Adrien LUCAS
d44130191b
Allow taint through strval sprintf ( #3836 )
...
* Add psalm-flow to strval
* Unexpected behavior with implode
2020-07-17 10:12:04 -04:00
Nat Zimmermann
a1a403e046
make meta path optional ( #3833 )
2020-07-17 10:09:42 -04:00
Nat Zimmermann
2ee126c567
correct *getcsv return types ( #3832 )
2020-07-17 10:09:21 -04:00
Brown
5392ae0b39
Fix UnusedMethodCall examples
2020-07-16 18:14:15 -04:00
Brown
d950ddfff6
Fix adding sink method
2020-07-16 16:04:17 -04:00
Brown
d1e62f1413
Add programattic sink method
...
Ref #3828
2020-07-16 16:02:26 -04:00
Brown
26a61c47c0
Prevent mixed erasure in get_class call
2020-07-16 13:56:42 -04:00
Brown
a2dbd31371
Fix usage of array_push results
2020-07-16 13:44:51 -04:00
Brown
262bb9fd89
Invalidate memoized getter method results after property assignment
2020-07-16 12:59:49 -04:00
Brown
b361b44889
Rip out plain getter property logic cc @m0003r
...
It gets in the way of the other IMO more useful memoisation logic (e.g. when a getter is declared final)
2020-07-16 12:42:59 -04:00
Brown
96bfd144df
Fix #3825 - ensure final getters are treated as mutation free
2020-07-16 11:58:27 -04:00
kesselb
aaba3a08ec
Add option to supress a referenced but undefined global variable. ( #3827 )
2020-07-16 09:49:59 -04:00
Brown
8fbc8de98a
Fix #3820 - don’t treat a method call as memoisable if it has assertions
2020-07-15 15:09:19 -04:00
Brown
06ee1b71c7
Improve check for empty array
2020-07-15 09:49:30 -04:00
ygottschalk
94e2552d1c
Fix #3810 removing ignore-nullable-return ( #3817 )
...
* Fix #3810 removing ignore-nullable-return form stubs of key, array_key_first, array_key_last
* fixed test failing due to changes to key()
* Improve key return type
* Remove unnecessary check
Co-authored-by: Matthew Brown <github@muglug.com>
2020-07-14 17:43:26 -04:00
Tyson Andre
f17a4911d5
Add more impure functions ( #3814 )
2020-07-14 17:14:09 -04:00
Evgeniy
fcd2ac3078
array_column check result non-emptyness ( #3813 )
...
* Update
* Update test
* Fix test
* Fix test
* inline function res in test
* cs
2020-07-14 17:13:45 -04:00
Brown
3c9028c182
Fix #3808 - allow detection of paradoxes in switch condition function calls
2020-07-14 10:51:12 -04:00
Brown
f0a5463834
Catch string subtypes that cannot be identical
2020-07-14 10:08:31 -04:00
Brown
2399643472
Fix #3811 - allow more complex negations inside boolean expressions
2020-07-13 21:31:58 -04:00
Bruce Weirdan
931d35a703
Collect and scan files included by the autoloaders ( #3183 )
...
Refs vimeo/psalm#2861
2020-07-11 17:17:22 -04:00
Joe Hoyle
b8c4abf08b
Add ability to Go to Definition on Use statements ( #3805 )
...
This adds the ability to use the LSP's "Go to Definition" on `use MyClass` statements.
Co-authored-by: Matthew Brown <github@muglug.com>
2020-07-11 17:16:44 -04:00
Joe Hoyle
0b6d682964
Fix going to definition on return type ( #3806 )
...
* Fix going to definition on return type
If a return type of a method or function is set incorrectly (with the PHP doc), then the references are not added for the `function() : MyClass` symbol, so the "Go to definition" feature of the LSP won't work. I don't believe an invalid return type or not should stop the symbol location being tracked (and not allowing code navigation).
In moved the symbol location tracking to be before the return early short circuit.
* Update SymbolLookupTest.php
Co-authored-by: Matthew Brown <github@muglug.com>
2020-07-11 17:14:39 -04:00
Joe Hoyle
11af82a97f
Fix jumping to definition on nullable parameters ( #3804 )
...
Currently it's not possible to "Go to definition" (LSP) on nullable args like `function( ?MyClass )` as the reference is stored a `MyClass|null` in the reference map, which will now resolve to a class name.
This PR removed any nullable type from the union before adding it to the reference map (as the reference map is only use to indicate a symbol was used in a given location, I think this makes sense).
