {
public string $name;
public function __construct(string $name) {
$this->name = $name;
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
/**
* @psalm-specialize-call
*/
public function getArg(string $method, string $type)
{
$arg = null;
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
switch ($method) {
case "post":
if (isset($_POST[$this->name])) {
$arg = $_POST[$this->name];
}
break;
case "get":
if (isset($_GET[$this->name])) {
$arg = $_GET[$this->name];
}
break;
}
return $this->filterInput($type, $arg);
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
protected function filterInput(string $type, $arg)
{
// input is null
if ($arg === null) {
return null;
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
// set to null if sanitize clears arg
if ($arg === "") {
$arg = null;
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
// type casting
if ($arg !== null) {
$arg = $this->typeCastInput($type, $arg);
}
Allow taints to flow where no return type exists Fixes #3652
2020-06-23 21:52:19 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
return $arg;
}
Fix #3655 - taint encapsulated strings
2020-06-23 22:38:59 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
protected function typeCastInput(string $type, $arg) {
if ($type === "string") {
return (string) $arg;
}
Fix #3655 - taint encapsulated strings
2020-06-23 22:38:59 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
return null;
}
}
Fix #3655 - taint encapsulated strings
2020-06-23 22:38:59 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
echo (new InputFilter("hello"))->getArg("get", "string");',
'error_message' => 'TaintedInput',
],
'taintPropertyPassingObject' => [
'<?php
/** @psalm-immutable */
class User {
public string $id;
Fix #3655 - taint encapsulated strings
2020-06-23 22:38:59 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct(string $userId) {
$this->id = $userId;
}
}
Fix #3654 - use correct function id for namespaced functions
2020-06-23 22:53:11 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class UserUpdater {
public static function doDelete(PDO $pdo, User $user) : void {
self::deleteUser($pdo, $user->id);
}
Fix #3654 - use correct function id for namespaced functions
2020-06-23 22:53:11 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public static function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}
Fix #3654 - use correct function id for namespaced functions
2020-06-23 22:53:11 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
$userObj = new User((string) $_GET["user_id"]);
UserUpdater::doDelete(new PDO(), $userObj);',
'error_message' => 'TaintedInput',
],
'taintPropertyPassingObjectSettingValueLater' => [
'<?php
/** @psalm-taint-specialize */
class User {
public string $id;
Fix #3654 - use correct function id for namespaced functions
2020-06-23 22:53:11 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function __construct(string $userId) {
$this->id = $userId;
}
Fix #3654 - use correct function id for namespaced functions
2020-06-23 22:53:11 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public function setId(string $userId) : void {
$this->id = $userId;
}
}
Fix #3654 - use correct function id for namespaced functions
2020-06-23 22:53:11 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
class UserUpdater {
public static function doDelete(PDO $pdo, User $user) : void {
self::deleteUser($pdo, $user->id);
}
Mark print() statement as the same sink type as echo (#3669)
2020-06-24 23:23:16 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
public static function deleteUser(PDO $pdo, string $userId) : void {
$pdo->exec("delete from users where user_id = " . $userId);
}
}
