Implement variadic taint propagation (#4649)

* Implement variadic taint propagation * Lint code
2025-01-22 05:41:20 +01:00 · 2020-11-21 23:41:40 +01:00 · 2020-11-21 23:41:40 +01:00 · ffb0c4ae17
commit ffb0c4ae17
parent ae0486529e
2 changed files with 47 additions and 19 deletions
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php
@ -1426,15 +1426,26 @@ class FunctionCallAnalyzer extends CallAnalyzer
                    continue;
                }

+                $current_arg_is_variadic = $function_storage->params[$i]->is_variadic;
+                $taintableArgIndex = [$i];
+
+                if ($current_arg_is_variadic) {
+                    $max_params = count($stmt->args) - 1;
+                    for ($arg_index = $i + 1; $arg_index <= $max_params; $arg_index++) {
+                        $taintableArgIndex[] = $arg_index;
+                    }
+                }
+
+                foreach ($taintableArgIndex as $argIndex) {
                    $arg_location = new CodeLocation(
                        $statements_analyzer->getSource(),
-                    $stmt->args[$i]->value
+                        $stmt->args[$argIndex]->value
                    );

                    $function_param_sink = DataFlowNode::getForMethodArgument(
                        $function_id,
                        $function_id,
-                    $i,
+                        $argIndex,
                        $arg_location,
                        $function_storage->specialize_call ? $node_location : null
                    );
@ -1450,6 +1461,7 @@ class FunctionCallAnalyzer extends CallAnalyzer
                    );
                }
            }
+        }

        if ($function_storage->taint_source_types) {
            $method_node = TaintSource::getForMethodReturn(
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@ -1826,6 +1826,22 @@ class TaintTest extends TestCase
                setcookie($_GET[\'taint\'], \'value\');',
            'error_message' => 'TaintedCookie',
            ],
+            'variadicTaintPropagation' => [
+                '<?php
+
+                /**
+                 * @psalm-pure
+                 *
+                 * @param string|int|float $args
+                 *
+                 * @psalm-flow ($format, $args) -> return
+                 */
+                function variadic_test(string $format, ...$args) : string {
+                }
+                
+                echo variadic_test(\'\', \'\', $_GET[\'taint\'], \'\');',
+                'error_message' => 'TaintedHtml'
+            ],
            'potentialTaintThroughChildClassSettingProperty' => [
                '<?php
                    class A {