Merge pull request #6813 from orklah/intTaint

don't register taints for numeric variables

src/Psalm/Internal/Analyzer/Statements/EchoAnalyzer.php

@@ -38,7 +38,7 @@ class EchoAnalyzer
             $expr_type = $statements_analyzer->node_data->getType($expr);
 
             if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) {
-                if ($expr_type) {
+                if ($expr_type && $expr_type->hasObjectType()) {
                     $expr_type = CastAnalyzer::castStringAttempt(
                         $statements_analyzer,
                         $context,

src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php

@@ -1505,6 +1505,14 @@ class ArgumentAnalyzer
             return $input_type;
         }
 
+        // numeric types can't be tainted
+        if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph
+            && $input_type->isSingle()
+            && ($input_type->isInt() || $input_type->isFloat())
+        ) {
+            return $input_type;
+        }
+
         $event = new AddRemoveTaintsEvent($expr, $context, $statements_analyzer, $codebase);
 
         $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event);

tests/TaintTest.php

@@ -616,6 +616,21 @@ class TaintTest extends TestCase
                     echo foo($_GET["foo"], true);
                     echo foo($_GET["foo"]);'
             ],
+            'NoTaintForInt' => [
+                '<?php // --taint-analysis
+
+                    function foo(int $value): void {
+                        echo $value;
+                    }
+
+                    foo($_GET["foo"]);
+
+                    function bar(): int {
+                        return $_GET["foo"];
+                    }
+
+                    echo bar();'
+            ],
             'conditionallyEscapedTaintPassedTrueStaticCall' => [
                 '<?php
                     class U {