1
0
mirror of https://github.com/danog/psalm.git synced 2024-11-30 04:39:00 +01:00
Commit Graph

100 Commits

Author SHA1 Message Date
Adrien LUCAS
f9cbc07fb7
Avoid false positives for taint specialized calls even when not using a variable (#4948) 2021-01-29 11:47:28 +01:00
Adrien LUCAS
63ddceaf8e
Taint specialized calls even when not using a variable (#4940) 2021-01-29 11:47:27 +01:00
Matt Brown
c4b1c63dd1
Taint all when conditional return is used
Ref #4792
2021-01-29 11:47:16 +01:00
Matt Brown
b21e138cc7
Allow nested specialisation 2021-01-29 11:47:15 +01:00
Matt Brown
309c13700d
Fix #4769 – don’t use unique ids for new generated nodes 2021-01-29 11:47:15 +01:00
Matt Brown
a0fee98962
Move param taint sink addition after arguuments have been analysed 2021-01-29 11:46:22 +01:00
Matt Brown
aa4be209fc
Make sure conditional escaping works for static methods too 2021-01-29 11:46:22 +01:00
Matt Brown
30ee5334a1
Fix #4661 - support conditional escaping for functions 2021-01-29 11:46:22 +01:00
Lukas Reschke
b2143f1da5
Implement variadic taint propagation (#4649)
* Implement variadic taint propagation

* Lint code
2021-01-29 11:46:19 +01:00
Lukas Reschke
4de2bf8f7f
Add psalm-flow for string functions from sscanf to wordwrap (#4591)
* Add string functions from sscanf to wordwrap

This should conclude all string functions from https://www.php.net/manual/en/book.strings.php

Continuation of https://github.com/vimeo/psalm/pull/4576

Ref https://github.com/vimeo/psalm/issues/3636

* Add StrTrReturnTypeProvider

* Fix psalm error

* phpcs

* Line length

* Ignore false return on vsprintf

Co-authored-by: Matthew Brown <github@muglug.com>
2021-01-29 11:46:19 +01:00
Matt Brown
02b1cc2288
Change TaintedText to TaintedCallable 2021-01-29 11:46:17 +01:00
Lukas Reschke
2ad5eee193
Add dedicated types for 'file', 'header' and 'cookie' (#4630)
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'

* Add documentation

* Add mapping for taint flows

* Add tests

* Fix test
2021-01-29 11:46:16 +01:00
Matt Brown
43187a0e19
Fix #4620 - reconciled literal strings cannot carry taints 2021-01-29 11:46:15 +01:00
Matt Brown
005f394d8e
Allow immutable classes to be specialised through calls 2021-01-29 11:46:15 +01:00
Matt Brown
c3658e2590
Fix #4605 - taint parent-declared property 2021-01-29 11:46:15 +01:00
Lukas Reschke
ce05165384
Split LDAP into custom category (#4604)
- Adds ldap_escape as sanitizer
- Defines the right parameters to ldap_search as sink
- Wrote documentation
- Added tests
2021-01-29 11:46:14 +01:00
Matt Brown
3b8a76d520
Fix #4599 - propagate taints to parent callers where necessary 2021-01-29 11:46:14 +01:00
Lukas Reschke
99d094b5e0
Add SSRF sinks (#4592) 2021-01-29 11:46:14 +01:00
Matt Brown
5246841b12
Fix tests 2021-01-29 11:46:14 +01:00
Matt Brown
a4b56c9292
Simplify tainted output a bit, removing duplicate paths 2021-01-29 11:46:13 +01:00
Matt Brown
a7cc439db0
Don’t propagate taints to child constructor args 2021-01-29 11:46:13 +01:00
Matt Brown
2c69618347
Break out TaintedInput issues into a lot of separate ones 2021-01-29 11:46:13 +01:00
Lukas Reschke
ff55dba130
Add sinks for popen and proc_open (#4572)
User input in those two functions could lead to a RCE.

popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
2021-01-29 11:46:11 +01:00
Adrien LUCAS
9ab0ab9472
Add a proxy capability to the flow annotation (#4495)
* Add a `passthru` capability to the flow annotation

