1
0
mirror of https://github.com/danog/psalm.git synced 2024-12-17 03:47:04 +01:00
Commit Graph

109 Commits

Author SHA1 Message Date
Matt Brown
667dcc2e49 No false-positives for tainting through array keys 2021-06-29 17:05:39 -04:00
Oliver Hader
38d3b15f8d
[BUGFIX] Specialize TaintSink in IncludeAnalyzer (#5986)
* [TEST] Assert more details in TaintTest

* [TEST] Add test for multiple tainted includes

* [BUGFIX] Specialize TaintSink in IncludeAnalyzer

Fixes: #5986
2021-06-23 08:27:03 -04:00
Matt Brown
47bf5ed567 Fix #5918 - add new issue to detect unquoted strings 2021-06-10 17:43:04 -04:00
Bruce Weirdan
6abce3525a
Enforce use sort (#5900) 2021-06-07 22:55:21 -04:00
Oliver Hader
b259296457
[BUGFIX] Continue processing psalm-flow graph after first taint sink (#5832)
Related: #5830
2021-05-26 16:04:22 -04:00
Oliver Hader
4898cd262e
[TASK] Enrich taint details for outputting core stubs (#5827)
Affects `printf`, `print_r`, `var_dump`, `var_export`
2021-05-24 16:42:18 -04:00
Matt Brown
f41deeab0a Taint through reset call 2021-03-28 13:14:35 -04:00
Matt Brown
10ccbdd8be Add tainting for array keys
Fixes #5470
2021-03-24 15:32:56 -04:00
Matt Brown
0f2a07a9a3 Fix #5137 – support @psalm-flow in methods 2021-01-31 22:40:48 -05:00
Adrien LUCAS
d1398f2b12
Avoid false positives for taint specialized calls even when not using a variable (#4948) 2021-01-07 16:39:51 -05:00
Adrien LUCAS
0f5886746f
Taint specialized calls even when not using a variable (#4940) 2021-01-06 14:14:52 -05:00
Matt Brown
9c0e9a3d7e Taint all when conditional return is used
Ref #4792
2020-12-06 11:24:48 -05:00
Matt Brown
3f155792a7 Allow nested specialisation 2020-12-04 15:44:29 -05:00
Matt Brown
fd67d41120 Fix #4769 – don’t use unique ids for new generated nodes 2020-12-04 15:44:29 -05:00
Matt Brown
9a03a9a5d0 Move param taint sink addition after arguuments have been analysed 2020-11-22 19:39:40 -05:00
Matt Brown
b782dd4225 Make sure conditional escaping works for static methods too 2020-11-22 13:39:32 -05:00
Matt Brown
af008953a8 Fix #4661 - support conditional escaping for functions 2020-11-22 13:24:33 -05:00
Lukas Reschke
ffb0c4ae17
Implement variadic taint propagation (#4649)
* Implement variadic taint propagation

* Lint code
2020-11-21 17:41:40 -05:00
Lukas Reschke
3943b55f8a
Add psalm-flow for string functions from sscanf to wordwrap (#4591)
* Add string functions from sscanf to wordwrap

This should conclude all string functions from https://www.php.net/manual/en/book.strings.php

Continuation of https://github.com/vimeo/psalm/pull/4576

Ref https://github.com/vimeo/psalm/issues/3636

* Add StrTrReturnTypeProvider

* Fix psalm error

* phpcs

* Line length

* Ignore false return on vsprintf

Co-authored-by: Matthew Brown <github@muglug.com>
2020-11-21 17:35:07 -05:00
Matt Brown
78d644d1a1 Change TaintedText to TaintedCallable 2020-11-19 19:01:19 -05:00
Lukas Reschke
78f4a0691c
Add dedicated types for 'file', 'header' and 'cookie' (#4630)
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'

