danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2025-01-21 21:31:13 +01:00
Code Issues Projects Releases Wiki Activity

No false-positives for tainting through array keys

Browse Source
This commit is contained in:
Matt Brown 2021-06-29 17:05:39 -04:00
parent c06f1cd2c6
commit 667dcc2e49
2 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/Psalm/Internal/Codebase/DataFlowGraph.php
View File

@ -63,7 +63,9 @@ abstract class DataFlowGraph
) : bool { ) : bool {
$el = strlen($expression_type); $el = strlen($expression_type);
if (substr($path_type, 0, $el + 7) === $expression_type . '-fetch-') { // arraykey-fetch requires a matching arraykey-assignment at the same level
// otherwise the tainting is not valid
if (substr($path_type, 0, $el + 7) === $expression_type . '-fetch-' || $path_type === 'arraykey-fetch') {
$fetch_nesting = 0; $fetch_nesting = 0;
$previous_path_types = array_reverse($previous_path_types); $previous_path_types = array_reverse($previous_path_types);

20
tests/TaintTest.php
View File

@ -630,6 +630,16 @@ class TaintTest extends TestCase
echo U::foo($_GET["foo"], true); echo U::foo($_GET["foo"], true);
echo U::foo($_GET["foo"]);' echo U::foo($_GET["foo"]);'
], ],
'keysAreNotTainted' => [
'<?php
function takesArray(array $arr): void {
foreach ($arr as $key => $_) {
echo $key;
}
}
takesArray(["good" => $_GET["bad"]]);'
],
]; ];
} }
@ -2128,15 +2138,15 @@ class TaintTest extends TestCase
$res = Wdb::query("SELECT blah FROM tablea ORDER BY ". $order. " DESC");', $res = Wdb::query("SELECT blah FROM tablea ORDER BY ". $order. " DESC");',
'error_message' => 'TaintedSql', 'error_message' => 'TaintedSql',
], ],
'taintArrayKey' => [ 'keysAreTainted' => [
'<?php '<?php
function doTheMagic(array $values) { function takesArray(array $arr): void {
foreach ($values as $key => $value) { foreach ($arr as $key => $_) {
echo $key . " " . $value; echo $key;
} }
} }
doTheMagic([(string)$_GET["bad"] => "foo"]);', takesArray([$_GET["bad"] => "good"]);',
'error_message' => 'TaintedHtml', 'error_message' => 'TaintedHtml',
], ],
'taintArrayKeyWithExplicitSink' => [ 'taintArrayKeyWithExplicitSink' => [