danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2025-01-21 21:31:13 +01:00
Code Issues Projects Releases Wiki Activity

don't taint the result of most binary operations

Browse Source
This commit is contained in:
orklah 2021-11-03 20:19:29 +01:00
parent 73fb04fce7
commit 3b01713257
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
View File

@ -6,6 +6,7 @@ use Psalm\CodeLocation;
use Psalm\Context;
use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer;
use Psalm\Internal\Analyzer\StatementsAnalyzer;
use Psalm\Internal\Codebase\TaintFlowGraph;
use Psalm\Internal\Codebase\VariableUseGraph;
use Psalm\Internal\DataFlow\DataFlowNode;
use Psalm\Issue\ImpureMethodCall;
@ -369,10 +370,20 @@ class BinaryOpAnalyzer
throw new \UnexpectedValueException('bad');
}
$result_type = $statements_analyzer->node_data->getType($stmt);
if (!$result_type) {
return;
}
if ($statements_analyzer->data_flow_graph
&& $result_type
if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph
&& $stmt instanceof PhpParser\Node\Expr\BinaryOp
&& !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Concat
&& !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce
) {
//among BinaryOp, only Concat and Coalesce can pass tainted value to the result
return;
}
if ($statements_analyzer->data_flow_graph) {
$stmt_left_type = $statements_analyzer->node_data->getType($left);
$stmt_right_type = $statements_analyzer->node_data->getType($right);

6
tests/TaintTest.php
View File

@ -644,6 +644,12 @@ class TaintTest extends TestCase
takesArray(["good" => $_GET["bad"]]);'
],
'resultOfComparisonIsNotTainted' => [
'<?php
$input = $_GET["foo"];
$var = $input === "x";
var_dump($var);'
],
];
}