* Add documentation

* Add mapping for taint flows

* Add tests

* Fix test
2020-11-19 17:47:29 -05:00
Matt Brown
7c02fa76d1 Fix #4620 - reconciled literal strings cannot carry taints 2020-11-19 09:06:25 -05:00
Matt Brown
95de6cf177 Allow immutable classes to be specialised through calls 2020-11-19 01:38:20 -05:00
Matt Brown
be275ae972 Fix #4605 - taint parent-declared property 2020-11-18 13:34:47 -05:00
Lukas Reschke
ddbfbb28e6
Split LDAP into custom category (#4604)
- Adds ldap_escape as sanitizer
- Defines the right parameters to ldap_search as sink
- Wrote documentation
- Added tests
2020-11-18 11:39:36 -05:00
Matt Brown
3f7f959726 Fix #4599 - propagate taints to parent callers where necessary 2020-11-18 09:59:54 -05:00
Lukas Reschke
5ba4681c17
Add SSRF sinks (#4592) 2020-11-18 00:52:48 -05:00
Matt Brown
28dee4146a Fix tests 2020-11-17 17:53:46 -05:00
Matt Brown
2aa98bc5d0 Simplify tainted output a bit, removing duplicate paths 2020-11-17 17:17:18 -05:00
Matt Brown
adeaa33a64 Don’t propagate taints to child constructor args 2020-11-17 16:49:29 -05:00
Matt Brown
43af3b1a57 Break out TaintedInput issues into a lot of separate ones 2020-11-17 12:44:31 -05:00
Lukas Reschke
09abcfb650
Add sinks for popen and proc_open (#4572)
User input in those two functions could lead to a RCE.

popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
2020-11-16 15:04:22 -05:00
Adrien LUCAS
4cb8e86737
Add a proxy capability to the flow annotation (#4495)
* Add a `passthru` capability to the flow annotation

* Fix passthru-calls type

* Fix types and rename to proxy

* Allow to proxy a method

Co-authored-by: Matthew Brown <github@muglug.com>
2020-11-09 15:22:35 -05:00
Matt Brown
67f9853756 Preserve reconciled taints for all but non-string scalar types 2020-11-08 10:27:58 -05:00
Matt Brown
14efde286f 4.x - refactor unused variable detection
This turns unused variable detection into an explicit control-flow problem, where before we had a more simplistic mark-and-sweep algorithm
2020-09-30 12:28:13 -04:00
orklah
37a2f8a33d
unused use statements (#4228) 2020-09-22 01:10:46 -04:00
Brown
5c23a3d7b3 Localise taint analysis better 2020-09-20 19:26:49 -04:00
orklah
ead107fa9e
More return types (#4173)
* add native return types

* redundant phpdoc
2020-09-12 11:24:05 -04:00
Bruce Weirdan
4dcb7183f5
Fix windows tests (#4040)
* Fix windows tests by not mangling the expectations

* Use platform-dependent directory separator in expected messages

* fix CS
2020-08-22 10:00:36 -04:00
Adrien LUCAS
d44130191b
Allow taint through strval sprintf (#3836)
* Add psalm-flow to strval

* Unexpected behavior with implode
2020-07-17 10:12:04 -04:00
Brown
67b2edc328 Allow more things to be suppressed with @psalm-suppress TaintedInput 2020-07-02 11:53:51 -04:00
Brown
ae7c5b095b Fix #3712 - allow taints to be suppressed with @psalm-suppress 2020-07-01 23:23:45 -04:00
Tyson Andre
e3d59bf5d4
Support taint detection on Throwable::getTraceAsString() (#3731)
And `__toString()`, which uses getTraceAsString().

Fixes #3696

```php
function login($username, $password, $secret) {
    throw new RuntimeException('login failure');
}
try {
    login('user', $_GET['pass'], SECRET);
} catch (Exception $e) {
    // This output includes unescaped 'pass' and SECRET
    echo $e, "\n";
    echo $e->getTraceAsString();
}
```
2020-07-01 21:27:40 -04:00
Tyson Andre
b0a3de47e8
Mark create_function() as a taint sink (#3729)
create_function() is a thin wrapper around eval().
Fixes #3723
2020-07-01 18:09:30 -04:00
Brown
cb0f65dd91 Skip taint tests in Windows 2020-07-01 09:49:52 -04:00
Brown
671009a70c Specialize constructor taints cc @TysonAndre 2020-06-29 21:08:43 -04:00
Brown
e56483bb54 Fix #3711 - generalize call of specialized class without specializations 2020-06-29 17:42:01 -04:00
Brown
f6e2e0a84a Perform string casting for taints in ArgumentAnalyzer 2020-06-29 13:21:33 -04:00
Brown
45c21853e5 Fix #3709 - don’t crash on inherited __toString tainting 2020-06-29 12:11:11 -04:00
Matthew Brown
18f9e7487b
Remove string cast
Cc @TysonAndre
2020-06-29 09:54:07 -04:00