Mark print() statement as the same sink type as echo (#3669)

2024-11-26 20:34:47 +01:00 · 2020-06-24 17:23:16 -04:00 · 2020-06-24 17:23:16 -04:00 · 1670848267
commit 1670848267
parent de85e7c539
2 changed files with 39 additions and 0 deletions
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/PrintAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/PrintAnalyzer.php
@ -4,6 +4,7 @@ namespace Psalm\Internal\Analyzer\Statements\Expression;
 use PhpParser;
 use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer;
 use Psalm\Internal\Analyzer\StatementsAnalyzer;
+use Psalm\Internal\Taint\Sink;
 use Psalm\CodeLocation;
 use Psalm\Context;
 use Psalm\Issue\ForbiddenCode;
@ -24,6 +25,28 @@ class PrintAnalyzer
            return false;
        }

+        if ($codebase->taint
+            && $codebase->config->trackTaintsInPath($statements_analyzer->getFilePath())
+        ) {
+            $call_location = new CodeLocation($statements_analyzer->getSource(), $stmt);
+
+            $print_param_sink = Sink::getForMethodArgument(
+                'print',
+                'print',
+                0,
+                null,
+                $call_location
+            );
+
+            $print_param_sink->taints = [
+                Type\TaintKind::INPUT_HTML,
+                Type\TaintKind::USER_SECRET,
+                Type\TaintKind::SYSTEM_SECRET
+            ];
+
+            $codebase->taint->addSink($print_param_sink);
+        }
+
        if ($stmt_expr_type = $statements_analyzer->node_data->getType($stmt->expr)) {
            if (Call\ArgumentAnalyzer::verifyType(
                $statements_analyzer,
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -1878,4 +1878,20 @@ class TaintTest extends TestCase

        $this->analyzeFile('somefile.php', new Context());
    }
+
+    public function testTaintedInstancePrint() : void
+    {
+        $this->expectException(\Psalm\Exception\CodeException::class);
+        $this->expectExceptionMessage('TaintedInput - somefile.php:2:23 - Detected tainted html in path: $_GET -> $_GET[\'name\'] (somefile.php:2:23) -> call to print (somefile.php:2:23) -> print#1');
+
+        $this->project_analyzer->trackTaintedInputs();
+
+        $this->addFile(
+            'somefile.php',
+            '<?php
+                print($_GET["name"]);'
+        );
+
+        $this->analyzeFile('somefile.php', new Context());
+    }
 }