1
0
mirror of https://github.com/danog/psalm.git synced 2025-01-22 13:51:54 +01:00

148 Commits

Author SHA1 Message Date
9e535682c4 Merge remote-tracking branch 'origin/5.x' into HEAD 2023-11-27 11:54:44 +01:00
Simon Berger
6f32c723f5 Narrow down get_browser returning array or object based on $return_array param 2023-10-25 10:34:46 +02:00
71483b72aa Merge remote-tracking branch 'origin/5.x' into v6_fixes 2023-10-22 20:08:39 +02:00
Rudolph Gottesheim
87e0bbcf89 Allow passing stringable-objects to sprintf() in all PHP versions 2023-09-28 10:23:02 +02:00
cgocast
84e7423175 Detect DoS by sleep vimeo#10178 2023-09-06 15:58:08 +02:00
kkmuffme
4f87da19e2 stubs exec param-out for $output 2023-08-22 15:28:28 +02:00
The Devick
313267082b
Fix bcdiv nullable scale stub 2023-08-12 14:36:00 -03:00
kkmuffme
26eb870e47 fix mixed replace return types for arrays
* remove useless replace return type provider code that returned incorrect type for array replacements and was worse duplicate of existing stubs
* require preg patterns to be non-empty-strings as otherwise it will throw a PHP notice
* improve return type of array replacements to be more correct (not fully correct due to https://github.com/vimeo/psalm/issues/5994#issuecomment-1614601590)
2023-06-30 17:08:03 +02:00
Yannick Gottschalk
f93d23899d Fix glob CallMap and stub to prevent crash on alpine (and possibly other systems) 2023-06-25 13:17:13 +02:00
kkmuffme
c5fee532f3 consistently ignore falsable return, remove unused suppress with new types 2023-06-24 18:11:15 +02:00
kkmuffme
7f0217d1e3 fix incorrect default stubs 2023-06-24 18:11:15 +02:00
kkmuffme
1465ed7c23 fix CoreGenericFunctions.phpstub not falling back to callmap 2023-06-09 12:59:13 +02:00
kkmuffme
6e5fdac32e vprintf is pure too 2023-06-09 12:59:13 +02:00
kkmuffme
a0b87ad935 suppress PHP 7 issues and remove unspecific return type 2023-06-09 12:59:13 +02:00
kkmuffme
cf4536f646 fix incorrect return type of printf 2023-06-09 12:59:12 +02:00
Yannick Gottschalk
a130e2f06c Fixes #9820 2023-06-06 17:02:28 +02:00
kkmuffme
51d3276c03 Fix https://github.com/vimeo/psalm/issues/9839 2023-05-30 21:34:10 +02:00
Kamil Tekiela
c2bbc6239a Update CoreGenericFunctions.phpstub 2023-05-29 16:16:49 +01:00
RobChett
bd0ba6ee95 Narrow the type of haystack when strpos != false 2023-05-21 10:35:19 +01:00
RobChett
1a1d9c9bf5 Add return type provider for date/gmdate 2023-04-21 08:12:49 +01:00
tuqqu
d3a21acc24 Fix array_flip to preserve non-empty array type 2023-04-13 22:19:44 +02:00
orklah
94f32e9718
Merge pull request #9323 from othercorey/fix-array-unique
Fix array_unique callmap
2023-03-28 20:27:18 +02:00
Corey Taylor
730bc221e9 Re-add array_unique() stub which preserved array type 2023-03-28 04:09:50 -05:00
fluffycondor
f3e950bac7 str_* functions assert for non-empty-string 2023-03-17 17:58:44 +06:00
fluffycondor
cf86b16199 Code style 2023-03-17 16:46:00 +06:00
fluffycondor
c2dae0e43f Add php8 str_* functions signatures 2023-03-17 16:39:04 +06:00
fluffycondor
2c69e3cdcc
Add explanation
Co-authored-by: Bruce Weirdan <weirdan@gmail.com>
2023-03-16 12:37:14 +06:00
fluffycondor
0c3fa5b5d0 Add depth range
According to
https://www.php.net/manual/en/function.json-decode.php#:~:text=The%20value%20must%20be%20greater%20than%200%2C%20and%20less%20than%20or%20equal%20to%202147483647
2023-03-16 12:08:48 +06:00
fluffycondor
d11c7cdb8e Add JSON_THROW_ON_ERROR full support 2023-03-16 12:08:07 +06:00
Corey Taylor
39bb7b45a7 Fix return type of str_split() 2023-03-12 21:15:53 -05:00
fluffycondor
2abefb9618 Return a non-empty-string with JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE 2023-03-10 11:34:23 +06:00
Corey Taylor
3ddeecec1a Fix strpos stub return type 2023-02-16 13:34:39 -06:00
orklah
54cd529642
Merge pull request #9170 from mmcev106/filter-var-pure
Added @psalm-pure to filter_var()
2023-02-02 23:39:06 +01:00
Mark McEver
b5781c34e8 Fixed a case where the conditional taint, specialize, & flow features were not playing nicely together 2023-02-01 15:41:52 -06:00
Mark McEver
bb2cf1f30a Added @psalm-pure to filter_var() 2023-01-23 15:09:29 -06:00
Ryan Bonham
cb204edcdd
Correct Stubs for PHP 7 and PHP 8 2023-01-07 12:38:49 -05:00
Ryan Bonham
0d360419b7
Update Call Maps and Signature for get_headers 2023-01-06 19:24:00 -05:00
orklah
790c30959d
Merge pull request #9016 from Ocramius/feature/#5039-more-refined-types-for-explode-core-function
Refined `explode()` types
2022-12-29 10:23:18 +01:00
Mark McEver
53c3f1ebb3 Prevent other DB escaping functions from escaping non-sql taints 2022-12-28 14:19:01 -06:00
Mark McEver
69f31dcd4a Prevent mysqli escaping functions from escaping non-sql taints 2022-12-28 13:39:01 -06:00
Marco Pivetta
c0c0116809 Using list{0: string, 1?: string} syntax for more precise array key types
Thanks to @orklah's feedback, the `explode()` return type is now much more precise too.

