mirror of
https://github.com/danog/psalm.git
Fix #4605 - taint parent-declared property
parent
39c508f9d1
commit
be275ae972
@ -412,7 +412,7 @@ class InstancePropertyAssignmentAnalyzer
|
||||
$has_regular_setter = true;
|
||||
$property_exists = true;
|
||||
|
||||
if (!$context->collect_initializations) {
|
||||
if (!$context->collect_initializations && !$context->collect_mutations) {
|
||||
self::taintProperty(
|
||||
$statements_analyzer,
|
||||
$stmt,
|
||||
@ -483,7 +483,7 @@ class InstancePropertyAssignmentAnalyzer
|
||||
* not in that list, fall through
|
||||
*/
|
||||
if (!$var_id || !$class_storage->sealed_properties) {
|
||||
if (!$context->collect_initializations) {
|
||||
if (!$context->collect_initializations && !$context->collect_mutations) {
|
||||
self::taintProperty(
|
||||
$statements_analyzer,
|
||||
$stmt,
|
||||
@ -535,7 +535,10 @@ class InstancePropertyAssignmentAnalyzer
|
||||
}
|
||||
}
|
||||
|
||||
if ($statements_analyzer->data_flow_graph && !$context->collect_initializations) {
|
||||
if ($statements_analyzer->data_flow_graph
|
||||
&& !$context->collect_initializations
|
||||
&& !$context->collect_mutations
|
||||
) {
|
||||
$class_storage = $codebase->classlike_storage_provider->get($fq_class_name);
|
||||
|
||||
self::taintProperty(
|
||||
@ -1162,6 +1165,8 @@ class InstancePropertyAssignmentAnalyzer
|
||||
return;
|
||||
}
|
||||
|
||||
$codebase = $statements_analyzer->getCodebase();
|
||||
|
||||
$data_flow_graph = $statements_analyzer->data_flow_graph;
|
||||
|
||||
$var_location = new CodeLocation($statements_analyzer->getSource(), $stmt->var);
|
||||
@ -1265,6 +1270,29 @@ class InstancePropertyAssignmentAnalyzer
|
||||
$data_flow_graph->addPath($parent_node, $localized_property_node, '=');
|
||||
}
|
||||
}
|
||||
|
||||
$declaring_property_class = $codebase->properties->getDeclaringClassForProperty(
|
||||
$property_id,
|
||||
false,
|
||||
$statements_analyzer
|
||||
);
|
||||
|
||||
if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph
|
||||
&& $declaring_property_class
|
||||
&& $declaring_property_class !== $class_storage->name
|
||||
&& $stmt->name instanceof PhpParser\Node\Identifier
|
||||
) {
|
||||
$declaring_property_node = new DataFlowNode(
|
||||
$declaring_property_class . '::$' . $stmt->name,
|
||||
$declaring_property_class . '::$' . $stmt->name,
|
||||
null,
|
||||
null
|
||||
);
|
||||
|
||||
$data_flow_graph->addNode($declaring_property_node);
|
||||
|
||||
$data_flow_graph->addPath($property_node, $declaring_property_node, 'property-assignment');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
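Review bot: In the last hunk the new guard tests `$statements_analyzer->data_flow_graph instanceof TaintFlowGraph`, but the body calls `addNode()` and `addPath()` on the local `$data_flow_graph`, which an earlier hunk shows being assigned from that same property; testing the local, `if ($data_flow_graph instanceof TaintFlowGraph`, keeps the type check on the variable that is actually used. `getDeclaringClassForProperty()` is also called before this check, so the lookup runs for every graph type even though its result is only used for taint graphs. The three `taintProperty` guards now repeat `!$context->collect_initializations && !$context->collect_mutations` with no comment saying why taint edges are skipped on those passes; a one-line comment at the first of them would help the next reader. The enclosing method starts outside the hunk, and I am assuming the `$data_flow_graph` assignment and the new block belong to the same method.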
@ -1782,6 +1782,26 @@ class TaintTest extends TestCase
|
||||
ldap_search($ds, $dn, $filter, []);',
|
||||
'error_message' => 'TaintedLdap',
|
||||
],
|
||||
'potentialTaintThroughChildClassSettingProperty' => [
|
||||
'<?php
|
||||
class A {
|
||||
public string $taint = "";
|
||||
|
||||
public function getTaint() : string {
|
||||
return $this->taint;
|
||||
}
|
||||
}
|
||||
|
||||
class B extends A {
|
||||
public function __construct(string $taint) {
|
||||
$this->taint = $taint;
|
||||
}
|
||||
}
|
||||
|
||||
$b = new B($_GET["bar"]);
|
||||
echo $b->getTaint();',
|
||||
'error_message' => 'TaintedHtml',
|
||||
],
|
||||
/*
|
||||
// TODO: Stubs do not support this type of inference even with $this->message = $message.
|
||||
// Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.
|
||||
|
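Review bot: The added case `potentialTaintThroughChildClassSettingProperty` pins only one shape: a direct child's constructor writes a property declared one level up, and the parent's own getter reads it. A missing edge in this area is a silent false negative in the taint report, so companion cases would be worth adding: a grandchild (`class C extends B`) assigning `$this->taint`, and a property assigned in `A` but read through a method declared in `B`. Whether those shapes already pass is not visible from this commit, so they may need analyzer changes as well as tests.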