Bruce Weirdan
6abce3525a
Enforce use
sort ( #5900 )
2021-06-07 22:55:21 -04:00
Oliver Hader
b259296457
[BUGFIX] Continue processing psalm-flow graph after first taint sink ( #5832 )
...
Related: #5830
2021-05-26 16:04:22 -04:00
Oliver Hader
4898cd262e
[TASK] Enrich taint details for outputting core stubs ( #5827 )
...
Affects `printf`, `print_r`, `var_dump`, `var_export`
2021-05-24 16:42:18 -04:00
Matt Brown
f41deeab0a
Taint through reset call
2021-03-28 13:14:35 -04:00
Matt Brown
10ccbdd8be
Add tainting for array keys
...
Fixes #5470
2021-03-24 15:32:56 -04:00
Matt Brown
0f2a07a9a3
Fix #5137 – support @psalm-flow in methods
2021-01-31 22:40:48 -05:00
Adrien LUCAS
d1398f2b12
Avoid false positives for taint specialized calls even when not using a variable ( #4948 )
2021-01-07 16:39:51 -05:00
Adrien LUCAS
0f5886746f
Taint specialized calls even when not using a variable ( #4940 )
2021-01-06 14:14:52 -05:00
Matt Brown
9c0e9a3d7e
Taint all when conditional return is used
...
Ref #4792
2020-12-06 11:24:48 -05:00
Matt Brown
3f155792a7
Allow nested specialisation
2020-12-04 15:44:29 -05:00
Matt Brown
fd67d41120
Fix #4769 – don’t use unique ids for new generated nodes
2020-12-04 15:44:29 -05:00
Matt Brown
9a03a9a5d0
Move param taint sink addition after arguuments have been analysed
2020-11-22 19:39:40 -05:00
Matt Brown
b782dd4225
Make sure conditional escaping works for static methods too
2020-11-22 13:39:32 -05:00
Matt Brown
af008953a8
Fix #4661 - support conditional escaping for functions
2020-11-22 13:24:33 -05:00
Lukas Reschke
ffb0c4ae17
Implement variadic taint propagation ( #4649 )
...
* Implement variadic taint propagation
* Lint code
2020-11-21 17:41:40 -05:00
Lukas Reschke
3943b55f8a
Add psalm-flow for string functions from sscanf to wordwrap ( #4591 )
...
* Add string functions from sscanf to wordwrap
This should conclude all string functions from https://www.php.net/manual/en/book.strings.php
Continuation of https://github.com/vimeo/psalm/pull/4576
Ref https://github.com/vimeo/psalm/issues/3636
* Add StrTrReturnTypeProvider
* Fix psalm error
* phpcs
* Line length
* Ignore false return on vsprintf
Co-authored-by: Matthew Brown <github@muglug.com>
2020-11-21 17:35:07 -05:00
Matt Brown
78d644d1a1
Change TaintedText to TaintedCallable
2020-11-19 19:01:19 -05:00
Lukas Reschke
78f4a0691c
Add dedicated types for 'file', 'header' and 'cookie' ( #4630 )
...
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'
* Add documentation
* Add mapping for taint flows
* Add tests
* Fix test
2020-11-19 17:47:29 -05:00
Matt Brown
7c02fa76d1
Fix #4620 - reconciled literal strings cannot carry taints
2020-11-19 09:06:25 -05:00
Matt Brown
95de6cf177
Allow immutable classes to be specialised through calls
2020-11-19 01:38:20 -05:00
Matt Brown
be275ae972
Fix #4605 - taint parent-declared property
2020-11-18 13:34:47 -05:00
Lukas Reschke
ddbfbb28e6
Split LDAP into custom category ( #4604 )
...
- Adds ldap_escape as sanitizer
- Defines the right parameters to ldap_search as sink
- Wrote documentation
- Added tests
2020-11-18 11:39:36 -05:00
Matt Brown
3f7f959726
Fix #4599 - propagate taints to parent callers where necessary
2020-11-18 09:59:54 -05:00
Lukas Reschke
5ba4681c17
Add SSRF sinks ( #4592 )
2020-11-18 00:52:48 -05:00
Matt Brown
28dee4146a
Fix tests
2020-11-17 17:53:46 -05:00
Matt Brown
2aa98bc5d0
Simplify tainted output a bit, removing duplicate paths
2020-11-17 17:17:18 -05:00
Matt Brown
adeaa33a64
Don’t propagate taints to child constructor args
2020-11-17 16:49:29 -05:00
Matt Brown
43af3b1a57
Break out TaintedInput issues into a lot of separate ones
2020-11-17 12:44:31 -05:00
Lukas Reschke
09abcfb650
Add sinks for popen and proc_open ( #4572 )
...