2020-07-11 17:12:03 -04:00
Brown
2afbf58324
Prevent adding trait property types
2020-07-10 19:11:06 -04:00
Brown
9177ad5ce0
Add back fix
2020-07-10 17:13:11 -04:00
Brown
8d022307d2
Fix #3797 - prevent many chained assignments crashing Psalm
2020-07-10 16:49:45 -04:00
Brown
d71f12d250
Fix #3802 - allow increment inside isset expression
2020-07-10 16:14:24 -04:00
Brown
4f872674f9
Add space
2020-07-10 14:40:25 -04:00
Jon Ursenbach
6aca4c169e
feat: adding a runTaintAnalysis option into the config ( #3800 )
2020-07-10 13:22:03 -04:00
Brown
8349564cc4
Fix #3790 - removing false/null from template not redundant
2020-07-10 13:19:23 -04:00
Brown
cd8420aa94
Skip optimisation for unpacked args
2020-07-10 13:04:37 -04:00
Brown
d8eca89b44
Remove redundancy
2020-07-10 10:35:26 -04:00
Brown
38fdf4bef6
Treat array_push($a, ... as $a[]= ...
2020-07-10 10:20:02 -04:00
Joe Hoyle
d1ca68e57a
Fix offset calculation in getReferenceAtPosition ( #3783 )
...
* Fix calculation of getPositionFromOffse
* Add test for testGetSymbolPositionRange
* Fix code formatting.
2020-07-09 16:24:51 -04:00
Joe Hoyle
0119cd09c1
Always deep scan stubs ( #3781 )
...
In many sitations, stub files will receive a shallow _and_ deep scan when project files require extra analysys on things like parent classes. This makes stub file scanning inconsistent (orders become much less predictable for example), and adds extra process time to scan the files twice. In the case of stubs providing classes and functions for large projects, this is a non-trivial amount of time.
As deep scanning stubs should take just about as long as a shallow scan, it makes sense to just always deep scan them.
Fixes #3568 .
2020-07-08 17:42:51 -04:00
Tyson Andre
018c4bf545
Support generating a .console report text file. ( #3777 )
...
This is useful for use cases such as saving multiline taint detection results.
Only the compact and console reports seem to use color right now.
In many cases, adding color codes to a text file would make it harder to read
in an editor.
2020-07-08 15:09:31 -04:00
Tyson Andre
80e46cdb13
Support generating multiple report files ( #3776 )
...
E.g. `psalm --report=report.txt --report=report.pylint`.
It may be useful to have both a machine-readable and human readable
report, e.g. during taint analysis.
Previously, psalm would generate neither report if the report option was
repeated.
2020-07-08 15:08:17 -04:00
Brown
bf7bcc0dca
Fix #3779 - allow ParadoxicalCondition of default to be suppressed
2020-07-08 14:51:20 -04:00
Brown
33a834bb0b
Fix some property inference bugs
2020-07-08 14:43:36 -04:00
Brown
619c384509
Add indentation as necessary between property docblocks
2020-07-08 14:32:16 -04:00
Brown
f173ef6ef0
Add mixed types to prevent bad recommendations
2020-07-08 12:18:36 -04:00
Brown
cf67b9eef1
Fix #435 - add psalter fix for MissingPropertyType
2020-07-08 12:03:12 -04:00
Brown
6bdff42cda
Add support for potentially-assigned properties
2020-07-08 11:46:55 -04:00
Brown
0034f2e4bd
Don’t manipulate property storage during analysis
2020-07-07 19:32:44 -04:00
Tyson Andre
cda6bd0553
Fix "Could not get class storage" from cache ( #3769 )
...
Fixes #3671
This is better than an uncaught exception, at least, and I can detect
new issues if the constructor body changes
2020-07-07 17:10:51 -04:00
Brown
8ecee6df6d
Fix #3760 - prevent param remapping twice
2020-07-07 11:44:22 -04:00
Brown
82a85791f2
Fix #3764 - preserve sealed-ness of array into array_map
2020-07-07 09:31:43 -04:00
Brown
279cad3599
Fix #3755 - prevent crash when throw class not found
2020-07-07 00:29:46 -04:00
Tyson Andre
cad86aae5b
Fix typo for printr
( #3754 )
...
Related to #3744
`print_r` is only a taint sink when `$return` is false or absent.
2020-07-07 00:25:14 -04:00
Brown
1b498e6dae
Remove unused variable
2020-07-06 17:41:07 -04:00
Brown
eb3ce8d368
Remove unused code
2020-07-06 15:39:52 -04:00
Brown
ada2fe033e
Remove comma
2020-07-05 15:21:44 -04:00
Brown
ab6df0a5d1
Fix #3753 - resolve self-references in trait as statements earlier
2020-07-05 12:05:25 -04:00
Brown
42a3cedd31
Fix #3742 - add null to type after possibly null array access
2020-07-05 09:12:07 -04:00
jarstelfox
3096afed99
Fix echo false issue ( #3751 )
...
