From bb2cf1f30ad32266a48f7ec3a61633e146e04b24 Mon Sep 17 00:00:00 2001
From: Mark McEver <mark@fastmail.net>
Date: Mon, 23 Jan 2023 15:09:29 -0600
Subject: [PATCH 1/3] Added @psalm-pure to filter_var()

---
 stubs/CoreGenericFunctions.phpstub | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/stubs/CoreGenericFunctions.phpstub b/stubs/CoreGenericFunctions.phpstub
index 90355efd5..51db73457 100644
--- a/stubs/CoreGenericFunctions.phpstub
+++ b/stubs/CoreGenericFunctions.phpstub
@@ -813,6 +813,8 @@ function array_sum(array $array) {}
 function array_product(array $array) {}
 
 /**
+ * @psalm-pure
+ *
  * 257 is FILTER_VALIDATE_INT
  * @psalm-taint-escape ($filter is 257 ? 'html' : null)
  *

From b5781c34e85a96a51f0ec5448a5c1e0249d92197 Mon Sep 17 00:00:00 2001
From: Mark McEver <mark@fastmail.net>
Date: Wed, 1 Feb 2023 15:41:52 -0600
Subject: [PATCH 2/3] Fixed a case where the conditional taint, specialize, &
 flow features were not playing nicely together

---
 .../Call/FunctionCallReturnTypeFetcher.php    |  2 +-
 stubs/CoreGenericFunctions.phpstub            | 60 +++++++++++++++++++
 tests/TaintTest.php                           | 36 +++++++----
 3 files changed, 85 insertions(+), 13 deletions(-)

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
index bd54e0f90..0a8322e3c 100644
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
@@ -658,7 +658,7 @@ class FunctionCallReturnTypeFetcher
                 $stmt->getArgs(),
                 $node_location,
                 $function_call_node,
-                $removed_taints,
+                [...$removed_taints, ...$conditionally_removed_taints],
                 $added_taints,
             );
         }
diff --git a/stubs/CoreGenericFunctions.phpstub b/stubs/CoreGenericFunctions.phpstub
index 51db73457..abd7d6219 100644
--- a/stubs/CoreGenericFunctions.phpstub
+++ b/stubs/CoreGenericFunctions.phpstub
@@ -816,19 +816,79 @@ function array_product(array $array) {}
  * @psalm-pure
  *
  * 257 is FILTER_VALIDATE_INT
+ * @psalm-taint-escape ($filter is 257 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 257 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'header' : null)
  *
  * 258 is FILTER_VALIDATE_BOOLEAN
+ * @psalm-taint-escape ($filter is 258 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 258 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'header' : null)
  *
  * 259 is FILTER_VALIDATE_FLOAT
+ * @psalm-taint-escape ($filter is 259 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 259 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'header' : null)
  *
  * 519 is FILTER_SANITIZE_NUMBER_INT
+ * @psalm-taint-escape ($filter is 519 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 519 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'header' : null)
  *
  * 520 is FILTER_SANITIZE_NUMBER_FLOAT
+ * @psalm-taint-escape ($filter is 520 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 520 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'header' : null)
  *
  * @psalm-flow ($value, $filter, $options) -> return
  */
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index 4034e9dc0..e0610c802 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -230,19 +230,31 @@ class TaintTest extends TestCase
                         echo $a;
                     }',
             ],
-            'taintFilterVarInt' => [
+            'taintFilterVar' => [
                 'code' => '<?php
-                    echo filter_var($_GET["bad"], FILTER_VALIDATE_INT);
-                    echo filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_INT);',
-            ],
-            'taintFilterVarBoolean' => [
-                'code' => '<?php
-                    echo filter_var($_GET["bad"], FILTER_VALIDATE_BOOLEAN);',
-            ],
-            'taintFilterVarFloat' => [
-                'code' => '<?php
-                    echo filter_var($_GET["bad"], FILTER_VALIDATE_FLOAT);
-                    echo filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_FLOAT);',
+                    $args = [
+                        filter_var($_GET["bad"], FILTER_VALIDATE_INT),
+                        filter_var($_GET["bad"], FILTER_VALIDATE_BOOLEAN),
+                        filter_var($_GET["bad"], FILTER_VALIDATE_FLOAT),
+                        filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_INT),
+                        filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_FLOAT),
+                    ];
+
+                    foreach($args as $arg){
+                        new $arg;
+                        unserialize($arg);
+                        require_once $arg;
+                        eval($arg);
+                        ldap_connect($arg);
+                        ldap_search("", "", $arg);
+                        mysqli_query($conn, $arg);
+                        echo $arg;
+                        system($arg);
+                        curl_init($arg);
+                        file_get_contents($arg);
+                        setcookie($arg);
+                        header($arg);
+                    }',
             ],
             'taintLdapEscape' => [
                 'code' => '<?php

From 77ea545244950b8bc5648197017aaedc3b964db8 Mon Sep 17 00:00:00 2001
From: Mark McEver <mark@fastmail.net>
Date: Wed, 1 Feb 2023 15:50:36 -0600
Subject: [PATCH 3/3] Attempted to avoid a psalm warning that was not accurate

---
 .../Expression/Call/FunctionCallReturnTypeFetcher.php           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
index 0a8322e3c..6c40bf783 100644
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
@@ -658,7 +658,7 @@ class FunctionCallReturnTypeFetcher
                 $stmt->getArgs(),
                 $node_location,
                 $function_call_node,
-                [...$removed_taints, ...$conditionally_removed_taints],
+                array_merge($removed_taints, $conditionally_removed_taints),
                 $added_taints,
             );
         }