User input in those two functions could lead to a RCE.
popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
2020-11-16 15:04:22 -05:00
Adrien LUCAS
4cb8e86737
Add a proxy
capability to the flow annotation ( #4495 )
...
* Add a `passthru` capability to the flow annotation
* Fix passthru-calls type
* Fix types and rename to proxy
* Allow to proxy a method
Co-authored-by: Matthew Brown <github@muglug.com>
2020-11-09 15:22:35 -05:00
Matt Brown
67f9853756
Preserve reconciled taints for all but non-string scalar types
2020-11-08 10:27:58 -05:00
Matt Brown
14efde286f
4.x - refactor unused variable detection
...
This turns unused variable detection into an explicit control-flow problem, where before we had a more simplistic mark-and-sweep algorithm
2020-09-30 12:28:13 -04:00
orklah
37a2f8a33d
unused use statements ( #4228 )
2020-09-22 01:10:46 -04:00
Brown
5c23a3d7b3
Localise taint analysis better
2020-09-20 19:26:49 -04:00
orklah
ead107fa9e
More return types ( #4173 )
...
* add native return types
* redundant phpdoc
2020-09-12 11:24:05 -04:00
Bruce Weirdan
4dcb7183f5
Fix windows tests ( #4040 )
...
* Fix windows tests by not mangling the expectations
* Use platform-dependent directory separator in expected messages
* fix CS
2020-08-22 10:00:36 -04:00
Adrien LUCAS
d44130191b
Allow taint through strval sprintf ( #3836 )
...
* Add psalm-flow to strval
* Unexpected behavior with implode
2020-07-17 10:12:04 -04:00
Brown
67b2edc328
Allow more things to be suppressed with @psalm-suppress TaintedInput
2020-07-02 11:53:51 -04:00
Brown
ae7c5b095b
Fix #3712 - allow taints to be suppressed with @psalm-suppress
2020-07-01 23:23:45 -04:00
Tyson Andre
e3d59bf5d4
Support taint detection on Throwable::getTraceAsString() ( #3731 )
...
And `__toString()`, which uses getTraceAsString().
Fixes #3696
```php
function login($username, $password, $secret) {
throw new RuntimeException('login failure');
}
try {
login('user', $_GET['pass'], SECRET);
} catch (Exception $e) {
// This output includes unescaped 'pass' and SECRET
echo $e, "\n";
echo $e->getTraceAsString();
}
```
2020-07-01 21:27:40 -04:00
Tyson Andre
b0a3de47e8
Mark create_function() as a taint sink ( #3729 )
...
create_function() is a thin wrapper around eval().
Fixes #3723
2020-07-01 18:09:30 -04:00
Brown
cb0f65dd91
Skip taint tests in Windows
2020-07-01 09:49:52 -04:00
Brown
671009a70c
Specialize constructor taints cc @TysonAndre
2020-06-29 21:08:43 -04:00
Brown
e56483bb54
Fix #3711 - generalize call of specialized class without specializations
2020-06-29 17:42:01 -04:00
Brown
f6e2e0a84a
Perform string casting for taints in ArgumentAnalyzer
2020-06-29 13:21:33 -04:00
Brown
45c21853e5
Fix #3709 - don’t crash on inherited __toString tainting
2020-06-29 12:11:11 -04:00
Matthew Brown
18f9e7487b
Remove string cast
...
Cc @TysonAndre
2020-06-29 09:54:07 -04:00
Brown
38977d797e
Fix #3697 - cast types via implied __toString method
2020-06-29 09:13:19 -04:00
Brown
559b3d3471
Fix #3681 - taint exit like echo
2020-06-25 17:17:08 -04:00
Brown
07f7e5ccaf
Reconciling should preserve taints
...
Fixes #3680
2020-06-25 17:04:18 -04:00
Brown
9837a60853
Fix #3675 - add taints to filter_var return
...
Doesn’t yet take callback into account
2020-06-25 13:24:26 -04:00
Brown
95bf7f835b
Improve handling of array_map, faking out calls where nececssary
2020-06-25 13:05:34 -04:00
Brown
b8ebed0b85
Add a bit more accuracy
2020-06-25 01:00:11 -04:00
Brown
e26922010a
Improve accuracy of array nesting checks
2020-06-25 00:50:52 -04:00
Brown
b84cf74754
Fix #3668 - taint property types for magic properties without @property
2020-06-25 00:24:37 -04:00
Brown
dd25b81d3a
Fix #3670 - taint mixed foreach access
2020-06-24 19:16:30 -04:00
Brown
a6c7a48387
Add support for argument unpacking
...
