
Merge pull request #9019 from mmcev106/prevent-erroneous-escapes

Prevent DB escaping functions from affecting non-sql taints
This commit is contained in:
orklah 2022-12-28 21:32:12 +01:00 committed by GitHub
commit 94f9d48bca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 182 additions and 0 deletions


@ -495,6 +495,36 @@ final class WeakMap implements ArrayAccess, Countable, IteratorAggregate, Traver
public function offsetUnset($offset) {}
}
class mysqli
{
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
function escape_string($string) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
function real_escape_string($string) {}
}
class SQLite3
{
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
static function escapeString($string) {}
}
#[Attribute(Attribute::TARGET_METHOD)]
final class ReturnTypeWillChange
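Review bot: `@psalm-taint-escape sql` on `mysqli::escape_string`, `mysqli::real_escape_string` and `SQLite3::escapeString` clears the sql taint unconditionally, but these functions only neutralise a value that is subsequently placed inside a quoted SQL string literal; a stub cannot express that precondition, so a result spliced into a query unquoted is reported clean even though the escape did not help. Since the call site cannot be checked from here, a short note in each docblock would at least keep the limitation visible to maintainers, e.g. `* NOTE: the escape is only meaningful for values interpolated inside a quoted SQL string literal; the sql taint is dropped regardless of quoting.` The two class bodies are complete within the hunk; `final class ReturnTypeWillChange` on the last context line continues outside it.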


@ -1492,3 +1492,67 @@ function mb_convert_encoding(array|string $string, string $to_encoding, array|st
* @psalm-suppress ReferenceConstraintViolation
*/
function stream_select(null|array &$read, null|array &$write, null|array &$except, null|int $seconds, null|int $microseconds = null) : bool|int {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
function mysqli_escape_string($string) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
function mysqli_real_escape_string($string) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
function db2_escape_string($string) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string) -> return
*/
function cubrid_real_escape_string($string) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string1, $string2) -> return
*/
function pg_escape_bytea($string1, $string2 = null) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string1, $string2) -> return
*/
function pg_escape_identifier($string1, $string2 = null) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string1, $string2) -> return
*/
function pg_escape_literal($string1, $string2 = null) {}
/**
* @psalm-pure
*
* @psalm-taint-escape sql
* @psalm-flow ($string1, $string2) -> return
*/
function pg_escape_string($string1, $string2 = null) {}
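Review bot: The new `mysqli_escape_string` and `mysqli_real_escape_string` stubs declare a single `$string` parameter, whereas in PHP both take the connection first (`mysqli_real_escape_string(mysqli $mysql, string $string)`); only the one-argument form is modelled here and in the tests (`mysqliEscapeFunctions` and `assertMysqliOnlyEscapesSqlTaints3/4` in the test section). If Psalm resolves `@psalm-flow` against the stub's own parameter list, a real two-argument call would not flow its second argument to the return value, and I would expect the taint to be dropped silently rather than escaped — worth confirming against how the stub is merged with the call map. The `pg_escape_*` stubs in this same hunk already model both argument positions with `($string1, $string2 = null)`; the mysqli stubs should follow suit, e.g. `function mysqli_real_escape_string($mysql, $string) {}` with `@psalm-flow ($string) -> return` (and the same for `mysqli_escape_string`).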


@ -727,6 +727,17 @@ class TaintTest extends TestCase
echo urlencode($_GET["bad"]);
',
],
'mysqliEscapeFunctions' => [
'code' => '<?php
$mysqli = new mysqli();
$a = $mysqli->escape_string($_GET["a"]);
$b = mysqli_escape_string($_GET["b"]);
$c = $mysqli->real_escape_string($_GET["c"]);
$d = mysqli_real_escape_string($_GET["d"]);
$mysqli->query("$a$b$c$d");',
],
];
}
@ -2389,6 +2400,83 @@ class TaintTest extends TestCase
',
'error_message' => 'TaintedShell',
],
'assertMysqliOnlyEscapesSqlTaints1' => [
'code' => '<?php
$mysqli = new mysqli();
echo $mysqli->escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertMysqliOnlyEscapesSqlTaints2' => [
'code' => '<?php
$mysqli = new mysqli();
echo $mysqli->real_escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertMysqliOnlyEscapesSqlTaints3' => [
'code' => '<?php
echo mysqli_escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertMysqliOnlyEscapesSqlTaints4' => [
'code' => '<?php
echo mysqli_real_escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertDb2OnlyEscapesSqlTaints' => [
'code' => '<?php
echo db2_escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertCubridOnlyEscapesSqlTaints' => [
'code' => '<?php
echo cubrid_real_escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertSQLiteOnlyEscapesSqlTaints' => [
'code' => '<?php
echo SQLite3::escapeString($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints1' => [
'code' => '<?php
echo pg_escape_bytea($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints2' => [
'code' => '<?php
echo pg_escape_bytea($conn, $_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints3' => [
'code' => '<?php
echo pg_escape_identifier($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints4' => [
'code' => '<?php
echo pg_escape_identifier($conn, $_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints5' => [
'code' => '<?php
echo pg_escape_literal($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints6' => [
'code' => '<?php
echo pg_escape_literal($conn, $_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints7' => [
'code' => '<?php
echo pg_escape_string($_GET["a"]);',
'error_message' => 'TaintedHtml',
],
'assertPGOnlyEscapesSqlTaints8' => [
'code' => '<?php
echo pg_escape_string($conn, $_GET["a"]);',
'error_message' => 'TaintedHtml',
],
];
}
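Review bot: The `assertPGOnlyEscapesSqlTaints2/4/6/8` snippets pass `$conn` to the `pg_escape_*` calls without ever assigning it, so those cases exercise an undefined variable rather than the two-argument form they are named for; presumably the harness only surfaces taint issues so they still pass, but a non-taint issue reported first could mask the expected `TaintedHtml`. Initialising the variable in each snippet, e.g. `$conn = null;` before the `echo`, keeps the test about argument position only. The provider method and the enclosing `TaintTest` class start outside the hunk.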