
Fix #4605 - taint parent-declared property

Matt Brown 2020-11-18 13:34:47 -05:00
parent 39c508f9d1
commit be275ae972
2 changed files with 51 additions and 3 deletions


@ -412,7 +412,7 @@ class InstancePropertyAssignmentAnalyzer
$has_regular_setter = true;
$property_exists = true;
if (!$context->collect_initializations) {
if (!$context->collect_initializations && !$context->collect_mutations) {
self::taintProperty(
$statements_analyzer,
$stmt,
@ -483,7 +483,7 @@ class InstancePropertyAssignmentAnalyzer
* not in that list, fall through
*/
if (!$var_id || !$class_storage->sealed_properties) {
if (!$context->collect_initializations) {
if (!$context->collect_initializations && !$context->collect_mutations) {
self::taintProperty(
$statements_analyzer,
$stmt,
@ -535,7 +535,10 @@ class InstancePropertyAssignmentAnalyzer
}
}
if ($statements_analyzer->data_flow_graph && !$context->collect_initializations) {
if ($statements_analyzer->data_flow_graph
&& !$context->collect_initializations
&& !$context->collect_mutations
) {
$class_storage = $codebase->classlike_storage_provider->get($fq_class_name);
self::taintProperty(
@ -1162,6 +1165,8 @@ class InstancePropertyAssignmentAnalyzer
return;
}
$codebase = $statements_analyzer->getCodebase();
$data_flow_graph = $statements_analyzer->data_flow_graph;
$var_location = new CodeLocation($statements_analyzer->getSource(), $stmt->var);
@ -1265,6 +1270,29 @@ class InstancePropertyAssignmentAnalyzer
$data_flow_graph->addPath($parent_node, $localized_property_node, '=');
}
}
$declaring_property_class = $codebase->properties->getDeclaringClassForProperty(
$property_id,
false,
$statements_analyzer
);
if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph
&& $declaring_property_class
&& $declaring_property_class !== $class_storage->name
&& $stmt->name instanceof PhpParser\Node\Identifier
) {
$declaring_property_node = new DataFlowNode(
$declaring_property_class . '::$' . $stmt->name,
$declaring_property_class . '::$' . $stmt->name,
null,
null
);
$data_flow_graph->addNode($declaring_property_node);
$data_flow_graph->addPath($property_node, $declaring_property_node, 'property-assignment');
}
}
}
}
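Review bot: In the last hunk the new guard tests `$statements_analyzer->data_flow_graph instanceof TaintFlowGraph`, but the body calls `addNode`/`addPath` on the local `$data_flow_graph` assigned earlier in this method; testing the local (`if ($data_flow_graph instanceof TaintFlowGraph`) keeps the check and the use on the same variable. `getDeclaringClassForProperty()` is also called before that guard, so the lookup runs even when the graph is not a taint graph; moving the call inside the branch would avoid that. The branch would benefit from a why-comment such as `// A subclass assignment must also feed the declaring class's property node, since inherited methods read the property under that id`. The new node's id presumably has to match exactly what the property-fetch side builds, otherwise the flow is dropped silently and a tainted value goes unreported. The enclosing method starts and ends outside the hunks shown.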


@ -1782,6 +1782,26 @@ class TaintTest extends TestCase
ldap_search($ds, $dn, $filter, []);',
'error_message' => 'TaintedLdap',
],
'potentialTaintThroughChildClassSettingProperty' => [
'<?php
class A {
public string $taint = "";
public function getTaint() : string {
return $this->taint;
}
}
class B extends A {
public function __construct(string $taint) {
$this->taint = $taint;
}
}
$b = new B($_GET["bar"]);
echo $b->getTaint();',
'error_message' => 'TaintedHtml',
],
/*
// TODO: Stubs do not support this type of inference even with $this->message = $message.
// Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.