1
0
mirror of https://github.com/danog/psalm.git synced 2024-12-15 02:47:02 +01:00
Commit Graph

129 Commits

Author SHA1 Message Date
Matt Brown
43af3b1a57 Break out TaintedInput issues into a lot of separate ones 2020-11-17 12:44:31 -05:00
Lukas Reschke
09abcfb650
Add sinks for popen and proc_open (#4572)
User input in those two functions could lead to a RCE.

popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
2020-11-16 15:04:22 -05:00
Adrien LUCAS
4cb8e86737
Add a proxy capability to the flow annotation (#4495)
* Add a `passthru` capability to the flow annotation

* Fix passthru-calls type

* Fix types and rename to proxy

* Allow to proxy a method

Co-authored-by: Matthew Brown <github@muglug.com>
2020-11-09 15:22:35 -05:00
Matt Brown
67f9853756 Preserve reconciled taints for all but non-string scalar types 2020-11-08 10:27:58 -05:00
Matt Brown
14efde286f 4.x - refactor unused variable detection
This turns unused variable detection into an explicit control-flow problem, where before we had a more simplistic mark-and-sweep algorithm
2020-09-30 12:28:13 -04:00
orklah
37a2f8a33d
unused use statements (#4228) 2020-09-22 01:10:46 -04:00
Brown
5c23a3d7b3 Localise taint analysis better 2020-09-20 19:26:49 -04:00
orklah
ead107fa9e
More return types (#4173)
* add native return types

* redundant phpdoc
2020-09-12 11:24:05 -04:00
Bruce Weirdan
4dcb7183f5
Fix windows tests (#4040)
* Fix windows tests by not mangling the expectations

* Use platform-dependent directory separator in expected messages

* fix CS
2020-08-22 10:00:36 -04:00
Adrien LUCAS
d44130191b
Allow taint through strval sprintf (#3836)
* Add psalm-flow to strval

* Unexpected behavior with implode
2020-07-17 10:12:04 -04:00
Brown
67b2edc328 Allow more things to be suppressed with @psalm-suppress TaintedInput 2020-07-02 11:53:51 -04:00
Brown
ae7c5b095b Fix #3712 - allow taints to be suppressed with @psalm-suppress 2020-07-01 23:23:45 -04:00
Tyson Andre
e3d59bf5d4
Support taint detection on Throwable::getTraceAsString() (#3731)
And `__toString()`, which uses getTraceAsString().