* Echo: add failing test case
echo false; is a noop, not an issue
* Echo: Fix failing test case
2020-07-05 08:55:42 -04:00
Brown
7c7ebd068f
Make invalidation more robust
2020-07-03 12:59:07 -04:00
Brown
5da29955ee
Use better replacement when analysing potentially-inherited templated type
2020-07-03 12:25:33 -04:00
Brown
44d7f51857
Generalise init vars inside for loops
...
Ref #3085
2020-07-03 11:13:44 -04:00
Brown
3d0a8c4c59
Fix #3738 - allow storing references to class-strings inside immutable
2020-07-03 08:47:50 -04:00
Brown
6419788a49
Remove false from template param as necessary
...
Fixes #3737
2020-07-03 01:07:50 -04:00
lhchavez
ba63ccb825
Improve \Psalm\Internal\Scanner\DocblockParser::parse() ( #3736 )
...
This change avoids calling `str_replace()` on the original docblock and
instead only operates on the parsed (and modified) lines. This now makes
it so that if there are substrings of the docblock that match a tag
match, it won't get prematurely removed, therefore avoiding mangling of
the parsed docblock's description.
Fixes : #3735
2020-07-02 17:55:57 -04:00
Brown
1745f5cafa
Fix too-long line
2020-07-02 15:32:13 -04:00
Brown
cb94764d22
Prevent false-positive for Exception::__toString overriding
2020-07-02 14:09:56 -04:00
Brown
0c582e9993
Fix #3685 - improve handling of if conditionals inside do
2020-07-02 13:59:59 -04:00
Brown
cf1a8ac5fc
Suppress taints in instance properties
2020-07-02 12:08:42 -04:00
Brown
67b2edc328
Allow more things to be suppressed with @psalm-suppress TaintedInput
2020-07-02 11:53:51 -04:00
Matthew Brown
fab07c58bd
Add slash
2020-07-02 01:32:40 -04:00
Brown
ea82cdc6ea
Fix #3726 - infer generic template from class-string
2020-07-02 01:11:46 -04:00
Brown
ae7c5b095b
Fix #3712 - allow taints to be suppressed with @psalm-suppress
2020-07-01 23:23:45 -04:00
Tyson Andre
e3d59bf5d4
Support taint detection on Throwable::getTraceAsString() ( #3731 )
...
And `__toString()`, which uses getTraceAsString().
Fixes #3696
```php
function login($username, $password, $secret) {
throw new RuntimeException('login failure');
}
try {
login('user', $_GET['pass'], SECRET);
} catch (Exception $e) {
// This output includes unescaped 'pass' and SECRET
echo $e, "\n";
echo $e->getTraceAsString();
}
```
2020-07-01 21:27:40 -04:00
Brown
0f548c83ea
Fix redundant condition
2020-07-01 19:31:10 -04:00
Brown
6c62e46d15
Only emit one error for erroneous array_map string closure types
2020-07-01 19:18:01 -04:00
Brown
4d73b2501b
Allow multiple args passed to array_map
2020-07-01 19:11:49 -04:00
Brown
70ab4c18f4
Fix #3720 - allow literal unions in keys to map to object-like arrays
2020-07-01 18:57:19 -04:00
Olle Härstedt
d8e8ce428e
Add new annotation: @psalm-self-out ( #3650 )
...
* Add new config: sealAllMethods
* Add some more tests
* Fix codesniffer issue with preg_quote
* Fix missing method in test
* New tag @self-out (WIP)
* Add self_out_type to method storage
* Add some notes
* More work on self-out (WIP)
* More work on self-out (WIP)
* Use psalm-self-out instead of self-out
* Remove extra file
* Cleanup
* Wrap around try-catch - how to check if a method has/should have storage?
* New method hasStorage()
* Fix indentation
* Fix some errors
* Fix indentation
* Cast storage type to type
* Add proper use-statement in method storage
* Correct test class name
* Allow self_out to be null
* method_id can be string (why, when?)
Co-authored-by: Olle <noemail>
2020-07-01 18:10:24 -04:00
Tyson Andre
b0a3de47e8
Mark create_function() as a taint sink ( #3729 )
...
create_function() is a thin wrapper around eval().
