[BUGFIX] Specialize TaintSink in IncludeAnalyzer (#5986)

* [TEST] Assert more details in TaintTest * [TEST] Add test for multiple tainted includes * [BUGFIX] Specialize TaintSink in IncludeAnalyzer Fixes: #5986
2025-01-22 05:41:20 +01:00 · 2021-06-23 14:27:03 +02:00 · 2021-06-23 14:27:03 +02:00 · 38d3b15f8d
commit 38d3b15f8d
parent b07de1fefd
2 changed files with 29 additions and 4 deletions
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php
@ -116,6 +116,7 @@ class IncludeAnalyzer
                'include',
                'include',
                0,
+                $arg_location,
                $arg_location
            );

--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -5,6 +5,8 @@ use Psalm\Context;
 use Psalm\Internal\Analyzer\IssueData;
 use Psalm\IssueBuffer;

+use function trim;
+
 use const DIRECTORY_SEPARATOR;

 class TaintTest extends TestCase
@ -2194,7 +2196,7 @@ class TaintTest extends TestCase

        $actualIssueTypes = \array_map(
            function (IssueData $issue): string {
-                return $issue->type;
+                return $issue->type . '{ ' . trim($issue->snippet) . ' }';
            },
            IssueBuffer::getIssuesDataForFile($filePath)
        );
@ -2220,7 +2222,10 @@ class TaintTest extends TestCase
                    $data = process((string)($_GET["inject"] ?? ""));
                    exec($data);
                ',
-                'expectedIssueTypes' => ['TaintedHtml', 'TaintedShell'],
+                'expectedIssueTypes' => [
+                    'TaintedHtml{ function process(string $value): string {} }',
+                    'TaintedShell{ exec($data); }',
+                ],
            ],
            'taintSinkCascade' => [
                '<?php
@ -2244,8 +2249,27 @@ class TaintTest extends TestCase
                    $value = triggerShell($value);
                    $value = triggerFile($value);
                ',
-                'expectedIssueTypes' => ['TaintedHtml', 'TaintedTextWithQuotes', 'TaintedShell', 'TaintedFile'],
-            ]
+                'expectedIssueTypes' => [
+                    'TaintedHtml{ echo $value; }',
+                    'TaintedTextWithQuotes{ echo $value; }',
+                    'TaintedShell{ exec($value); }',
+                    'TaintedFile{ file_get_contents($value); }',
+                ],
+            ],
+            'taintedIncludes' => [
+                '<?php
+                    $first = (string)($_GET["first"] ?? "");
+                    $second = (string)($_GET["second"] ?? "");
+                    require $first;
+                    require dirname(__DIR__)."/first.php";
+                    require $second;
+                    require dirname(__DIR__)."/second.php";
+                ',
+                'expectedIssueTypes' => [
+                    'TaintedInclude{ require $first; }',
+                    'TaintedInclude{ require $second; }',
+                ],
+            ],
        ];
    }
 }