mirror of https://github.com/danog/psalm.git synced 2024-12-15 02:47:02 +01:00
13297 Commits

Author SHA1 Message Date
Mark McEver
53c3f1ebb3 Prevent other DB escaping functions from escaping non-sql taints 2022-12-28 14:19:01 -06:00
orklah
435acb823c
Merge pull request #9018 from orklah/TClosure
create proper TClosure instead of TNamedObject with a Closure value
2022-12-28 20:53:52 +01:00
orklah
a0a9d979d5 remove useless import 2022-12-28 20:47:50 +01:00
orklah
fa4891ce58 create proper TClosure instead of TNamedObject with a Closure value 2022-12-28 20:42:59 +01:00
Mark McEver
69f31dcd4a Prevent mysqli escaping functions from escaping non-sql taints 2022-12-28 13:39:01 -06:00
orklah
1bd0644124
Merge pull request #9017 from orklah/isnotaclass
Add getAtomicType to IsNotAClass for proper negation Reconciliation
2022-12-28 19:22:48 +01:00
orklah
58853c00f8 add test 2022-12-28 19:13:03 +01:00
orklah
e52664deea Add getAtomicType for IsNotAClass for proper negation Reconciliation 2022-12-28 19:04:23 +01:00
Marco Pivetta
45f743f851 Adjusted assertDifferentTypeOfArray test to avoid intersecting incompatible string arrays
Getting one interesting failure caused by the `lowercase-string` refinement done before:

```
  There was 1 error:

  1) Psalm\Tests\AssertAnnotationTest::testValidCode with data set "assertDifferentTypeOfArray" ('<?php\n                    /*...ts[1];')
  Psalm\Exception\CodeException: DocblockTypeContradiction - src/somefile.php:21:21 - Cannot resolve types for $parts - docblock-defined type list{0: lowercase-string, 1?: lowercase-string} does not contain list{string, string}
```

Happens on this bit:

```php
           'assertDifferentTypeOfArray' => [
                'code' => '<?php
                    /**
                     * @psalm-assert list{string, string} $value
                     * @param mixed $value
                     */
                    function isStringTuple($value): void {
                        if (!is_array($value)
                            || !isset($value[0])
                            || !isset($value[1])
                            || !is_string($value[0])
                            || !is_string($value[1])
                        ) {
                            throw new \Exception("bad");
                        }
                    }

                    $s = "";

                    $parts = explode(":", $s, 2);

                    isStringTuple($parts);

                    echo $parts[0];
                    echo $parts[1];',
            ],
```

If I change this to:

```
@psalm-assert list{lowercase-string, lowercase-string} $value
```

Then everything works: I'm wondering if this error has to do with array intersections, and whether suppressing it suffices.

For now, changing the input string, so it is not a `lowercase-string`, is sufficient.
2022-12-28 17:57:33 +01:00
Marco Pivetta
c0c0116809 Using list{0: string, 1?: string} syntax for more precise array key types
Thanks to @orklah's feedback, the `explode()` return type is now much more precise too.

Ref: https://github.com/vimeo/psalm/pull/9016#discussion_r1058458616
2022-12-28 17:48:33 +01:00
Marco Pivetta
6341d7fef0 Adjusted existing tests to the new signature of explode()
Note how the signature became `array{0: string, 1?: string, 2?: string, array<int, string>}`,
which may be a side-effect of unions between a defined hashmap structure with array
keys, and `list<string>`.
2022-12-28 17:39:06 +01:00
Marco Pivetta
bfded43614 Ensure that explode($d, lowercase-string) produces list<lowercase-string> types
This specific distinction seems to be very important for Psalm, as `explode()` and
`lowercase-string` are used aggressively across the codebase.

Also, this change expands the baseline by a few entries, since some of the code locations
inside Psalm itself have un-checked list destructuring operations, as well as array
access calls on potentially undefined array keys produced by `explode()`, which were
previously just `list<string>`, and are now `array{0: string, 1?: string}`, which is
a bit more precise.
2022-12-28 17:26:25 +01:00
Marco Pivetta
04999b172a Refined explode() types
Fixes #5039

This patch removes the need for a custom function return type
provider for `explode()`, and instead replaces all that with a single
stub for the `explode()` function, which provides types for some of
the most common `$limit` input values.

With this change, the `$delimiter` is enforced to be a `non-empty-string`,
which will lead to downstream consumers having to adjust some code accordingly,
but that shouldn't affect the most common scenario of exploding a string
based with a constant `literal-string` delimiter, which most PHP devs tend to do.

