1
0
mirror of https://github.com/danog/psalm.git synced 2024-12-15 19:07:00 +01:00
Commit Graph

8388 Commits

Author SHA1 Message Date
Matt Brown
08ae85a735 Fix #4624 - allow in_array to work with list arrays 2020-11-19 09:26:41 -05:00
Matt Brown
7c02fa76d1 Fix #4620 - reconciled literal strings cannot carry taints 2020-11-19 09:06:25 -05:00
Mikhail Snetkov
20c78ae29b
Fix missing bracket in docs (#4614) 2020-11-19 08:43:39 -05:00
Matt Brown
95de6cf177 Allow immutable classes to be specialised through calls 2020-11-19 01:38:20 -05:00
Matt Brown
d60abaf858 Unfix fixes 2020-11-18 19:19:07 -05:00
Matt Brown
8dd229f6c0 Only ignore literal flows when tainting 2020-11-18 18:43:41 -05:00
Matt Brown
be275ae972 Fix #4605 - taint parent-declared property 2020-11-18 13:34:47 -05:00
Matt Brown
39c508f9d1 Fix #4603 - fix arithmetic to prevent end column 0 2020-11-18 13:19:54 -05:00
Matt Brown
236292ff05 Fix #4600 - set attributes in a bunch of places 2020-11-18 12:44:59 -05:00
Lukas Reschke
ddbfbb28e6
Split LDAP into custom category (#4604)
- Adds ldap_escape as sanitizer
- Defines the right parameters to ldap_search as sink
- Wrote documentation
- Added tests
2020-11-18 11:39:36 -05:00
Matt Brown
4bb84f7f0a Add more attributes to fake PhpParser generated expressions
Ref #4600
2020-11-18 10:16:41 -05:00
Matt Brown
3f7f959726 Fix #4599 - propagate taints to parent callers where necessary 2020-11-18 09:59:54 -05:00
Lukas Reschke
5ba4681c17
Add SSRF sinks (#4592) 2020-11-18 00:52:48 -05:00
Matt Brown
ab3961d9b3 Sanity check to ensure closure uses aren’t removed 2020-11-18 00:38:28 -05:00
Matt Brown
f3cde30b77 Only create vendor dir in config if it exists 2020-11-18 00:06:58 -05:00
Matt Brown
6e39c24a17 Don’t exit with 1 when running security analysis in GitHub Actions and generating a file 2020-11-17 22:49:25 -05:00
Matt Brown
1708bae984 Taint analysis should always run fully 2020-11-17 17:59:05 -05:00
Matt Brown
28dee4146a Fix tests 2020-11-17 17:53:46 -05:00
Matt Brown
f6591e6d0f Use resolution that works in multithreaded mode 2020-11-17 17:24:46 -05:00
Matt Brown
2aa98bc5d0 Simplify tainted output a bit, removing duplicate paths 2020-11-17 17:17:18 -05:00
Matt Brown
adeaa33a64 Don’t propagate taints to child constructor args 2020-11-17 16:49:29 -05:00
Matt Brown
854a5b2ec5 Allow TaintedInput to suppress all emitted issues 2020-11-17 16:08:05 -05:00
Matt Brown
74749d20cc Improve documentation for taints a little
Ref #4590
2020-11-17 16:03:50 -05:00
Matt Brown
4e5111f1a8 Fix #4472 - if something flows into a byref var it’s used 2020-11-17 15:30:53 -05:00
Michael Stilkerich
fec51eac8d
Stub for preg_filter (#4587) 2020-11-17 15:15:29 -05:00
Lukas Reschke
494ec40777
Add SARIF as report output (#4582)
https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html
2020-11-17 13:23:20 -05:00
Matt Brown
43af3b1a57 Break out TaintedInput issues into a lot of separate ones 2020-11-17 12:44:31 -05:00
Matt Brown
fda2377812 Fix #4578 - replace number type in ext-ds stubs 2020-11-16 21:50:23 -05:00
Benjamin Morel
08716233e6
DateTimeInterface::getTimeZone() can return false (#4579)
Fixes #4515
2020-11-16 21:48:34 -05:00
Benjamin Morel
d313f57061
mysqli::$insert_id can be a string (#4577) 2020-11-16 21:48:04 -05:00
Tyson Andre
d71ed7b9e9
Fix curl_multi_getcontent signature (#4580) 2020-11-16 21:47:33 -05:00
Matt Brown
42802e11d1 Allow PHP major version to determine substr return type 2020-11-16 16:31:33 -05:00
Lukas Reschke
6780b01453
Add more Psalm flows for string functions (#4576)
This adds string functions from
https://www.php.net/manual/en/ref.strings.php

This commit adds the flows for functions from "addcslashes" to "sprintf".
More are to follow in later commits.

Ref #3636
2020-11-16 15:50:07 -05:00
Dusk
0fe3e1f83b
Allow named arguments to variadic functions (#4575)
Closes #4563
2020-11-16 15:49:27 -05:00
Lukas Reschke
09abcfb650
Add sinks for popen and proc_open (#4572)
User input in those two functions could lead to a RCE.

popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
2020-11-16 15:04:22 -05:00
Thomas Mauro Vargiu
4e8fb9c37f
Fix #4549 Better intersection between parent types (#4560) 2020-11-15 20:29:49 -05:00
Lukas Reschke
5df2b771aa
Fix typo (#4555) 2020-11-15 20:28:51 -05:00
Lukas Reschke
fd06167843
$expr->name is not prefixed with $ (#4554)
The example as-is would currently not flag the following code:

```
	public function foo() {
		$foo = $bad_data;
		\shell_exec($foo);
        } 
```

Switching it to `bad_data` made it work.
2020-11-15 20:28:24 -05:00
orklah
6f8b463860
Detect trying to access to a list with a negative offset (#4552) 2020-11-15 20:26:50 -05:00
Matt Brown
5b004a1d11 Fix #4558 - Don’t convert value-of to key-of template 2020-11-15 18:33:07 -05:00
Matt Brown
26b4cd1fb9 Fix #4529 - allow unsetting with complex array key 2020-11-14 08:57:25 -05:00
Matt Brown
f65868c023 Fix style 2020-11-13 16:43:36 -05:00
Matt Brown
d97c8b750a Add closure-use termination for byref flows 2020-11-13 13:37:27 -05:00
Matt Brown
e7e5904d2d Remove unused uses in Psalm’s codebase 2020-11-13 13:16:39 -05:00
Matt Brown
2e47ca51d5 Fix #4547 - mark unused uses 2020-11-13 13:13:29 -05:00
Matt Brown
57125c7106 Uses by ref should be assigned that way 2020-11-13 12:50:01 -05:00
Matt Brown
4c1cf37d52 Improve error message for UnusedVariable 2020-11-13 12:36:17 -05:00
Matt Brown
086237aab7 Fix #4544 - improve handling of get_class in match 2020-11-13 11:55:42 -05:00
Matt Brown
13b83e6132 Fix #4545 - allow intersections in more places 2020-11-13 09:43:30 -05:00
Matt Brown
2992cc73c2 Split out trait template tests 2020-11-13 08:59:55 -05:00