mirror of https://github.com/danog/psalm.git synced 2025-01-10 15:09:04 +01:00
Commit Graph

155 Commits

Author SHA1 Message Date
cgocast
84e7423175 Detect DoS by sleep vimeo#10178 2023-09-06 15:58:08 +02:00
cgocast
5545873f44 Fix tests 2023-08-31 05:44:57 +02:00
cgocast
c16216bc42 Xpath injection #10162 2023-08-30 18:56:10 +02:00
cgocast
c8b47b17bf Fix typo 2023-08-26 21:54:26 +02:00
cgocast
72c9bf8575 New sinks for TaintedCallable #10117 2023-08-26 19:29:00 +02:00
Mark McEver
b5781c34e8 Fixed a case where the conditional taint, specialize, & flow features were not playing nicely together 2023-02-01 15:41:52 -06:00
Mark McEver
53c3f1ebb3 Prevent other DB escaping functions from escaping non-sql taints 2022-12-28 14:19:01 -06:00
Mark McEver
69f31dcd4a Prevent mysqli escaping functions from escaping non-sql taints 2022-12-28 13:39:01 -06:00
Jack Worman
1c19260cdd Require trailing commas 2022-12-18 13:20:31 -06:00
Jack Worman
643542346b Add codesniffer rules and expand php-cs-fixer to bin and test 2022-12-14 13:29:09 -06:00
Mark McEver
9764803c55 Allowed taints to pass through urlencode() 2022-12-05 17:25:36 -06:00
Matthew Brown
8d36bdc3ed
Make array shapes strict by default (#8701)
* Make array shapes strict by default

* Fix PSL tests
2022-11-11 20:14:21 -05:00
1986c8b4a8
Add support for strict arrays, fix type alias intersection, fix array_is_list assertion on non-lists (#8395)
* Immutable CodeLocation

* Remove excess clones

* Remove external clones

* Remove leftover clones

* Fix final clone issue

* Immutable storages

* Refactoring

* Fixes

* Fixes

* Fix

* Fix

* Fixes

* Simplify

* Fixes

* Fix

* Fixes

* Update

* Fix

* Cache global types

* Fix

* Update

* Update

* Fixes

* Fixes

* Refactor

* Fixes

* Fix

* Fix

* More caching

* Fix

* Fix

* Update

* Update

* Fix

* Fixes

* Update

* Refactor

* Update

* Fixes

* Break one more test

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Improve performance and readability

* Equivalent logic

* Fixes

* Revert

* Revert "Revert"

This reverts commit f9175100c8452c80559234200663fd4c4f4dd889.

* Fix

* Fix reference bug

* Make default TypeVisitor immutable

* Bugfix

* Remove clones

* Partial refactoring

* Refactoring

* Fixes

* Fix

* Fixes

* Fixes

* cs-fix

* Fix final bugs

* Add test

* Misc fixes

* Update

* Fixes

* Experiment with removing different property

* revert "Experiment with removing different property"

This reverts commit ac1156e077fc4ea633530d51096d27b6e88bfdf9.

* Uniform naming

* Uniform naming

* Hack hotfix

* Clean up $_FILES ref #8621

* Undo hack, try fixing properly

* Helper method

* Remove redundant call

* Partially fix bugs

* Cleanup

* Change defaults

* Fix bug

* Fix (?, hope this doesn't break anything else)

* cs-fix

* Review fixes

* Bugfix

* Bugfix

* Improve logic

* Add support for list{} and callable-list{} types, properly implement array_is_list assertions (fixes #8389)

* Default to sealed arrays

* Fix array_merge bug

* Fixes

* Fix

* Sealed type checks

* Properly infer properties-of and get_object_vars on final classes

* Fix array_map zipping

* Fix tests

* Fixes

* Fixes

* Fix more stuff

* Recursively resolve type aliases

* Fix typo

* Fixes

* Fix array_is_list assertion on keyed array

* Add BC docs

* Fixes

* fix

* Update

* Update

* Update

* Update

* Seal arrays with count assertions

* Fix #8528

* Fix

* Update

* Improve sealed array foreach logic

* get_object_vars on template properties

* Fix sealed array assertion reconciler logic

* Improved reconciler

* Add tests

* Single source of truth for test types

* Fix tests

* Fixup tests

* Fixup tests

* Fixup tests

* Update

* Fix tests

* Fix tests

* Final fixes

* Fixes

* Use list syntax only when needed

* Fix tests

* Cs-fix

* Update docs

* Update docs

* Update docs

* Update docs

* Update docs

* Document missing types

* Update docs

* Improve class-string-map docs

* Update

* Update

* I love working on psalm :)