This change didn't come with an accompanying test, since that would be a bit
wasteful, but it was verified locally with the following script:

```php
<?php

$possible0  = explode(',', 'hello, world', -100);
$possible1  = explode(',', 'hello, world', -1);
$possible2  = explode(',', 'hello, world', 0);
$possible3  = explode(',', 'hello, world', 1);
$possible4  = explode(',', 'hello, world', 2);
$possible5  = explode(',', 'hello, world', 3);
$possible6  = explode(',', 'hello, world', 4);
try {
    $impossible1 = explode('', '', -1);
} catch (Throwable $impossible1) {}

$traced = [$possible0, $possible1, $possible2, $possible3, $possible4, $possible5, $possible6, $impossible1];

/** @psalm-trace $traced */

var_dump($traced);

return $traced;
```

Running psalm locally, this produces:

```
psalm on  feature/#5039-more-refined-types-for-explode-core-function [?] via 🐘 v8.1.13 via ❄️  impure (nix-shell)
❯ ./psalm --no-cache explode.php
Target PHP version: 7.4 (inferred from composer.json) Extensions enabled: dom, simplexml (unsupported extensions: ctype, json, libxml, mbstring, tokenizer)
Scanning files...
Analyzing files...

░

To whom it may concern: Psalm cannot detect unused classes, methods and properties
when analyzing individual files and folders. Run on the full project to enable
complete unused code detection.

ERROR: InvalidArgument - explode.php:11:28 - Argument 1 of explode expects non-empty-string, but '' provided (see https://psalm.dev/004)
    $impossible1 = explode('', '', -1);

ERROR: PossiblyUndefinedGlobalVariable - explode.php:14:96 - Possibly undefined global variable $impossible1 defined in try block (see https://psalm.dev/126)
$traced = [$possible0, $possible1, $possible2, $possible3, $possible4, $possible5, $possible6, $impossible1];

ERROR: ForbiddenCode - explode.php:18:1 - Unsafe var_dump (see https://psalm.dev/002)
/** @psalm-trace $traced */

var_dump($traced);

ERROR: Trace - explode.php:18:1 - $traced: list{0: array<never, never>, 1: non-empty-list<string>, 2: list{string}, 3: list{string}, 4: array{0: string, 1?: string}, 5: array{0: string, 1?: string, 2?: string}, 6: non-empty-list<string>, 7?: Throwable|non-empty-list<string>} (see https://psalm.dev/224)
/** @psalm-trace $traced */

var_dump($traced);

------------------------------
4 errors found
------------------------------

Checks took 6.31 seconds and used 265.386MB of memory
Psalm was unable to infer types in the codebase
```

The actual runtime behavior on PHP 8.x: https://3v4l.org/0NKlW

```
array(8) {
  [0]=>
  array(0) {
  }
  [1]=>
  array(1) {
    [0]=>
    string(5) "hello"
  }
  [2]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [3]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [4]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [5]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [6]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [7]=>
  object(ValueError)#1 (7) {
    ["message":protected]=>
    string(51) "explode(): Argument #1 ($separator) cannot be empty"
    ["string":"Error":private]=>
    string(0) ""
    ["code":protected]=>
    int(0)
    ["file":protected]=>
    string(9) "/in/0NKlW"
    ["line":protected]=>
    int(11)
    ["trace":"Error":private]=>
    array(1) {
      [0]=>
      array(4) {
        ["file"]=>
        string(9) "/in/0NKlW"
        ["line"]=>
        int(11)
        ["function"]=>
        string(7) "explode"
        ["args"]=>
        array(3) {
          [0]=>
          string(0) ""
          [1]=>
          string(0) ""
          [2]=>
          int(-1)
        }
      }
    }
    ["previous":"Error":private]=>
    NULL
  }
}
```