Fixes #3696

```php
function login($username, $password, $secret) {
    throw new RuntimeException('login failure');
}
try {
    login('user', $_GET['pass'], SECRET);
} catch (Exception $e) {
    // This output includes unescaped 'pass' and SECRET
    echo $e, "\n";
    echo $e->getTraceAsString();
}
```
2020-07-01 21:27:40 -04:00
Tyson Andre
b0a3de47e8
Mark create_function() as a taint sink (#3729)
create_function() is a thin wrapper around eval().
Fixes #3723
2020-07-01 18:09:30 -04:00
Brown
cb0f65dd91 Skip taint tests in Windows 2020-07-01 09:49:52 -04:00
Brown
671009a70c Specialize constructor taints cc @TysonAndre 2020-06-29 21:08:43 -04:00
Brown
e56483bb54 Fix #3711 - generalize call of specialized class without specializations 2020-06-29 17:42:01 -04:00
Brown
f6e2e0a84a Perform string casting for taints in ArgumentAnalyzer 2020-06-29 13:21:33 -04:00
Brown
45c21853e5 Fix #3709 - don’t crash on inherited __toString tainting 2020-06-29 12:11:11 -04:00
Matthew Brown
18f9e7487b
Remove string cast
Cc @TysonAndre
2020-06-29 09:54:07 -04:00
Brown
38977d797e Fix #3697 - cast types via implied __toString method 2020-06-29 09:13:19 -04:00
Brown
559b3d3471 Fix #3681 - taint exit like echo 2020-06-25 17:17:08 -04:00
Brown
07f7e5ccaf Reconciling should preserve taints
Fixes #3680
2020-06-25 17:04:18 -04:00
Brown
9837a60853 Fix #3675 - add taints to filter_var return
Doesn’t yet take callback into account
2020-06-25 13:24:26 -04:00
Brown
95bf7f835b Improve handling of array_map, faking out calls where nececssary 2020-06-25 13:05:34 -04:00
Brown
b8ebed0b85 Add a bit more accuracy 2020-06-25 01:00:11 -04:00
Brown
e26922010a Improve accuracy of array nesting checks 2020-06-25 00:50:52 -04:00
Brown
b84cf74754 Fix #3668 - taint property types for magic properties without @property 2020-06-25 00:24:37 -04:00
Brown
dd25b81d3a Fix #3670 - taint mixed foreach access 2020-06-24 19:16:30 -04:00
Brown
a6c7a48387 Add support for argument unpacking
Ref #3670
2020-06-24 18:43:15 -04:00
Brown
d03a53a5ad Fix return type 2020-06-24 18:33:09 -04:00
Brown
828d9defb4 Use compact test format 2020-06-24 18:28:21 -04:00
Tyson Andre
1670848267
Mark print() statement as the same sink type as echo (#3669) 2020-06-24 17:23:16 -04:00
Brown
96d05ab06b Fix #3654 - use correct function id for namespaced functions 2020-06-23 16:53:11 -04:00
Brown
6a746b65ea Fix #3655 - taint encapsulated strings 2020-06-23 16:38:59 -04:00
Brown
13fc8a75fd Allow taints to flow where no return type exists
Fixes #3652
2020-06-23 15:52:19 -04:00
Brown
f46236ad71 Taint flows through preg_replace_callback 2020-06-23 15:28:31 -04:00
Brown
fc8212e207 Fix static call specialisation via annotation 2020-06-22 18:40:43 -04:00
Brown
e8be2c500e Support taint flows in more functions 2020-06-22 17:53:03 -04:00
Brown
dddc159694 Add explicit path object 2020-06-22 02:10:03 -04:00
Brown
36f1630e03 Add more steps for clearer output 2020-06-22 01:08:58 -04:00
Brown
fbe3433edd Use escape terminology 2020-06-21 11:43:08 -04:00
Brown
dc83c2e2fc Add annotation for taint sources 2020-06-21 00:58:56 -04:00
Brown
f21d3a8346 Remove html and sql taints for simple preg_replace patterns 2020-06-20 23:11:42 -04:00
Brown
a7a23b4c1c Remove letter 2020-06-19 09:41:25 -04:00
Brown
b1c836e5f3 Improve specialisation after call 2020-06-19 01:59:45 -04:00
Brown
8f2e28c36b Improve tainting of specializable classes 2020-06-19 01:22:51 -04:00
Brown
49f0592794 Improve tracking of array taints 2020-06-18 18:48:19 -04:00
Brown
562a7c1ca4 Track taints from all tainted arrays 2020-06-18 13:45:58 -04:00
Brown
03e9649d49 Fix tainting of function calls absent taintable params 2020-06-15 20:59:48 -04:00
Brown
56ef220e49 Fix bugs in taint specialisation 2020-06-15 18:34:56 -04:00
Brown
7e7456c863 Make taint checks more thorough 2020-05-25 17:10:53 -04:00
Brown
92a9a7efdf Handle flows into arguments a little better 2020-05-23 23:54:16 -04:00
Brown
a198b09eb7 Add intermediary concat op node 2020-05-23 21:38:09 -04:00
Brown
16af6a5773 Improve concat taint propagation 2020-05-23 01:11:16 -04:00
Brown
10c106f7eb Add eval sink 2020-05-23 00:03:29 -04:00
Brown
dc73e25157 Detect taints in include calls 2020-05-22 23:53:37 -04:00
Brown
8632cdb3cd Improve taint tracking during scanning phase 2020-05-22 12:33:48 -04:00
Brown
63c3678ae5 Improve property location resolution 2020-05-22 12:33:38 -04:00
Matthew Brown
187b944680 Add faster taint analysis 2020-05-22 12:33:29 -04:00
Matthew Brown
5910a362ea Improve report output of taint analysis 2019-10-19 17:59:10 -04:00
Brown
b29227aaf6 Allow taints to be removed via annotation 2019-10-15 16:25:27 -04:00
Brown
5e649f684c Fix erroneous return type resolution 2019-10-14 17:10:30 -04:00
Matthew Brown
8c6b234c2c Improve speed of taint analysis 2019-10-13 20:10:31 -04:00
Matthew Brown
7e2d00d6ed Allow taints to be added to root array types 2019-10-12 12:23:40 -04:00
Matthew Brown
4478d31593 Taint arrays in creation 2019-10-11 23:28:17 -04:00
Brown
3001eb9d34 Move taint location to end 2019-08-21 09:53:00 -04:00
Brown
9696fb8dce Follow taint to source when reporting 2019-08-20 17:38:15 -04:00
Brown
e92896f145 Fix taint records 2019-08-14 09:52:59 -04:00
Matthew Brown
600999a3a8 Add better typing 2019-08-14 00:47:57 -04:00
Brown
c3949e3194 Improve taint protection for exec-related commands 2019-08-13 19:18:50 -04:00
Matthew Brown
d5b026839c Add support for different taint types ref #1990 2019-08-12 23:16:05 -04:00
Brown
14b37b95af Fix potential recursion 2019-08-06 17:29:44 -04:00
Brown
37d93141c4 Only register taints on known magic properties 2019-08-06 13:05:34 -04:00
Brown
17753865f3 Add detection to mixed params 2019-08-06 10:33:21 -04:00
Matthew Brown
8f6d432dd0 Add support for magic property comprehension 2019-08-05 23:19:22 -04:00
Brown
6eb62591ab Specialise calls when functions are pure 2019-08-05 18:33:33 -04:00
Brown
87bf907c1e Fix echo checks 2019-08-05 10:21:23 -04:00
Matthew Brown
b2c0993cdc Add framework for taint analysis to Psalm
Ref #611
2019-08-04 10:37:36 -04:00