From 9c0e9a3d7ed59d84ebc88558a09b90a57aa07e53 Mon Sep 17 00:00:00 2001
From: Matt Brown <github@muglug.com>
Date: Sun, 6 Dec 2020 11:24:48 -0500
Subject: [PATCH] Taint all when conditional return is used

Ref #4792
---
 .../Call/FunctionCallReturnTypeFetcher.php    |  6 ++++--
 tests/TaintTest.php                           | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
index 1caa73e15..9e5cdbaef 100644
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
@@ -512,8 +512,10 @@ class FunctionCallReturnTypeFetcher
                 true
             );
 
-            foreach ($expanded_type->getLiteralStrings() as $literal_string) {
-                $conditionally_removed_taints[] = $literal_string->value;
+            if (!$expanded_type->isNullable()) {
+                foreach ($expanded_type->getLiteralStrings() as $literal_string) {
+                    $conditionally_removed_taints[] = $literal_string->value;
+                }
             }
         }
 
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index 711417710..fb8fe9d04 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -1975,6 +1975,27 @@ class TaintTest extends TestCase
                     echo get("x");',
                 'error_message' => 'TaintedHtml',
             ],
+            'conditionallyEscapedTaintsAll' => [
+                '<?php
+                    /** @psalm-taint-escape ($type is "int" ? "html" : null) */
+                    function cast(mixed $value, string $type): mixed
+                    {
+                        if ("int" === $type) {
+                            return (int) $value;
+                        }
+                        return (string) $value;
+                    }
+
+                    /** @psalm-taint-specialize */
+                    function data(array $data, string $key, string $type) {
+                        return cast($data[$key], $type);
+                    }
+
+                    // technically a false-positive, but desired behaviour in lieu
+                    // of better information
+                    echo data($_GET, "x", "int");',
+                'error_message' => 'TaintedHtml',
+            ],
             /*
             // TODO: Stubs do not support this type of inference even with $this->message = $message.
             // Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.