On PHP 7:

```
Warning: explode(): Empty delimiter in /in/0NKlW on line 11
array(8) {
  [0]=>
  array(0) {
  }
  [1]=>
  array(1) {
    [0]=>
    string(5) "hello"
  }
  [2]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [3]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [4]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [5]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [6]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [7]=>
  bool(false)
}
```
2022-12-28 17:11:40 +01:00
orklah
7b8b44ca21
Merge pull request #9014 from theodorejb/patch-1
Fix PHPCS trailing comma
2022-12-28 16:55:51 +01:00
Theodore Brown
e4b0343f76
Fix PHPCS trailing comma 2022-12-28 09:35:34 -06:00
orklah
dbcfe62c52
Merge pull request #8987 from jack-worman/Always_check_unused_methods_and_properties
Add @psalm-api annotation
2022-12-28 15:20:48 +01:00
orklah
d338b00cb7
Merge pull request #8999 from VincentLanglet/union
Preserve from_docblock in TypeCombiner
2022-12-28 10:08:12 +01:00
Vincent Langlet
a263e5d42c Simplify 2022-12-28 09:30:41 +01:00
orklah
41ae518800
Merge pull request #9001 from fluffycondor/http_response_header-non-empty-list
Make `$http_response_header` a non-empty-list
2022-12-28 00:27:30 +01:00
orklah
9892ef2fab
Merge pull request #9011 from mathe42/patch-1
feat: add xdebug_info (fixes #8977)
2022-12-27 19:40:33 +01:00
Sebastian Krüger
ddf846b8c7
.xdebug_info only available for php >= 2022-12-27 18:39:41 +01:00
Sebastian Krüger
c74aacdeee
feat: add xdebug_info (fixes #8977) 2022-12-27 17:45:58 +01:00
Andrew Nagy
eab70e176c allow array-to-xml 3 2022-12-26 21:18:46 +00:00
Bruce Weirdan
9f5314b146
Merge pull request #9009 from weirdan/allow-no-return-type-on-destructors
Fixes https://github.com/vimeo/psalm/issues/9008
2022-12-26 15:58:50 -04:00
Bruce Weirdan
52da29e389
Do not require return type on destructors in interfaces
Fixes vimeo/psalm#9008
2022-12-26 15:45:44 -04:00
Bruce Weirdan
c1273a8c51
Merge pull request #9007 from lptn/imap_is_open 2022-12-26 12:16:40 -04:00
Alies Lapatsin
f700feb5b5 Add imap_is_open() to PHP 8.2 dictionary (Only as of PHP 8.2.1) 2022-12-26 16:19:03 +01:00
Alies Lapatsin
6cd85b9b84 Add imap_is_open() to PHP 8.2 dictionary 2022-12-26 16:14:20 +01:00
Vincent Langlet
b1f1ca6d7e Try 2022-12-25 19:11:54 +01:00
Vincent Langlet
a8ef02db5a Real fix 2022-12-25 17:35:47 +01:00
orklah
e26ce993c7
Merge pull request #9000 from jack-worman/restrictReturnTypes_configuration
restrictReturnTypes configuration documentation
2022-12-25 16:14:09 +01:00
fluffycondor
bfc00056e3 Add test 2022-12-25 11:50:09 +06:00
fluffycondor
040737de24 Fix non-empty-list class 2022-12-25 11:45:56 +06:00
fluffycondor
032f01114e Fix test 2022-12-25 11:41:34 +06:00
fluffycondor
a077bd4351 Make http_response_header possibly undefined 2022-12-25 11:38:51 +06:00
Bruce Weirdan
58ae7480c9
Merge pull request #9002 from jack-worman/forbidden_functions_bug 2022-12-24 15:42:47 -04:00
Jack Worman
1bb9eb4cfc forbidden function bug and better get_defined_functions() signature 2022-12-24 12:34:40 -06:00
fluffycondor
69da58d578 Make http_response_header a non-empty-list of non-falsy-string 2022-12-25 00:02:58 +06:00
Jack Worman
f9e9aad990 restrictReturnTypes configuration 2022-12-24 11:25:56 -06:00
Vincent Langlet
ebd5727dec Update type 2022-12-24 13:38:02 +01:00
Vincent Langlet
06010b40ce Fix 2022-12-24 13:24:28 +01:00
Vincent Langlet
723001d814 Failing test 2022-12-24 13:17:08 +01:00
Jack Worman
703a1e1698 @psalm-api 2022-12-23 16:13:46 -06:00
orklah
8b05f2ead8
Merge pull request #8997 from weirdan/fix-missing-composer-version
Fix missing version in PHARs build on GA
2022-12-23 22:50:41 +01:00
Bruce Weirdan
7dd25b46d8
Fix missing version in PHARs build on GA
We were overriding the root version with COMPOSER_ROOT_VERSION, so all
PHARs had `dev-master` as the version for `vimeo/psalm` baked in.

Fixed vimeo/psalm#7606
2022-12-23 17:26:39 -04:00
Bruce Weirdan
08b73f25da
Merge pull request #8996 from weirdan/improve-type-invalid-reference-message
Fixes https://github.com/vimeo/psalm/issues/8842
2022-12-23 15:03:24 -04:00
Bruce Weirdan
bf6ef6466e
Improve invalid references message in @psalm-type
Fixes vimeo/psalm#8842
2022-12-23 14:52:08 -04:00
orklah
597957989c
Merge pull request #8990 from othercorey/verify-param-nullable
Verify nullable callmap parameters
2022-12-23 18:30:27 +01:00
Corey Taylor
d6eca8c056 Verify nullable callmap parameters 2022-12-23 06:04:35 -06:00
orklah
1cde7e4031
Merge pull request #8792 from emmanuelGuiton/master
Fixes vimeo#8112
2022-12-22 22:11:42 +01:00