Fixes #3723
2020-07-01 18:09:30 -04:00
Brown
e13da22292
Allow cloning interfaces
2020-07-01 11:14:31 -04:00
Brown
fca350c498
Prevent a few crashes with really bad code
2020-07-01 10:30:10 -04:00
Brown
6047b7b6cb
Fix #3719 - prevent crash when cloning missing class
2020-07-01 10:10:55 -04:00
Brown
4c368da75e
Fix #3721 - prevent crash on empty @method
2020-07-01 09:00:33 -04:00
Brown
cceacde01d
Hide fixable issues when running with taint analysis
...
Fixes #3722
2020-07-01 08:55:58 -04:00
Brown
17558a5c0e
Fix #3676 - add multiline output for TaintedInput issues
2020-06-30 13:17:51 -04:00
Brown
671009a70c
Specialize constructor taints cc @TysonAndre
2020-06-29 21:08:43 -04:00
Brown
7288dfc620
Fix #3715 - unserialize is a taint sink
2020-06-29 17:54:47 -04:00
Brown
7253e01000
Fix #3716 - prevent crash for Foo|? return type
2020-06-29 17:52:55 -04:00
Brown
e56483bb54
Fix #3711 - generalize call of specialized class without specializations
2020-06-29 17:42:01 -04:00
Brown
ab29ac0e51
Only cast in echo when tracking taints
2020-06-29 15:06:11 -04:00
Brown
cff976049d
Remove unused vars
2020-06-29 13:24:05 -04:00
Brown
f6e2e0a84a
Perform string casting for taints in ArgumentAnalyzer
2020-06-29 13:21:33 -04:00
Brown
45c21853e5
Fix #3709 - don’t crash on inherited __toString tainting
2020-06-29 12:11:11 -04:00
Brown
aab90fb74e
Fix Psalm errors
2020-06-29 09:29:19 -04:00
Brown
38977d797e
Fix #3697 - cast types via implied __toString method
2020-06-29 09:13:19 -04:00
Brown
b54b832838
Break out method call tainting
2020-06-29 00:14:49 -04:00
Barney Laurance
3f8aa64ee9
Treat methods of internal or psalm internal classes as internal ( #3698 )
...
When both the method and the class are annotated as psalm-internal,
but to different namespaces, we consider the method internal to
whichever namespace is longer, i.e. the smaller code module.
Issue reported at https://github.com/vimeo/psalm/issues/3457
2020-06-28 13:15:54 -04:00
Simon Podlipsky
0f727e7607
Add RdKafka\ProducerTopic::producev() to CallMap ( #3700 )
2020-06-28 13:15:11 -04:00
Brown
c95ebfeb21
Fix #3694 - allow two args for PDO::query
2020-06-26 18:26:06 -04:00
Fabien Villepinte
c42dadaf0d
Redis::getDbNum|getHost can return false ( #3673 ) ( #3693 )
2020-06-26 18:14:10 -04:00
Tyson Andre
3a9c7432e1
Add psalm-taint-specialize for preg_replace_callback ( #3683 )
...
Fixes https://psalm.dev/r/517c4a169e
2020-06-26 08:58:57 -04:00
Brown
bcd7478352
Reduce memory footprint a little
2020-06-25 19:12:30 -04:00
Brown
8404fa0750
Allow use of a different baseline
...
Ref #3672
2020-06-25 17:31:03 -04:00
Brown
559b3d3471
Fix #3681 - taint exit like echo
2020-06-25 17:17:08 -04:00
Brown
07f7e5ccaf
Reconciling should preserve taints
...
Fixes #3680
2020-06-25 17:04:18 -04:00
Brown
9837a60853
Fix #3675 - add taints to filter_var return
...
Doesn’t yet take callback into account
2020-06-25 13:24:26 -04:00
Brown
9e7650586b
Fix bugs
2020-06-25 13:21:11 -04:00
Brown
95bf7f835b
Improve handling of array_map, faking out calls where nececssary
2020-06-25 13:05:34 -04:00
Brown
f458959af5
Add param type
2020-06-25 01:40:19 -04:00
Brown
d7f1bde6da
Refactor taint acccess checks
2020-06-25 01:32:57 -04:00
Brown
b8ebed0b85
Add a bit more accuracy
2020-06-25 01:00:11 -04:00
Brown
e26922010a
Improve accuracy of array nesting checks
2020-06-25 00:50:52 -04:00
Brown
b84cf74754
Fix #3668 - taint property types for magic properties without @property
2020-06-25 00:24:37 -04:00
Brown
dd25b81d3a
Fix #3670 - taint mixed foreach access
2020-06-24 19:16:30 -04:00
Brown
a6c7a48387
Add support for argument unpacking
...