Ref: https://github.com/vimeo/psalm/pull/9016#discussion_r1058458616
2022-12-28 17:48:33 +01:00
Marco Pivetta
bfded43614 Ensure that explode($d, lowercase-string) produces list<lowercase-string> types
This specific distinction seems to be very important for Psalm, as `explode()` and
`lowercase-string` are used aggressively across the codebase.

Also, this change expands the baseline by a few entries, since some of the code locations
instide Psalm itself have un-checked list destructuring operations, as well as array
access calls on potentially undefined array keys produced by `explode()`, which were
previously just `list<string>`, and are now `array{0: string, 1?: string}`, which is
a bit more precise.
2022-12-28 17:26:25 +01:00
Marco Pivetta
04999b172a Refined explode() types
Fixes #5039

This patch removes the need for a custom function return type
provider for `explode()`, and instead replaces all that with a single
stub for the `explode()` function, which provides types for some of
the most common `$limit` input values.

With this change, the `$delimiter` is enforced to be a `non-empty-string`,
which will lead to downstream consumers having to adjust some code accordingly,
but that shouldn't affect the most common scenario of exploding a string
based with a constant `literal-string` delimiter, which most PHP devs tend to do.

This change didn't come with an accompanying test, since that would be a bit
wasteful, but it was verified locally with following script:

```php
<?php

$possible0  = explode(',', 'hello, world', -100);
$possible1  = explode(',', 'hello, world', -1);
$possible2  = explode(',', 'hello, world', 0);
$possible3  = explode(',', 'hello, world', 1);
$possible4  = explode(',', 'hello, world', 2);
$possible5  = explode(',', 'hello, world', 3);
$possible6  = explode(',', 'hello, world', 4);
try {
    $impossible1 = explode('', '', -1);
} catch (Throwable $impossible1) {}

$traced = [$possible0, $possible1, $possible2, $possible3, $possible4, $possible5, $possible6, $impossible1];

/** @psalm-trace $traced */

var_dump($traced);

return $traced;
```