Mark print() statement as the same sink type as echo (#3669)
2020-06-24 23:23:16 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
$userObj = new User("5");
$userObj->setId((string) $_GET["user_id"]);
UserUpdater::doDelete(new PDO(), $userObj);',
'error_message' => 'TaintedInput',
],
'ImplodeExplode' => [
'<?php
$a = $_GET["name"];
$b = explode(" ", $a);
$c = implode(" ", $b);
echo $c;',
'error_message' => 'TaintedInput',
],
'taintThroughPregReplaceCallback' => [
'<?php
$a = $_GET["bad"];
Mark print() statement as the same sink type as echo (#3669)
2020-06-24 23:23:16 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
$b = preg_replace_callback(
\'/foo/\',
function (array $matches) : string {
return $matches[1];
},
$a
);
echo $b;',
'error_message' => 'TaintedInput',
],
'taintedFunctionWithNoTypes' => [
'<?php
function rawinput() {
return $_GET[\'rawinput\'];
}
echo rawinput();',
'error_message' => 'TaintedInput',
],
'taintedStaticCallWithNoTypes' => [
'<?php
class A {
public static function rawinput() {
return $_GET[\'rawinput\'];
}
}
echo A::rawinput();',
'error_message' => 'TaintedInput',
],
'taintedInstanceCallWithNoTypes' => [
'<?php
class A {
public function rawinput() {
return $_GET[\'rawinput\'];
}
}
Mark print() statement as the same sink type as echo (#3669)
2020-06-24 23:23:16 +02:00
Use compact test format
2020-06-25 00:28:21 +02:00
echo (new A())->rawinput();',
'error_message' => 'TaintedInput',
],
'encapsulatedString' => [
'<?php
$unsafe = $_GET[\'unsafe\'];
echo "$unsafe";',
'error_message' => 'TaintedInput',
],
Fix #3697 - cast types via implied __toString method
2020-06-29 15:13:19 +02:00
'encapsulatedToStringMagic' => [
'<?php
class MyClass {
public function __toString() {
return $_GET["blah"];
}
}
$unsafe = new MyClass();
echo "unsafe: $unsafe";',
'error_message' => 'TaintedInput',
],
'castToStringMagic' => [
'<?php
class MyClass {
public function __toString() {
return $_GET["blah"];
}
}
$unsafe = new MyClass();
Fix #3709 - don’t crash on inherited __toString tainting
2020-06-29 18:11:11 +02:00
echo $unsafe;',
'error_message' => 'TaintedInput',
],
Perform string casting for taints in ArgumentAnalyzer
2020-06-29 19:21:33 +02:00
'castToStringViaArgument' => [
'<?php
class MyClass {
public function __toString() {
return $_GET["blah"];
}
}
function doesEcho(string $s) {
echo $s;
}
$unsafe = new MyClass();
doesEcho($unsafe);',
'error_message' => 'TaintedInput',
],
Fix #3709 - don’t crash on inherited __toString tainting
2020-06-29 18:11:11 +02:00
'toStringTaintInSubclass' => [
'<?php // --taint-analysis
class TaintedBaseClass {
/** @psalm-taint-source input */
public function __toString() {
return "x";
}
}
class TaintedSubclass extends TaintedBaseClass {}
$x = new TaintedSubclass();
echo "Caught: $x\n";',
Fix #3697 - cast types via implied __toString method
2020-06-29 15:13:19 +02:00
'error_message' => 'TaintedInput',
],
'implicitToStringMagic' => [
'<?php
class MyClass {
public function __toString() {
return $_GET["blah"];
}
}
$unsafe = new MyClass();
Remove string cast Cc @TysonAndre
2020-06-29 15:54:07 +02:00
echo $unsafe;',
Fix #3697 - cast types via implied __toString method
2020-06-29 15:13:19 +02:00
'error_message' => 'TaintedInput',
],
Use compact test format
2020-06-25 00:28:21 +02:00
'namespacedFunction' => [
'<?php
namespace ns;
function identity(string $s) : string {
return $s;
}
echo identity($_GET[\'userinput\']);',
'error_message' => 'TaintedInput',
],
Fix return type
2020-06-25 00:33:09 +02:00
'print' => [
Use compact test format
2020-06-25 00:28:21 +02:00
'<?php
print($_GET["name"]);',
'error_message' => 'TaintedInput - src/somefile.php:2:27 - Detected tainted html in path: $_GET -> $_GET[\'name\'] (src/somefile.php:2:27) -> call to print (src/somefile.php:2:27) -> print#1',