Ref #3670
2020-06-24 18:43:15 -04:00
Tyson Andre
1670848267
Mark print() statement as the same sink type as echo ( #3669 )
2020-06-24 17:23:16 -04:00
Brown
de85e7c539
Fix blips
2020-06-24 13:19:14 -04:00
Brown
7a7cd91c24
Fix #3631 - better treatment for assignments in complex conditionals
2020-06-24 13:16:52 -04:00
Brown
9aa0aca949
Fix handling of coerced callmap args
2020-06-24 11:51:31 -04:00
Brown
c29b3744ec
Change storage of out types
2020-06-24 11:51:31 -04:00
Brown
96d05ab06b
Fix #3654 - use correct function id for namespaced functions
2020-06-23 16:53:11 -04:00
Brown
6a746b65ea
Fix #3655 - taint encapsulated strings
2020-06-23 16:38:59 -04:00
Brown
13fc8a75fd
Allow taints to flow where no return type exists
...
Fixes #3652
2020-06-23 15:52:19 -04:00
Brown
f46236ad71
Taint flows through preg_replace_callback
2020-06-23 15:28:31 -04:00
Brown
f72b609d42
Fix #3642 - detect missing property when name matches
2020-06-23 13:12:46 -04:00
Brown
4d6fc4d0ca
Fix get_class($foo) === static::class checks
2020-06-23 13:11:19 -04:00
Brown
9b860214d5
Fix #3639 - allow coerced types to count when picking callmap options
2020-06-22 20:24:34 -04:00
Brown
1f86afece7
Revert "Fix #3631 - apply assertions to RHS of equality in conditional"
...
This reverts commit 9c17795545
.
2020-06-22 20:01:27 -04:00
Brown
fc8212e207
Fix static call specialisation via annotation
2020-06-22 18:40:43 -04:00
Tyson Andre
bee10a2eb4
Add a --debug-emitted-issues flag ( #3637 )
...
And support --debug-by-line in psalter and psalm-refactor.
Those were previously not supported in getopt()
Fixes #3634
2020-06-22 18:16:47 -04:00
Brown
e8be2c500e
Support taint flows in more functions
2020-06-22 17:53:03 -04:00
Brown
7f05b3c530
Add $_REQUEST as a taint source
...
Ref #3636
2020-06-22 17:16:15 -04:00
Tyson Andre
f2f5606ca8
Document other supported --report
file names ( #3633 )
2020-06-22 15:21:16 -04:00
Brown
9c17795545
Fix #3631 - apply assertions to RHS of equality in conditional
2020-06-22 15:16:16 -04:00
Brown
d46283075d
Add --taint-analysis to command line help
2020-06-22 11:39:46 -04:00
Brown
81e2745cf1
Add more options
2020-06-22 11:24:38 -04:00
Brown
dddc159694
Add explicit path object
2020-06-22 02:10:03 -04:00
Brown
36f1630e03
Add more steps for clearer output
2020-06-22 01:08:58 -04:00
Brown
02e8313c39
Allow taintedness to propagate to some stubbed methods
2020-06-21 18:07:39 -04:00
Brown
fbe3433edd
Use escape terminology
2020-06-21 11:43:08 -04:00
Brown
07adecc6eb
Use correct method id when creating taints
2020-06-21 02:06:08 -04:00
Brown
dc83c2e2fc
Add annotation for taint sources
2020-06-21 00:58:56 -04:00
Brown
cbd7ba8ed8
Fix return type
2020-06-20 23:34:39 -04:00
Brown
10e4e9ac65
Fix #3617 - prevent crash when constant class doesn’t exist
2020-06-20 23:30:36 -04:00
Brown
f21d3a8346
Remove html and sql taints for simple preg_replace patterns
2020-06-20 23:11:42 -04:00
Brown
8edee96d8d
Fix taint regression
2020-06-20 18:10:01 -04:00
Brown
80ed1daf33
Allow static method mixin to invoke instance method
2020-06-20 18:05:35 -04:00
Brown
2ccec821f8
Fix #3624 - inherit magic property annotations from traits
2020-06-20 16:53:17 -04:00
Brown
2c5c9e95e1
Don’t add two @return docblocks after @method
2020-06-20 15:30:47 -04:00
Brown
edbeec2c6a
Fix @method annotation namespacing
2020-06-20 15:18:22 -04:00
Ilija Tovilo
2f646d29db
Fix #3607 - constant string class reference with leading backslash ( #3612 )
2020-06-19 18:02:39 -04:00
Brown
51202c75ea
Add taint docs
2020-06-19 11:56:12 -04:00