New sinks for TaintedCallable #10117

stubs/Reflection.phpstub

@@ -15,6 +15,7 @@ class ReflectionClass implements Reflector {
     /**
      * @param T|class-string<T>|interface-string<T>|trait-string|enum-string<T> $argument
      * @psalm-pure
+     * @psalm-taint-sink callable $argument
      */
     public function __construct($argument) {}
 
@@ -411,6 +412,11 @@ abstract class ReflectionFunctionAbstract implements Reflector
     /** @psalm-pure */
     public function getClosure(): Closure {}
 
+    /**
+     * @psalm-taint-sink callable $function
+     */
+    public function __construct(callable $function) {}
+
     /**
      * @since 8.0
      * @template TClass as object

tests/TaintTest.php

@@ -2488,6 +2488,19 @@ class TaintTest extends TestCase
                 'code' => '<?php
                     echo pg_escape_string($conn, $_GET["a"]);',
                 'error_message' => 'TaintedHtml',
+            'taintedReflectionClass' => [
+                'code' => '<?php
+                    $name = $_GET["name"];
+                    $reflector = new ReflectionClass($name);
+                    $reflector->newInstance();',
+                'error_message' => 'TaintedCallable',
+            ],
+            'taintedReflectionFunction' => [
+                'code' => '<?php
+                    $name = $_GET["name"];
+                    $function = new ReflectionFunction($name);
+                    $function->invoke();',
+                'error_message' => 'TaintedCallable',
             ],
         ];
     }