],
Add support for argument unpacking Ref #3670
2020-06-25 00:43:15 +02:00
'unpackArgs' => [
'<?php
function test(...$args) {
echo $args[0];
}
test(...$_GET["other"]);',
'error_message' => 'TaintedInput',
],
Fix #3670 - taint mixed foreach access
2020-06-25 01:16:30 +02:00
'foreachArg' => [
'<?php
$a = $_GET["bad"];
foreach ($a as $arg) {
echo $arg;
}',
'error_message' => 'TaintedInput',
],
Fix #3668 - taint property types for magic properties without @property
2020-06-25 06:24:37 +02:00
'magicPropertyType' => [
'<?php
class Magic {
private $params = [];
public function __get(string $a) {
return $this->params[$a];
}
public function __set(string $a, $value) {
$this->params[$a] = $value;
}
}
$m = new Magic();
$m->taint = $_GET["input"];
echo $m->taint;',
'error_message' => 'TaintedInput',
],
Add a bit more accuracy
2020-06-25 07:00:11 +02:00
'taintNestedArrayWithOffsetAccessedInForeach' => [
'<?php
$a = [];
$a[0] = ["a" => $_GET["name"], "b" => "foo"];
foreach ($a as $m) {
echo $m["a"];
}',
'error_message' => 'TaintedInput',
],
'taintNestedArrayWithOffsetAccessedExplicitly' => [
'<?php
$a = [];
$a[] = ["a" => $_GET["name"], "b" => "foo"];
echo $a[0]["a"];',
'error_message' => 'TaintedInput',
],
Improve handling of array_map, faking out calls where nececssary
2020-06-25 19:05:34 +02:00
'taintThroughArrayMapExplicitClosure' => [
'<?php
$get = array_map(function($str) { return trim($str);}, $_GET);
echo $get["test"];',
'error_message' => 'TaintedInput',
],
'taintThroughArrayMapExplicitTypedClosure' => [
'<?php
$get = array_map(function(string $str) : string { return trim($str);}, $_GET);
echo $get["test"];',
'error_message' => 'TaintedInput',
],
'taintThroughArrayMapExplicitArrowFunction' => [
'<?php
$get = array_map(fn($str) => trim($str), $_GET);
echo $get["test"];',
'error_message' => 'TaintedInput',
],
'taintThroughArrayMapImplicitFunctionCall' => [
'<?php
$a = ["test" => $_GET["name"]];
$get = array_map("trim", $a);
echo $get["test"];',
'error_message' => 'TaintedInput',
],
Fix #3675 - add taints to filter_var return Doesn’t yet take callback into account
2020-06-25 19:24:26 +02:00
'taintFilterVar' => [
'<?php
$get = filter_var($_GET, FILTER_CALLBACK, ["options" => "trim"]);
echo $get["test"];',
'error_message' => 'TaintedInput',
],
Reconciling should preserve taints Fixes #3680
2020-06-25 23:04:18 +02:00
'taintAfterReconciledType' => [
'<?php
$input = $_GET[\'input\'];
if (is_string($input)) {
echo "$input";
}',
'error_message' => 'TaintedInput',
],
Fix #3681 - taint exit like echo
2020-06-25 23:17:08 +02:00
'taintExit' => [
'<?php
if (rand(0, 1)) {
exit($_GET[\'a\']);
} else {
die($_GET[\'b\']);
}',
'error_message' => 'TaintedInput',
],
Fix #3711 - generalize call of specialized class without specializations
2020-06-29 23:42:01 +02:00
'taintSpecializedMethod' => [
'<?php
/** @psalm-taint-specialize */
class Unsafe {
public function isUnsafe() {
return $_GET["unsafe"];
}
}
$a = new Unsafe();
echo $a->isUnsafe();',
'error_message' => 'TaintedInput',
],
Specialize constructor taints cc @TysonAndre
2020-06-30 03:08:43 +02:00
'taintSpecializedInstanceProperty' => [
'<?php
/** @psalm-taint-specialize */
class StringHolder {
public $x;
public function __construct(string $x) {
$this->x = $x;
}
}
$b = new StringHolder($_GET["x"]);
echo $b->x;',
'error_message' => 'TaintedInput',
],
Use compact test format
2020-06-25 00:28:21 +02:00
];
Mark print() statement as the same sink type as echo (#3669)
2020-06-24 23:23:16 +02:00
}
Add framework for taint analysis to Psalm Ref #611
2019-08-04 16:37:36 +02:00
}
Reference in New Issue Copy Permalink