Fixed a case where the conditional taint, specialize, & flow features were not playing nicely together

src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php

@@ -658,7 +658,7 @@ class FunctionCallReturnTypeFetcher
                 $stmt->getArgs(),
                 $node_location,
                 $function_call_node,
-                $removed_taints,
+                [...$removed_taints, ...$conditionally_removed_taints],
                 $added_taints,
             );
         }

stubs/CoreGenericFunctions.phpstub

@@ -816,19 +816,79 @@ function array_product(array $array) {}
  * @psalm-pure
  *
  * 257 is FILTER_VALIDATE_INT
+ * @psalm-taint-escape ($filter is 257 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 257 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'header' : null)
  *
  * 258 is FILTER_VALIDATE_BOOLEAN
+ * @psalm-taint-escape ($filter is 258 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 258 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'header' : null)
  *
  * 259 is FILTER_VALIDATE_FLOAT
+ * @psalm-taint-escape ($filter is 259 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 259 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'header' : null)
  *
  * 519 is FILTER_SANITIZE_NUMBER_INT
+ * @psalm-taint-escape ($filter is 519 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 519 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'header' : null)
  *
  * 520 is FILTER_SANITIZE_NUMBER_FLOAT
+ * @psalm-taint-escape ($filter is 520 ? 'callable' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'unserialize' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'include' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'eval' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'ldap' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'sql' : null)
  * @psalm-taint-escape ($filter is 520 ? 'html' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'has_quotes' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'shell' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'ssrf' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'file' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'cookie' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'header' : null)
  *
  * @psalm-flow ($value, $filter, $options) -> return
  */

tests/TaintTest.php

@@ -230,19 +230,31 @@ class TaintTest extends TestCase
                         echo $a;
                     }',
             ],
-            'taintFilterVarInt' => [
+            'taintFilterVar' => [
                 'code' => '<?php
-                    echo filter_var($_GET["bad"], FILTER_VALIDATE_INT);
+                    $args = [
-                    echo filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_INT);',
+                        filter_var($_GET["bad"], FILTER_VALIDATE_INT),
-            ],
+                        filter_var($_GET["bad"], FILTER_VALIDATE_BOOLEAN),
-            'taintFilterVarBoolean' => [
+                        filter_var($_GET["bad"], FILTER_VALIDATE_FLOAT),
-                'code' => '<?php
+                        filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_INT),
-                    echo filter_var($_GET["bad"], FILTER_VALIDATE_BOOLEAN);',
+                        filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_FLOAT),
-            ],
+                    ];
-            'taintFilterVarFloat' => [
+
-                'code' => '<?php
+                    foreach($args as $arg){
-                    echo filter_var($_GET["bad"], FILTER_VALIDATE_FLOAT);
+                        new $arg;
-                    echo filter_var($_GET["bad"], FILTER_SANITIZE_NUMBER_FLOAT);',
+                        unserialize($arg);
+                        require_once $arg;
+                        eval($arg);
+                        ldap_connect($arg);
+                        ldap_search("", "", $arg);
+                        mysqli_query($conn, $arg);
+                        echo $arg;
+                        system($arg);
+                        curl_init($arg);
+                        file_get_contents($arg);
+                        setcookie($arg);
+                        header($arg);
+                    }',
             ],
             'taintLdapEscape' => [
                 'code' => '<?php