Mark McEver
53c3f1ebb3
Prevent other DB escaping functions from escaping non-sql taints
2022-12-28 14:19:01 -06:00
orklah
435acb823c
Merge pull request #9018 from orklah/TClosure
...
create proper TClosure instead of TNamedObject with a Closure value
2022-12-28 20:53:52 +01:00
orklah
a0a9d979d5
remove useless import
2022-12-28 20:47:50 +01:00
orklah
fa4891ce58
create proper TClosure instead of TNamedObject with a Closure value
2022-12-28 20:42:59 +01:00
Mark McEver
69f31dcd4a
Prevent mysqli escaping functions from escaping non-sql taints
2022-12-28 13:39:01 -06:00
orklah
1bd0644124
Merge pull request #9017 from orklah/isnotaclass
...
Add getAtomicType to IsNotAClass for proper negation Reconciliation
2022-12-28 19:22:48 +01:00
orklah
58853c00f8
add test
2022-12-28 19:13:03 +01:00
orklah
e52664deea
Add getAtomicType for IsNotAClass for proper negation Reconciliation
2022-12-28 19:04:23 +01:00
Marco Pivetta
45f743f851
Adjusted assertDifferentTypeOfArray
test to avoid intersecting incompatible string arrays
...
Getting one interesting failure caused by the `lowercase-string` refinement done before:
```
There was 1 error:
1) Psalm\Tests\AssertAnnotationTest::testValidCode with data set "assertDifferentTypeOfArray" ('<?php\n /*...ts[1];')
Psalm\Exception\CodeException: DocblockTypeContradiction - src/somefile.php:21:21 - Cannot resolve types for $parts - docblock-defined type list{0: lowercase-string, 1?: lowercase-string} does not contain list{string, string}
```
Happens on this bit:
```php
'assertDifferentTypeOfArray' => [
'code' => '<?php
/**
* @psalm-assert list{string, string} $value
* @param mixed $value
*/
function isStringTuple($value): void {
if (!is_array($value)
|| !isset($value[0])
|| !isset($value[1])
|| !is_string($value[0])
|| !is_string($value[1])
) {
throw new \Exception("bad");
}
}
$s = "";
$parts = explode(":", $s, 2);
isStringTuple($parts);
echo $parts[0];
echo $parts[1];',
],
```
If I change this to:
```
@psalm-assert list{lowercase-string, lowercase-string} $value
```
Then everything works: I'm wondering if this error has to do with array intersections, and whether suppressing it suffices.
For now, changing the input string, so it is not a `lowercase-string`, is sufficient.
2022-12-28 17:57:33 +01:00
Marco Pivetta
c0c0116809
Using list{0: string, 1?: string}
syntax for more precise array key types
...
Thanks to @orklah's feedback, the `explode()` return type is now much more precise too.
Ref: https://github.com/vimeo/psalm/pull/9016#discussion_r1058458616
2022-12-28 17:48:33 +01:00
Marco Pivetta
6341d7fef0
Adjusted existing tests to the new signature of explode()
...
Note how the signature became `array{0: string, 1?: string, 2?: string, array<int, string>}`,
which may be a side-effect of unions between a defined hashmap structure with array
keys, and `list<string>`.
2022-12-28 17:39:06 +01:00
Marco Pivetta
bfded43614
Ensure that explode($d, lowercase-string)
produces list<lowercase-string>
types
...
This specific distinction seems to be very important for Psalm, as `explode()` and
`lowercase-string` are used aggressively across the codebase.
Also, this change expands the baseline by a few entries, since some of the code locations
instide Psalm itself have un-checked list destructuring operations, as well as array
access calls on potentially undefined array keys produced by `explode()`, which were
previously just `list<string>`, and are now `array{0: string, 1?: string}`, which is
a bit more precise.
2022-12-28 17:26:25 +01:00
Marco Pivetta
04999b172a
Refined explode()
types
...
Fixes #5039
This patch removes the need for a custom function return type
provider for `explode()`, and instead replaces all that with a single
stub for the `explode()` function, which provides types for some of
the most common `$limit` input values.
With this change, the `$delimiter` is enforced to be a `non-empty-string`,
which will lead to downstream consumers having to adjust some code accordingly,
but that shouldn't affect the most common scenario of exploding a string
based with a constant `literal-string` delimiter, which most PHP devs tend to do.