Running psalm locally, this produces:

```
psalm on  feature/#5039-more-refined-types-for-explode-core-function [?] via 🐘 v8.1.13 via ❄️  impure (nix-shell)
❯ ./psalm --no-cache explode.php
Target PHP version: 7.4 (inferred from composer.json) Extensions enabled: dom, simplexml (unsupported extensions: ctype, json, libxml, mbstring, tokenizer)
Scanning files...
Analyzing files...

░

To whom it may concern: Psalm cannot detect unused classes, methods and properties
when analyzing individual files and folders. Run on the full project to enable
complete unused code detection.

ERROR: InvalidArgument - explode.php:11:28 - Argument 1 of explode expects non-empty-string, but '' provided (see https://psalm.dev/004)
    $impossible1 = explode('', '', -1);

ERROR: PossiblyUndefinedGlobalVariable - explode.php:14:96 - Possibly undefined global variable $impossible1 defined in try block (see https://psalm.dev/126)
$traced = [$possible0, $possible1, $possible2, $possible3, $possible4, $possible5, $possible6, $impossible1];

ERROR: ForbiddenCode - explode.php:18:1 - Unsafe var_dump (see https://psalm.dev/002)
/** @psalm-trace $traced */

var_dump($traced);

ERROR: Trace - explode.php:18:1 - $traced: list{0: array<never, never>, 1: non-empty-list<string>, 2: list{string}, 3: list{string}, 4: array{0: string, 1?: string}, 5: array{0: string, 1?: string, 2?: string}, 6: non-empty-list<string>, 7?: Throwable|non-empty-list<string>} (see https://psalm.dev/224)
/** @psalm-trace $traced */

var_dump($traced);

------------------------------
4 errors found
------------------------------

Checks took 6.31 seconds and used 265.386MB of memory
Psalm was unable to infer types in the codebase
```

The actual runtime behavior on PHP 8.x: https://3v4l.org/0NKlW

```
array(8) {
  [0]=>
  array(0) {
  }
  [1]=>
  array(1) {
    [0]=>
    string(5) "hello"
  }
  [2]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [3]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [4]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [5]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [6]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [7]=>
  object(ValueError)#1 (7) {
    ["message":protected]=>
    string(51) "explode(): Argument #1 ($separator) cannot be empty"
    ["string":"Error":private]=>
    string(0) ""
    ["code":protected]=>
    int(0)
    ["file":protected]=>
    string(9) "/in/0NKlW"
    ["line":protected]=>
    int(11)
    ["trace":"Error":private]=>
    array(1) {
      [0]=>
      array(4) {
        ["file"]=>
        string(9) "/in/0NKlW"
        ["line"]=>
        int(11)
        ["function"]=>
        string(7) "explode"
        ["args"]=>
        array(3) {
          [0]=>
          string(0) ""
          [1]=>
          string(0) ""
          [2]=>
          int(-1)
        }
      }
    }
    ["previous":"Error":private]=>
    NULL
  }
}
```

On PHP 7:

```
Warning: explode(): Empty delimiter in /in/0NKlW on line 11
array(8) {
  [0]=>
  array(0) {
  }
  [1]=>
  array(1) {
    [0]=>
    string(5) "hello"
  }
  [2]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [3]=>
  array(1) {
    [0]=>
    string(12) "hello, world"
  }
  [4]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [5]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [6]=>
  array(2) {
    [0]=>
    string(5) "hello"
    [1]=>
    string(6) " world"
  }
  [7]=>
  bool(false)
}
```
2022-12-28 17:11:40 +01:00
098d5020d0 array_merge_recursive 2022-12-18 14:52:44 +01:00
1dd062a810 Fix #2481 2022-12-18 14:50:51 +01:00
fluffycondor
9a22d682f5 Simplify conditional return 2022-12-18 17:15:24 +06:00
fluffycondor
987981b12a Make sprintf return non-empty-string when arguments non-empty-strings too 2022-12-18 16:53:19 +06:00
Mark McEver
9764803c55 Allowed taints to pass through urlencode() 2022-12-05 17:25:36 -06:00
Matthew Brown
8d36bdc3ed
Make array shapes strict by default (#8701)
* Make array shapes strict by default

* Fix PSL tests
2022-11-11 20:14:21 -05:00
68a5511057 Merge remote-tracking branch 'origin/4.x' into HEAD 2022-11-08 10:25:04 +01:00