Taint flows through preg_replace_callback

2024-11-30 04:39:00 +01:00 · 2020-06-23 15:28:31 -04:00 · 2020-06-23 15:28:31 -04:00 · f46236ad71
commit f46236ad71
parent f72b609d42
2 changed files with 37 additions and 0 deletions
--- a/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub
+++ b/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub
@ -612,6 +612,17 @@ function str_replace($search, $replace, $subject, &$count = null) {}
 */
 function preg_replace($search, $replace, $subject, int $limit = -1, &$count = null) {}

+/**
+ * @param string|string[] $search
+ * @param callable(array<int, string>):string $replace
+ * @param string|array<string|int|float> $subject
+ * @param int $count
+ * @return ($subject is array ? array<string> : string)
+ *
+ * @psalm-flow ($subject) -> return
+ */
+function preg_replace_callback($search, $replace, $subject, int $limit = -1, &$count = null) {}
+
 /**
 * @psalm-pure
 *
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -1749,4 +1749,30 @@ class TaintTest extends TestCase

        $this->analyzeFile('somefile.php', new Context());
    }
+
+    public function testTaintThroughPregReplaceCallback() : void
+    {
+        $this->expectException(\Psalm\Exception\CodeException::class);
+        $this->expectExceptionMessage('TaintedInput');
+
+        $this->project_analyzer->trackTaintedInputs();
+
+        $this->addFile(
+            'somefile.php',
+            '<?php
+                $a = $_GET["bad"];
+
+                $b = preg_replace_callback(
+                    \'/foo/\',
+                    function (array $matches) : string {
+                        return $matches[1];
+                    },
+                    $a
+                );
+
+                echo $b;'
+        );
+
+        $this->analyzeFile('somefile.php', new Context());
+    }
 }