This change didn't come with an accompanying test, since that would be a bit
wasteful, but it was verified locally with following script:
```php
<?php
$possible0 = explode(',', 'hello, world', -100);
$possible1 = explode(',', 'hello, world', -1);
$possible2 = explode(',', 'hello, world', 0);
$possible3 = explode(',', 'hello, world', 1);
$possible4 = explode(',', 'hello, world', 2);
$possible5 = explode(',', 'hello, world', 3);
$possible6 = explode(',', 'hello, world', 4);
try {
$impossible1 = explode('', '', -1);
} catch (Throwable $impossible1) {}
$traced = [$possible0, $possible1, $possible2, $possible3, $possible4, $possible5, $possible6, $impossible1];
/** @psalm-trace $traced */
var_dump($traced);
return $traced;
```
Running psalm locally, this produces:
```
psalm on feature/#5039-more-refined-types-for-explode-core-function [?] via 🐘 v8.1.13 via ❄️ impure (nix-shell)
❯ ./psalm --no-cache explode.php
Target PHP version: 7.4 (inferred from composer.json) Extensions enabled: dom, simplexml (unsupported extensions: ctype, json, libxml, mbstring, tokenizer)
Scanning files...
Analyzing files...
░
To whom it may concern: Psalm cannot detect unused classes, methods and properties
when analyzing individual files and folders. Run on the full project to enable
complete unused code detection.
ERROR: InvalidArgument - explode.php:11:28 - Argument 1 of explode expects non-empty-string, but '' provided (see https://psalm.dev/004 )
$impossible1 = explode('', '', -1);
ERROR: PossiblyUndefinedGlobalVariable - explode.php:14:96 - Possibly undefined global variable $impossible1 defined in try block (see https://psalm.dev/126 )
$traced = [$possible0, $possible1, $possible2, $possible3, $possible4, $possible5, $possible6, $impossible1];
ERROR: ForbiddenCode - explode.php:18:1 - Unsafe var_dump (see https://psalm.dev/002 )
/** @psalm-trace $traced */
var_dump($traced);
ERROR: Trace - explode.php:18:1 - $traced: list{0: array<never, never>, 1: non-empty-list<string>, 2: list{string}, 3: list{string}, 4: array{0: string, 1?: string}, 5: array{0: string, 1?: string, 2?: string}, 6: non-empty-list<string>, 7?: Throwable|non-empty-list<string>} (see https://psalm.dev/224 )
/** @psalm-trace $traced */
var_dump($traced);
------------------------------
4 errors found
------------------------------
Checks took 6.31 seconds and used 265.386MB of memory
Psalm was unable to infer types in the codebase
```
The actual runtime behavior on PHP 8.x: https://3v4l.org/0NKlW
```
array(8) {
[0]=>
array(0) {
}
[1]=>
array(1) {
[0]=>
string(5) "hello"
}
[2]=>
array(1) {
[0]=>
string(12) "hello, world"
}
[3]=>
array(1) {
[0]=>
string(12) "hello, world"
}
[4]=>
array(2) {
[0]=>
string(5) "hello"
[1]=>
string(6) " world"
}
[5]=>
array(2) {
[0]=>
string(5) "hello"
[1]=>
string(6) " world"
}
[6]=>
array(2) {
[0]=>
string(5) "hello"
[1]=>
string(6) " world"
}
[7]=>
object(ValueError)#1 (7) {
["message":protected]=>
string(51) "explode(): Argument #1 ($separator) cannot be empty"
["string":"Error":private]=>
string(0) ""
["code":protected]=>
int(0)
["file":protected]=>
string(9) "/in/0NKlW"
["line":protected]=>
int(11)
["trace":"Error":private]=>
array(1) {
[0]=>
array(4) {
["file"]=>
string(9) "/in/0NKlW"
["line"]=>
int(11)
["function"]=>
string(7) "explode"
["args"]=>
array(3) {
[0]=>
string(0) ""
[1]=>
string(0) ""
[2]=>
int(-1)
}
}
}
["previous":"Error":private]=>
NULL
}
}
```
On PHP 7:
```
Warning: explode(): Empty delimiter in /in/0NKlW on line 11
array(8) {
[0]=>
array(0) {
}
[1]=>
array(1) {
[0]=>
string(5) "hello"
}
[2]=>
array(1) {
[0]=>
string(12) "hello, world"
}
[3]=>
array(1) {
[0]=>
string(12) "hello, world"
}
[4]=>
array(2) {
[0]=>
string(5) "hello"
[1]=>
string(6) " world"
}
[5]=>
array(2) {
[0]=>
string(5) "hello"
[1]=>
string(6) " world"
}
[6]=>
array(2) {
[0]=>
string(5) "hello"
[1]=>
string(6) " world"
}
[7]=>
bool(false)
}
```
2022-12-28 17:11:40 +01:00
orklah
7b8b44ca21
Merge pull request #9014 from theodorejb/patch-1
...
Fix PHPCS trailing comma
2022-12-28 16:55:51 +01:00
Theodore Brown
e4b0343f76
Fix PHPCS trailing comma
2022-12-28 09:35:34 -06:00
orklah
dbcfe62c52
Merge pull request #8987 from jack-worman/Always_check_unused_methods_and_properties
...
Add @psalm-api annotation
2022-12-28 15:20:48 +01:00
orklah
d338b00cb7
Merge pull request #8999 from VincentLanglet/union
...