* Fix passthru-calls type

* Fix types and rename to proxy

* Allow to proxy a method

Co-authored-by: Matthew Brown <github@muglug.com>
2021-01-29 11:46:07 +01:00
Matt Brown
b68995582e
Preserve reconciled taints for all but non-string scalar types 2021-01-29 11:46:05 +01:00
Matt Brown
63953d5676
4.x - refactor unused variable detection
This turns unused variable detection into an explicit control-flow problem, where before we had a more simplistic mark-and-sweep algorithm
2021-01-29 11:39:44 +01:00
orklah
e3e5a55907
unused use statements (#4228) 2021-01-29 11:39:42 +01:00
Brown
dbe4b4c708
Localise taint analysis better 2021-01-29 11:39:40 +01:00
orklah
db45ff1ba4
More return types (#4173)
* add native return types

* redundant phpdoc
2021-01-29 11:38:57 +01:00
Bruce Weirdan
1cc4715740
Fix windows tests (#4040)
* Fix windows tests by not mangling the expectations

* Use platform-dependent directory separator in expected messages

* fix CS
2021-01-29 11:38:04 +01:00
Adrien LUCAS
d44130191b
Allow taint through strval sprintf (#3836)
* Add psalm-flow to strval

* Unexpected behavior with implode
2020-07-17 10:12:04 -04:00
Brown
67b2edc328 Allow more things to be suppressed with @psalm-suppress TaintedInput 2020-07-02 11:53:51 -04:00
Brown
ae7c5b095b Fix #3712 - allow taints to be suppressed with @psalm-suppress 2020-07-01 23:23:45 -04:00
Tyson Andre
e3d59bf5d4
Support taint detection on Throwable::getTraceAsString() (#3731)
And `__toString()`, which uses getTraceAsString().

Fixes #3696

```php
function login($username, $password, $secret) {
    throw new RuntimeException('login failure');
}
try {
    login('user', $_GET['pass'], SECRET);
} catch (Exception $e) {
    // This output includes unescaped 'pass' and SECRET
    echo $e, "\n";
    echo $e->getTraceAsString();
}
```
2020-07-01 21:27:40 -04:00
Tyson Andre
b0a3de47e8
Mark create_function() as a taint sink (#3729)
create_function() is a thin wrapper around eval().
Fixes #3723
2020-07-01 18:09:30 -04:00
Brown
cb0f65dd91 Skip taint tests in Windows 2020-07-01 09:49:52 -04:00
Brown
671009a70c Specialize constructor taints cc @TysonAndre 2020-06-29 21:08:43 -04:00
Brown
e56483bb54 Fix #3711 - generalize call of specialized class without specializations 2020-06-29 17:42:01 -04:00
Brown
f6e2e0a84a Perform string casting for taints in ArgumentAnalyzer 2020-06-29 13:21:33 -04:00
Brown
45c21853e5 Fix #3709 - don’t crash on inherited __toString tainting 2020-06-29 12:11:11 -04:00
Matthew Brown
18f9e7487b
Remove string cast
Cc @TysonAndre
2020-06-29 09:54:07 -04:00
Brown
38977d797e Fix #3697 - cast types via implied __toString method 2020-06-29 09:13:19 -04:00
Brown
559b3d3471 Fix #3681 - taint exit like echo 2020-06-25 17:17:08 -04:00
Brown
07f7e5ccaf Reconciling should preserve taints
Fixes #3680
2020-06-25 17:04:18 -04:00
Brown
9837a60853 Fix #3675 - add taints to filter_var return
Doesn’t yet take callback into account
2020-06-25 13:24:26 -04:00
Brown
95bf7f835b Improve handling of array_map, faking out calls where nececssary 2020-06-25 13:05:34 -04:00
Brown
b8ebed0b85 Add a bit more accuracy 2020-06-25 01:00:11 -04:00
Brown
e26922010a Improve accuracy of array nesting checks 2020-06-25 00:50:52 -04:00
Brown
b84cf74754 Fix #3668 - taint property types for magic properties without @property 2020-06-25 00:24:37 -04:00
Brown
dd25b81d3a Fix #3670 - taint mixed foreach access 2020-06-24 19:16:30 -04:00