exclude Plus on arrays too

2025-01-21 21:31:13 +01:00 · 2021-11-04 00:27:00 +01:00 · 2021-11-04 00:27:00 +01:00 · 9fb74a4f28
commit 9fb74a4f28
parent 3b01713257
2 changed files with 17 additions and 0 deletions
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
@ -378,6 +378,7 @@ class BinaryOpAnalyzer
            && $stmt instanceof PhpParser\Node\Expr\BinaryOp
            && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Concat
            && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce
+            && (!$stmt instanceof PhpParser\Node\Expr\BinaryOp\Plus || !$result_type->hasArray())
        ) {
            //among BinaryOp, only Concat and Coalesce can pass tainted value to the result
            return;
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -650,6 +650,12 @@ class TaintTest extends TestCase
                    $var = $input === "x";
                    var_dump($var);'
            ],
+            'resultOfPlusIsNotTainted' => [
+                '<?php
+                    $input = $_GET["foo"];
+                    $var = $input + 1;
+                    var_dump($var);'
+            ],
        ];
    }

@ -2159,6 +2165,16 @@ class TaintTest extends TestCase
                    takesArray([$_GET["bad"] => "good"]);',
                'error_message' => 'TaintedHtml',
            ],
+            'resultOfPlusIsTaintedOnArrays' => [
+                '<?php
+                    scope($_GET["foo"]);
+                    function scope(array $foo)
+                    {
+                        $var = $foo + [];
+                        var_dump($var);
+                    }',
+                'error_message' => 'TaintedHtml',
+            ],
            'taintArrayKeyWithExplicitSink' => [
                '<?php
                    /** @psalm-taint-sink html $values */