mirror of https://github.com/danog/psalm.git synced 2025-01-21 21:31:13 +01:00

Fix tainting of function calls absent taintable params

Brown 2020-06-15 20:59:48 -04:00
parent 56ef220e49
commit 03e9649d49
2 changed files with 64 additions and 40 deletions


@ -1025,49 +1025,50 @@ class FunctionCallAnalyzer extends CallAnalyzer
if ($codebase->taint
&& $function_storage
&& $function_storage->return_source_params
&& $stmt_type
&& $codebase->config->trackTaintsInPath($statements_analyzer->getFilePath())
) {
foreach ($function_storage->return_source_params as $i) {
if (!isset($stmt->args[$i])) {
continue;
$return_location = new CodeLocation($statements_analyzer->getSource(), $stmt);
$function_return_sink = TaintNode::getForMethodReturn(
$function_id,
$function_id,
$return_location,
$function_storage->specialize_call ? $return_location : null
);
$codebase->taint->addTaintNode($function_return_sink);
$stmt_type->parent_nodes[] = $function_return_sink;
if ($function_storage->return_source_params) {
foreach ($function_storage->return_source_params as $i) {
if (!isset($stmt->args[$i])) {
continue;
}
$arg_location = new CodeLocation(
$statements_analyzer->getSource(),
$stmt->args[$i]->value
);
$function_param_sink = TaintNode::getForMethodArgument(
$function_id,
$function_id,
$i,
$arg_location,
$function_storage->specialize_call ? $return_location : null
);
$codebase->taint->addTaintNode($function_param_sink);
$codebase->taint->addPath(
$function_param_sink,
$function_return_sink,
$function_storage->added_taints,
$function_storage->removed_taints
);
}
$arg_location = new CodeLocation(
$statements_analyzer->getSource(),
$stmt->args[$i]->value
);
$return_location = new CodeLocation($statements_analyzer->getSource(), $stmt);
$function_param_sink = TaintNode::getForMethodArgument(
$function_id,
$function_id,
$i,
$arg_location,
$function_storage->specialize_call ? $return_location : null
);
$codebase->taint->addTaintNode($function_param_sink);
$function_return_sink = TaintNode::getForMethodReturn(
$function_id,
$function_id,
$return_location,
$function_storage->specialize_call ? $return_location : null
);
$codebase->taint->addTaintNode($function_return_sink);
$codebase->taint->addPath(
$function_param_sink,
$function_return_sink,
$function_storage->added_taints,
$function_storage->removed_taints
);
$stmt_type->parent_nodes[] = $function_return_sink;
}
}
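Review bot: The now-unconditional `$stmt_type->parent_nodes[] = $function_return_sink;` has no comment explaining why the return node is attached even when `return_source_params` is empty, which is the whole point of this fix. A comment above the `TaintNode::getForMethodReturn(` call, such as `// Always link the call result to the function's return node, so taint produced inside the body reaches the caller even when no argument is a taint source`, would keep a later refactor from folding it back into the `foreach`. Separately, `added_taints` and `removed_taints` are still passed only to `addPath` on the argument-to-return edges. Whether taint originating in the function body is meant to bypass those adjustments is not visible here and looks worth confirming, since a function marked as escaping would otherwise be treated differently depending on where the taint entered. The enclosing method starts and ends outside this hunk.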


@ -9,7 +9,7 @@ class TaintTest extends TestCase
/**
* @return void
*/
public function testTaintedInputFromReturnTypeSimple()
public function testTaintedInputFromMethodReturnTypeSimple()
{
$this->expectException(\Psalm\Exception\CodeException::class);
$this->expectExceptionMessage('TaintedInput');
@ -38,6 +38,29 @@ class TaintTest extends TestCase
$this->analyzeFile('somefile.php', new Context());
}
/**
* @return void
*/
public function testTaintedInputFromFunctionReturnType()
{
$this->expectException(\Psalm\Exception\CodeException::class);
$this->expectExceptionMessage('TaintedInput');
$this->project_analyzer->trackTaintedInputs();
$this->addFile(
'somefile.php',
'<?php
function getName() : string {
return $_GET["name"] ?? "unknown";
}
echo getName();'
);
$this->analyzeFile('somefile.php', new Context());
}
/**
* @return void
*/
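Review bot: `testTaintedInputFromFunctionReturnType` pins only the positive case, a parameterless function returning `$_GET["name"]`, so nothing in this file section guards against the opposite regression. Since the analyzer change attaches a return node to every function call in a taint-tracked path, a companion test would show that the new node does not by itself produce a `TaintedInput` report. It would analyse the same snippet with `return "unknown";` as the body and expect no exception. Both the renamed `testTaintedInputFromMethodReturnTypeSimple` and the new test start or end outside the visible hunks, so coverage elsewhere in the file cannot be ruled out from here.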