* Keep arrays unsealed by default

* Fixup tests

* Fix syntax mistake

* cs-fix

* Fix typo

* Re-import missing types

* Keep strict types only in return types

* argc/argv fixes

* argc/argv fixes

* Fix test

* Comment-out valinor code, pinging @romm pls merge https://github.com/CuyZ/Valinor/pull/246 so we can add valinor to the psalm docs :)
2022-11-05 22:34:42 +01:00
15f5c593a7 Fix 2022-10-17 12:40:50 +02:00
748a74bb2c Merge remote-tracking branch 'origin/4.x' into HEAD 2022-10-16 13:41:27 +02:00
kkmuffme
5c39e66b15 fix tests 2022-09-15 19:38:51 +02:00
Matt Brown
8c716f8be7 Support taints in new $_GET["a"] calls 2022-07-15 22:17:59 -04:00
Matt Brown
e6c444410c Remove debug code 2022-06-23 18:03:33 -04:00
Matt Brown
15387d19cd Track taints in static properties 2022-06-23 16:43:42 -04:00
Matt Brown
6fa0da9e37 Fix minor taint analysis bug with nested array assignment 2022-06-21 12:42:32 -04:00
Mark McEver
828b093964 Prevent unnecessary filter_var() warnings on primitive types 2022-02-15 14:13:44 -06:00
orklah
5aa06ae64e fix merge issues 2022-02-14 00:12:31 +01:00
orklah
1142c818c2 Merge remote-tracking branch 'upstream/4.x' into upstream-master9 2022-02-14 00:10:28 +01:00
AndrolGenhald
7b1599d783 Fix false positive for unused variable in try (fixes #7613). 2022-02-13 15:14:59 -06:00
orklah
af1888b631 Merge remote-tracking branch 'upstream/4.x' into upstream-master4 2022-01-22 17:48:42 +01:00
orklah
52a7f0694e drop compatibility aliases 2022-01-19 19:29:16 +01:00
Matthew Brown
f439d6550b
Ensure that all entries in test arrays have explicit keys (#7386)
* Transformation that updates assertions

* Simplify transformation

* Ensure that all tests have keys

* Fix a few remaining keys
2022-01-13 13:49:37 -05:00
Bruce Weirdan
8726065d21
Applied ClosureToArrowFunctionRector 2022-01-06 00:48:04 +02:00
rarila
97e6511fab Set number of lines before and after namespace. 2021-12-15 04:58:32 +01:00
ralila
2a956498bf Import instead of using fqn functions 2021-12-03 21:07:25 +01:00
ralila
711be643c6 Import instead of using fqn exceptions 2021-12-03 20:29:06 +01:00
orklah
3bc06a8eab Taint can't transmit through numerics nor bool 2021-11-25 22:40:01 +01:00
orklah
39dc7608ef ignore comments after taint-sink 2021-11-07 10:29:08 +01:00
orklah
3322801903 ignore comments after taint-sink 2021-11-07 10:17:25 +01:00
orklah
cd74f665dc
Merge pull request #6813 from orklah/intTaint
don't register taints for numeric variables
2021-11-04 15:30:52 +01:00
orklah
e6dccaa07c
Merge pull request #6809 from orklah/binaryOpTaint
don't taint the result of most binary operations
2021-11-04 13:18:07 +01:00
orklah
bf993452a8
Merge pull request #6810 from orklah/castArrayTaints
Array cast pass taints
2021-11-04 13:17:20 +01:00
orklah
9fb74a4f28 exclude Plus on arrays too 2021-11-04 00:30:09 +01:00
orklah
3b01713257 don't taint the result of most binary operations 2021-11-04 00:30:09 +01:00
orklah
24137bdbad Array cast pass taints 2021-11-04 00:29:36 +01:00
orklah
eca530d792 don't register taints for numeric variables 2021-11-04 00:29:07 +01:00
orklah
fbe305e5bb detect taint in backticks 2021-11-04 00:28:40 +01:00
orklah
9d9dba156c
Merge pull request #6538 from orklah/taint-windows
enable test on taint
2021-09-27 20:37:27 +02:00
orklah
caf4d57438 enable test on taint 2021-09-27 20:16:50 +02:00
Mark McEver
79340b4a6f Prevent unnecessary filter_var() warnings 2021-09-27 18:46:01 +01:00
Mark McEver
76dade477d Prevent unnecessary filter_var() warning 2021-09-27 18:34:58 +01:00
Matt Brown
667dcc2e49 No false-positives for tainting through array keys 2021-06-29 17:05:39 -04:00
Oliver Hader
38d3b15f8d
[BUGFIX] Specialize TaintSink in IncludeAnalyzer (#5986)
* [TEST] Assert more details in TaintTest

* [TEST] Add test for multiple tainted includes

* [BUGFIX] Specialize TaintSink in IncludeAnalyzer

Fixes: #5986
2021-06-23 08:27:03 -04:00
Matt Brown
47bf5ed567 Fix #5918 - add new issue to detect unquoted strings 2021-06-10 17:43:04 -04:00
Bruce Weirdan
6abce3525a
Enforce use sort (#5900) 2021-06-07 22:55:21 -04:00