Preserve from_docblock in TypeCombiner
2022-12-28 10:08:12 +01:00
Vincent Langlet
a263e5d42c
Simplify
2022-12-28 09:30:41 +01:00
orklah
41ae518800
Merge pull request #9001 from fluffycondor/http_response_header-non-empty-list
...
Make `$http_response_header` a non-empty-list
2022-12-28 00:27:30 +01:00
orklah
9892ef2fab
Merge pull request #9011 from mathe42/patch-1
...
feat: add xdebug_info (fixes #8977 )
2022-12-27 19:40:33 +01:00
Sebastian Krüger
ddf846b8c7
.xdebug_info only available for php >=
2022-12-27 18:39:41 +01:00
Sebastian Krüger
c74aacdeee
feat: add xdebug_info ( fixes #8977 )
2022-12-27 17:45:58 +01:00
Andrew Nagy
eab70e176c
allow array-to-xml 3
2022-12-26 21:18:46 +00:00
Bruce Weirdan
9f5314b146
Merge pull request #9009 from weirdan/allow-no-return-type-on-destructors
...
Fixes https://github.com/vimeo/psalm/issues/9008
2022-12-26 15:58:50 -04:00
Bruce Weirdan
52da29e389
Do not require return type on destructors in interfaces
...
Fixes vimeo/psalm#9008
2022-12-26 15:45:44 -04:00
Bruce Weirdan
c1273a8c51
Merge pull request #9007 from lptn/imap_is_open
2022-12-26 12:16:40 -04:00
Alies Lapatsin
f700feb5b5
Add imap_is_open() to PHP 8.2 dictionary (Only as of PHP 8.2.1)
2022-12-26 16:19:03 +01:00
Alies Lapatsin
6cd85b9b84
Add imap_is_open() to PHP 8.2 dictionary
2022-12-26 16:14:20 +01:00
Vincent Langlet
b1f1ca6d7e
Try
2022-12-25 19:11:54 +01:00
Vincent Langlet
a8ef02db5a
Real fix
2022-12-25 17:35:47 +01:00
orklah
e26ce993c7
Merge pull request #9000 from jack-worman/restrictReturnTypes_configuration
...
restrictReturnTypes configuration documentation
2022-12-25 16:14:09 +01:00
fluffycondor
bfc00056e3
Add test
2022-12-25 11:50:09 +06:00
fluffycondor
040737de24
Fix non-empty-list class
2022-12-25 11:45:56 +06:00
fluffycondor
032f01114e
Fix test
2022-12-25 11:41:34 +06:00
fluffycondor
a077bd4351
Make http_response_header possibly undefined
2022-12-25 11:38:51 +06:00
Bruce Weirdan
58ae7480c9
Merge pull request #9002 from jack-worman/forbidden_functions_bug
2022-12-24 15:42:47 -04:00
Jack Worman
1bb9eb4cfc
forbidden function bug and better get_defined_functions() signature
2022-12-24 12:34:40 -06:00
fluffycondor
69da58d578
Make http_response_header a non-empty-list of non-falsy-string
2022-12-25 00:02:58 +06:00
Jack Worman
f9e9aad990
restrictReturnTypes configuration
2022-12-24 11:25:56 -06:00
Vincent Langlet
ebd5727dec
Update type
2022-12-24 13:38:02 +01:00
Vincent Langlet
06010b40ce
Fix
2022-12-24 13:24:28 +01:00
Vincent Langlet
723001d814
Failing test
2022-12-24 13:17:08 +01:00
Jack Worman
703a1e1698
@psalm-api
2022-12-23 16:13:46 -06:00
orklah
8b05f2ead8
Merge pull request #8997 from weirdan/fix-missing-composer-version
...
Fix missing version in PHARs build on GA
2022-12-23 22:50:41 +01:00
Bruce Weirdan
7dd25b46d8
Fix missing version in PHARs build on GA
...
We were overriding the root version with COMPOSER_ROOT_VERSION, so all
PHARs had `dev-master` as the version for `vimeo/psalm` baked in.
Fixed vimeo/psalm#7606
2022-12-23 17:26:39 -04:00
Bruce Weirdan
08b73f25da
Merge pull request #8996 from weirdan/improve-type-invalid-reference-message
...
Fixes https://github.com/vimeo/psalm/issues/8842
2022-12-23 15:03:24 -04:00
Bruce Weirdan
bf6ef6466e
Improve invalid references
message in @psalm-type
...
Fixes vimeo/psalm#8842
2022-12-23 14:52:08 -04:00
orklah
597957989c
Merge pull request #8990 from othercorey/verify-param-nullable
...
Verify nullable callmap parameters
2022-12-23 18:30:27 +01:00
Corey Taylor
d6eca8c056
Verify nullable callmap parameters
2022-12-23 06:04:35 -06:00
orklah
1cde7e4031
Merge pull request #8792 from emmanuelGuiton/master
...
Fixes vimeo#8112
2022-12-22 22:11:42 +01:00