danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2024-11-30 04:39:00 +01:00
Code Issues Projects Releases Wiki Activity

Taint can't transmit through numerics nor bool

Browse Source
This commit is contained in:
orklah 2021-11-25 22:40:01 +01:00
parent b42c2814a9
commit 3bc06a8eab
3 changed files with 69 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php
View File

@ -1032,40 +1032,47 @@ abstract class FunctionLikeAnalyzer extends SourceAnalyzer
if ($statements_analyzer->data_flow_graph
&& $function_param->location
) {
$param_assignment = DataFlowNode::getForAssignment(
'$' . $function_param->name,
$function_param->location
);
$statements_analyzer->data_flow_graph->addNode($param_assignment);
if ($cased_method_id) {
$type_source = DataFlowNode::getForMethodArgument(
$cased_method_id,
$cased_method_id,
$offset,
$function_param->location,
null
);
$statements_analyzer->data_flow_graph->addPath($type_source, $param_assignment, 'param');
}
if ($function_param->by_ref
&& $codebase->find_unused_variables
if ($function_param->type === null
|| !$function_param->type->isSingle()
|| (!$function_param->type->isInt()
&& !$function_param->type->isFloat()
&& !$function_param->type->isBool())
) {
$statements_analyzer->data_flow_graph->addPath(
$param_assignment,
new DataFlowNode('variable-use', 'variable use', null),
'variable-use'
$param_assignment = DataFlowNode::getForAssignment(
'$' . $function_param->name,
$function_param->location
);
}
if ($storage->variadic) {
$this->param_nodes += [$param_assignment->id => $param_assignment];
}
$statements_analyzer->data_flow_graph->addNode($param_assignment);
$var_type->parent_nodes += [$param_assignment->id => $param_assignment];
if ($cased_method_id) {
$type_source = DataFlowNode::getForMethodArgument(
$cased_method_id,
$cased_method_id,
$offset,
$function_param->location,
null
);
$statements_analyzer->data_flow_graph->addPath($type_source, $param_assignment, 'param');
}
if ($function_param->by_ref
&& $codebase->find_unused_variables
) {
$statements_analyzer->data_flow_graph->addPath(
$param_assignment,
new DataFlowNode('variable-use', 'variable use', null),
'variable-use'
);
}
if ($storage->variadic) {
$this->param_nodes += [$param_assignment->id => $param_assignment];
}
$var_type->parent_nodes += [$param_assignment->id => $param_assignment];
}
}
$context->vars_in_scope['$' . $function_param->name] = $var_type;

4
src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php
View File

@ -1505,10 +1505,10 @@ class ArgumentAnalyzer
return $input_type;
}
// numeric types can't be tainted
// numeric types can't be tainted, neither can bool
if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph
&& $input_type->isSingle()
&& ($input_type->isInt() || $input_type->isFloat())
&& ($input_type->isInt() || $input_type->isFloat() || $input_type->isBool())
) {
return $input_type;
}

30
tests/TaintTest.php
View File

@ -671,6 +671,36 @@ class TaintTest extends TestCase
$var = $input + 1;
var_dump($var);'
],
'NoTaintForIntTypeHintUsingAnnotatedSink' => [
'<?php // --taint-analysis
function fetch(int $id): string
{
return query("SELECT * FROM table WHERE id=" . $id);
}
/**
* @return string
* @psalm-taint-sink sql $sql
* @psalm-taint-specialize
*/
function query(string $sql) {}
$value = $_GET["value"];
$result = fetch($value);'
],
'NoTaintForIntTypeCastUsingAnnotatedSink' => [
'<?php // --taint-analysis
function fetch($id): string
{
return query("SELECT * FROM table WHERE id=" . (int)$id);
}
/**
* @return string
* @psalm-taint-sink sql $sql
* @psalm-taint-specialize
*/
function query(string $sql) {}
$value = $_GET["value"];
$result = fetch($value);'
],
];
}