Implement variadic taint propagation (#4649)

* Implement variadic taint propagation * Lint code
2025-01-21 21:31:13 +01:00 · 2020-11-21 23:41:40 +01:00 · 2020-11-21 23:41:40 +01:00 · ffb0c4ae17
commit ffb0c4ae17
parent ae0486529e
2 changed files with 47 additions and 19 deletions
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php
@ -1426,28 +1426,40 @@ class FunctionCallAnalyzer extends CallAnalyzer
                    continue;
                }

-                $arg_location = new CodeLocation(
-                    $statements_analyzer->getSource(),
-                    $stmt->args[$i]->value
-                );
+                $current_arg_is_variadic = $function_storage->params[$i]->is_variadic;
+                $taintableArgIndex = [$i];

-                $function_param_sink = DataFlowNode::getForMethodArgument(
-                    $function_id,
-                    $function_id,
-                    $i,
-                    $arg_location,
-                    $function_storage->specialize_call ? $node_location : null
-                );
+                if ($current_arg_is_variadic) {
+                    $max_params = count($stmt->args) - 1;
+                    for ($arg_index = $i + 1; $arg_index <= $max_params; $arg_index++) {
+                        $taintableArgIndex[] = $arg_index;
+                    }
+                }

-                $statements_analyzer->data_flow_graph->addNode($function_param_sink);
+                foreach ($taintableArgIndex as $argIndex) {
+                    $arg_location = new CodeLocation(
+                        $statements_analyzer->getSource(),
+                        $stmt->args[$argIndex]->value
+                    );

-                $statements_analyzer->data_flow_graph->addPath(
-                    $function_param_sink,
-                    $function_call_node,
-                    $path_type,
-                    $function_storage->added_taints,
-                    $removed_taints
-                );
+                    $function_param_sink = DataFlowNode::getForMethodArgument(
+                        $function_id,
+                        $function_id,
+                        $argIndex,
+                        $arg_location,
+                        $function_storage->specialize_call ? $node_location : null
+                    );
+
+                    $statements_analyzer->data_flow_graph->addNode($function_param_sink);
+
+                    $statements_analyzer->data_flow_graph->addPath(
+                        $function_param_sink,
+                        $function_call_node,
+                        $path_type,
+                        $function_storage->added_taints,
+                        $removed_taints
+                    );
+                }
            }
        }

--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -1826,6 +1826,22 @@ class TaintTest extends TestCase
                setcookie($_GET[\'taint\'], \'value\');',
            'error_message' => 'TaintedCookie',
            ],
+            'variadicTaintPropagation' => [
+                '<?php
+
+                /**
+                 * @psalm-pure
+                 *
+                 * @param string|int|float $args
+                 *
+                 * @psalm-flow ($format, $args) -> return
+                 */
+                function variadic_test(string $format, ...$args) : string {
+                }
+                
+                echo variadic_test(\'\', \'\', $_GET[\'taint\'], \'\');',
+                'error_message' => 'TaintedHtml'
+            ],
            'potentialTaintThroughChildClassSettingProperty' => [
                '<?php
                    class A {