Merge pull request #6809 from orklah/binaryOpTaint

don't taint the result of most binary operations
2025-01-21 21:31:13 +01:00 · 2021-11-04 13:18:07 +01:00 · 2021-11-04 13:18:07 +01:00 · e6dccaa07c
commit e6dccaa07c
parent bf993452a8 6e49c61fd0
2 changed files with 36 additions and 2 deletions
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
@ -6,6 +6,7 @@ use Psalm\CodeLocation;
 use Psalm\Context;
 use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer;
 use Psalm\Internal\Analyzer\StatementsAnalyzer;
+use Psalm\Internal\Codebase\TaintFlowGraph;
 use Psalm\Internal\Codebase\VariableUseGraph;
 use Psalm\Internal\DataFlow\DataFlowNode;
 use Psalm\Issue\ImpureMethodCall;
@ -369,10 +370,21 @@ class BinaryOpAnalyzer
            throw new \UnexpectedValueException('bad');
        }
        $result_type = $statements_analyzer->node_data->getType($stmt);
+        if (!$result_type) {
+            return;
+        }

-        if ($statements_analyzer->data_flow_graph
-            && $result_type
+        if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph
+            && $stmt instanceof PhpParser\Node\Expr\BinaryOp
+            && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Concat
+            && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce
+            && (!$stmt instanceof PhpParser\Node\Expr\BinaryOp\Plus || !$result_type->hasArray())
        ) {
+            //among BinaryOp, only Concat and Coalesce can pass tainted value to the result. Also Plus on arrays only
+            return;
+        }
+
+        if ($statements_analyzer->data_flow_graph) {
            $stmt_left_type = $statements_analyzer->node_data->getType($left);
            $stmt_right_type = $statements_analyzer->node_data->getType($right);

--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -644,6 +644,18 @@ class TaintTest extends TestCase

                    takesArray(["good" => $_GET["bad"]]);'
            ],
+            'resultOfComparisonIsNotTainted' => [
+                '<?php
+                    $input = $_GET["foo"];
+                    $var = $input === "x";
+                    var_dump($var);'
+            ],
+            'resultOfPlusIsNotTainted' => [
+                '<?php
+                    $input = $_GET["foo"];
+                    $var = $input + 1;
+                    var_dump($var);'
+            ],
        ];
    }

@ -2153,6 +2165,16 @@ class TaintTest extends TestCase
                    takesArray([$_GET["bad"] => "good"]);',
                'error_message' => 'TaintedHtml',
            ],
+            'resultOfPlusIsTaintedOnArrays' => [
+                '<?php
+                    scope($_GET["foo"]);
+                    function scope(array $foo)
+                    {
+                        $var = $foo + [];
+                        var_dump($var);
+                    }',
+                'error_message' => 'TaintedHtml',
+            ],
            'taintArrayKeyWithExplicitSink' => [
                '<?php
                    /** @psalm-taint-sink html $values */