danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2024-11-30 04:39:00 +01:00
Code Issues Projects Releases Wiki Activity

Fixed a case where the conditional taint, specialize, & flow features were not playing nicely together

Browse Source
This commit is contained in:
Mark McEver 2023-02-01 15:41:52 -06:00
parent bb2cf1f30a
commit b5781c34e8
3 changed files with 85 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
View File

@ -658,7 +658,7 @@ class FunctionCallReturnTypeFetcher
$stmt->getArgs(),
$node_location,
$function_call_node,
$removed_taints,
[...$removed_taints, ...$conditionally_removed_taints],
$added_taints,
);
}

60
stubs/CoreGenericFunctions.phpstub
View File

@ -816,19 +816,79 @@ function array_product(array $array) {}
* @psalm-pure
*
* 257 is FILTER_VALIDATE_INT
* @psalm-taint-escape ($filter is 257 ? 'callable' : null)
* @psalm-taint-escape ($filter is 257 ? 'unserialize' : null)
* @psalm-taint-escape ($filter is 257 ? 'include' : null)
* @psalm-taint-escape ($filter is 257 ? 'eval' : null)
* @psalm-taint-escape ($filter is 257 ? 'ldap' : null)
* @psalm-taint-escape ($filter is 257 ? 'sql' : null)
* @psalm-taint-escape ($filter is 257 ? 'html' : null)
* @psalm-taint-escape ($filter is 257 ? 'has_quotes' : null)
* @psalm-taint-escape ($filter is 257 ? 'shell' : null)
* @psalm-taint-escape ($filter is 257 ? 'ssrf' : null)
* @psalm-taint-escape ($filter is 257 ? 'file' : null)
* @psalm-taint-escape ($filter is 257 ? 'cookie' : null)
* @psalm-taint-escape ($filter is 257 ? 'header' : null)
*
* 258 is FILTER_VALIDATE_BOOLEAN
* @psalm-taint-escape ($filter is 258 ? 'callable' : null)
* @psalm-taint-escape ($filter is 258 ? 'unserialize' : null)
* @psalm-taint-escape ($filter is 258 ? 'include' : null)
* @psalm-taint-escape ($filter is 258 ? 'eval' : null)
* @psalm-taint-escape ($filter is 258 ? 'ldap' : null)
* @psalm-taint-escape ($filter is 258 ? 'sql' : null)
* @psalm-taint-escape ($filter is 258 ? 'html' : null)
* @psalm-taint-escape ($filter is 258 ? 'has_quotes' : null)
* @psalm-taint-escape ($filter is 258 ? 'shell' : null)
* @psalm-taint-escape ($filter is 258 ? 'ssrf' : null)
* @psalm-taint-escape ($filter is 258 ? 'file' : null)
* @psalm-taint-escape ($filter is 258 ? 'cookie' : null)
* @psalm-taint-escape ($filter is 258 ? 'header' : null)
*
* 259 is FILTER_VALIDATE_FLOAT
* @psalm-taint-escape ($filter is 259 ? 'callable' : null)
* @psalm-taint-escape ($filter is 259 ? 'unserialize' : null)
* @psalm-taint-escape ($filter is 259 ? 'include' : null)
* @psalm-taint-escape ($filter is 259 ? 'eval' : null)
* @psalm-taint-escape ($filter is 259 ? 'ldap' : null)
* @psalm-taint-escape ($filter is 259 ? 'sql' : null)
* @psalm-taint-escape ($filter is 259 ? 'html' : null)
* @psalm-taint-escape ($filter is 259 ? 'has_quotes' : null)
* @psalm-taint-escape ($filter is 259 ? 'shell' : null)
* @psalm-taint-escape ($filter is 259 ? 'ssrf' : null)
* @psalm-taint-escape ($filter is 259 ? 'file' : null)
* @psalm-taint-escape ($filter is 259 ? 'cookie' : null)
* @psalm-taint-escape ($filter is 259 ? 'header' : null)
*
* 519 is FILTER_SANITIZE_NUMBER_INT
* @psalm-taint-escape ($filter is 519 ? 'callable' : null)
* @psalm-taint-escape ($filter is 519 ? 'unserialize' : null)
* @psalm-taint-escape ($filter is 519 ? 'include' : null)
* @psalm-taint-escape ($filter is 519 ? 'eval' : null)
* @psalm-taint-escape ($filter is 519 ? 'ldap' : null)
* @psalm-taint-escape ($filter is 519 ? 'sql' : null)
* @psalm-taint-escape ($filter is 519 ? 'html' : null)
* @psalm-taint-escape ($filter is 519 ? 'has_quotes' : null)
* @psalm-taint-escape ($filter is 519 ? 'shell' : null)
* @psalm-taint-escape ($filter is 519 ? 'ssrf' : null)
* @psalm-taint-escape ($filter is 519 ? 'file' : null)
* @psalm-taint-escape ($filter is 519 ? 'cookie' : null)
* @psalm-taint-escape ($filter is 519 ? 'header' : null)
*
* 520 is FILTER_SANITIZE_NUMBER_FLOAT
* @psalm-taint-escape ($filter is 520 ? 'callable' : null)
* @psalm-taint-escape ($filter is 520 ? 'unserialize' : null)
* @psalm-taint-escape ($filter is 520 ? 'include' : null)
* @psalm-taint-escape ($filter is 520 ? 'eval' : null)
* @psalm-taint-escape ($filter is 520 ? 'ldap' : null)
* @psalm-taint-escape ($filter is 520 ? 'sql' : null)
* @psalm-taint-escape ($filter is 520 ? 'html' : null)
* @psalm-taint-escape ($filter is 520 ? 'has_quotes' : null)
* @psalm-taint-escape ($filter is 520 ? 'shell' : null)
* @psalm-taint-escape ($filter is 520 ? 'ssrf' : null)
* @psalm-taint-escape ($filter is 520 ? 'file' : null)
* @psalm-taint-escape ($filter is 520 ? 'cookie' : null)
* @psalm-taint-escape ($filter is 520 ? 'header' : null)
*
* @psalm-flow ($value, $filter, $options) -> return
*/

36
tests/TaintTest.php
View File

@ -230,19 +230,31 @@ class TaintTest extends TestCase
echo $a;
}',
],
'taintFilterVarInt' => [
'taintFilterVar' => [
'code' => '<?php
echo filter_var($_GET["bad"], FILTER_VALIDATE_INT);
echo filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_INT);',
],
'taintFilterVarBoolean' => [
'code' => '<?php
echo filter_var($_GET["bad"], FILTER_VALIDATE_BOOLEAN);',
],
'taintFilterVarFloat' => [
'code' => '<?php
echo filter_var($_GET["bad"], FILTER_VALIDATE_FLOAT);
echo filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_FLOAT);',
$args = [
filter_var($_GET["bad"], FILTER_VALIDATE_INT),
filter_var($_GET["bad"], FILTER_VALIDATE_BOOLEAN),
filter_var($_GET["bad"], FILTER_VALIDATE_FLOAT),
filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_INT),
filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_FLOAT),
];
foreach($args as $arg){
new $arg;
unserialize($arg);
require_once $arg;
eval($arg);
ldap_connect($arg);
ldap_search("", "", $arg);
mysqli_query($conn, $arg);
echo $arg;
system($arg);
curl_init($arg);
file_get_contents($arg);
setcookie($arg);
header($arg);
}',
],
'taintLdapEscape' => [
'code' => '<?php