Ref #3670
2020-06-24 18:43:15 -04:00
Brown
d03a53a5ad
Fix return type
2020-06-24 18:33:09 -04:00
Brown
828d9defb4
Use compact test format
2020-06-24 18:28:21 -04:00
Tyson Andre
1670848267
Mark print() statement as the same sink type as echo ( #3669 )
2020-06-24 17:23:16 -04:00
Brown
96d05ab06b
Fix #3654 - use correct function id for namespaced functions
2020-06-23 16:53:11 -04:00
Brown
6a746b65ea
Fix #3655 - taint encapsulated strings
2020-06-23 16:38:59 -04:00
Brown
13fc8a75fd
Allow taints to flow where no return type exists
...
Fixes #3652
2020-06-23 15:52:19 -04:00
Brown
f46236ad71
Taint flows through preg_replace_callback
2020-06-23 15:28:31 -04:00
Brown
fc8212e207
Fix static call specialisation via annotation
2020-06-22 18:40:43 -04:00
Brown
e8be2c500e
Support taint flows in more functions
2020-06-22 17:53:03 -04:00
Brown
dddc159694
Add explicit path object
2020-06-22 02:10:03 -04:00
Brown
36f1630e03
Add more steps for clearer output
2020-06-22 01:08:58 -04:00
Brown
fbe3433edd
Use escape terminology
2020-06-21 11:43:08 -04:00
Brown
dc83c2e2fc
Add annotation for taint sources
2020-06-21 00:58:56 -04:00
Brown
f21d3a8346
Remove html and sql taints for simple preg_replace patterns
2020-06-20 23:11:42 -04:00
Brown
a7a23b4c1c
Remove letter
2020-06-19 09:41:25 -04:00
Brown
b1c836e5f3
Improve specialisation after call
2020-06-19 01:59:45 -04:00
Brown
8f2e28c36b
Improve tainting of specializable classes
2020-06-19 01:22:51 -04:00
Brown
49f0592794
Improve tracking of array taints
2020-06-18 18:48:19 -04:00
Brown
562a7c1ca4
Track taints from all tainted arrays
2020-06-18 13:45:58 -04:00
Brown
03e9649d49
Fix tainting of function calls absent taintable params
2020-06-15 20:59:48 -04:00
Brown
56ef220e49
Fix bugs in taint specialisation
2020-06-15 18:34:56 -04:00
Brown
7e7456c863
Make taint checks more thorough
2020-05-25 17:10:53 -04:00
Brown
92a9a7efdf
Handle flows into arguments a little better
2020-05-23 23:54:16 -04:00
Brown
a198b09eb7
Add intermediary concat op node
2020-05-23 21:38:09 -04:00
Brown
16af6a5773
Improve concat taint propagation
2020-05-23 01:11:16 -04:00
Brown
10c106f7eb
Add eval sink
2020-05-23 00:03:29 -04:00
Brown
dc73e25157
Detect taints in include calls
2020-05-22 23:53:37 -04:00
Brown
8632cdb3cd
Improve taint tracking during scanning phase
2020-05-22 12:33:48 -04:00
Brown
63c3678ae5
Improve property location resolution
2020-05-22 12:33:38 -04:00
Matthew Brown
187b944680
Add faster taint analysis
2020-05-22 12:33:29 -04:00
Matthew Brown
5910a362ea
Improve report output of taint analysis
2019-10-19 17:59:10 -04:00
Brown
b29227aaf6
Allow taints to be removed via annotation
2019-10-15 16:25:27 -04:00
Brown
5e649f684c
Fix erroneous return type resolution
2019-10-14 17:10:30 -04:00
Matthew Brown
8c6b234c2c
Improve speed of taint analysis
2019-10-13 20:10:31 -04:00
Matthew Brown
7e2d00d6ed
Allow taints to be added to root array types
2019-10-12 12:23:40 -04:00
Matthew Brown
4478d31593
Taint arrays in creation
2019-10-11 23:28:17 -04:00
Brown
3001eb9d34
Move taint location to end
2019-08-21 09:53:00 -04:00
Brown
9696fb8dce
Follow taint to source when reporting
2019-08-20 17:38:15 -04:00
Brown
e92896f145
Fix taint records
2019-08-14 09:52:59 -04:00
Matthew Brown
600999a3a8
Add better typing
2019-08-14 00:47:57 -04:00
Brown
c3949e3194
Improve taint protection for exec-related commands
2019-08-13 19:18:50 -04:00
Matthew Brown
d5b026839c
Add support for different taint types ref #1990
2019-08-12 23:16:05 -04:00
Brown
14b37b95af
Fix potential recursion
2019-08-06 17:29:44 -04:00