getTestName(); if (strpos($test_name, 'SKIPPED-') !== false) { $this->markTestSkipped('Skipped due to a bug.'); } $file_path = self::$src_dir_path . 'somefile.php'; $this->addFile( $file_path, $code ); $this->project_analyzer->trackTaintedInputs(); $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); $this->analyzeFile($file_path, new Context(), false); } /** * @dataProvider providerInvalidCodeParse */ public function testInvalidCode(string $code, string $error_message): void { if (strpos($this->getTestName(), 'SKIPPED-') !== false) { $this->markTestSkipped(); } $this->expectException(CodeException::class); $this->expectExceptionMessageMatches('/\b' . preg_quote($error_message, '/') . '\b/'); $file_path = self::$src_dir_path . 'somefile.php'; $this->addFile( $file_path, $code ); $this->project_analyzer->trackTaintedInputs(); $this->analyzeFile($file_path, new Context(), false); } /** * @return array */ public function providerValidCodeParse(): array { return [ 'taintedInputInCreatedArrayNotEchoed' => [ ' $name, "id" => $id]; echo "

" . htmlentities($data["name"], \ENT_QUOTES) . "

"; echo "

" . $data["id"] . "

";' ], 'taintedInputInAssignedArrayNotEchoed' => [ '" . htmlentities($data["name"], \ENT_QUOTES) . ""; echo "

" . $data["id"] . "

";' ], 'taintedInputDirectlySuppressed' => [ 'exec("delete from users where user_id = " . $userId); } }' ], 'taintedInputDirectlySuppressedWithOtherUse' => [ 'exec("delete from users where user_id = " . $userId); } public function deleteUserSafer(PDOWrapper $pdo) : void { $userId = $this->getSafeId(); $pdo->exec("delete from users where user_id = " . $userId); } public function getSafeId() : string { return "5"; } } class PDOWrapper { /** * @psalm-taint-sink sql $sql */ public function exec(string $sql) : void {} }' ], 'taintedInputToParamButSafe' => [ 'deleteUser( $pdo, $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public function deleteUser(PDO $pdo, string $userId) : void { $userId2 = strlen($userId); $pdo->exec("delete from users where user_id = " . $userId2); } }' ], 'ValidatedInputFromParam' => [ 'getUserId(); validateUserId($userId); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }' ], 'untaintedInputAfterIntCast' => [ 'getUserId(); } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } }' ], 'specializedCoreFunctionCall' => [ ' [ ' [ ' [ ' [ ' [ ' [ ' [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }' ], 'taintOnPregReplaceCallRemovedInFunction' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }' ], 'taintOnStrReplaceCallRemovedInline' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { /** * @psalm-taint-escape html * @psalm-taint-escape has_quotes */ $a = str_replace("foo", "bar", $o->s); echo $a; } }' ], 'NoTaintsOnSimilarPureCall' => [ 's = $s; } } class O2 { public string $t; public function __construct() { $this->t = (string) $_GET["FOO"]; } } class V1 { public function foo() : void { $o = new O1((string) $_GET["FOO"]); echo U::escape(U::shorten($o->s)); } } class V2 { public function foo(O2 $o) : void { echo U::shorten(U::escape($o->t)); } }' ], 'taintPropertyPassingObjectWithDifferentValue' => [ 'id = $userId; } } class UserUpdater { public static function doDelete(PDO $pdo, User $user) : void { self::deleteUser($pdo, $user->name); } public static function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } } $userObj = new User((string) $_GET["user_id"]); UserUpdater::doDelete(new PDO(), $userObj);' ], 'taintPropertyWithoutPassingObject' => [ 'id = $userId; } public function setId(string $userId) : void { $this->id = $userId; } } function echoId(User $u2) : void { echo $u2->id; } $u = new User("5"); echoId($u); $u->setId($_GET["user_id"]);', ], 'specializeStaticMethod' => [ ' [ ' $_GET["name"], "b" => "foo"]; foreach ($a as $m) { echo $m["b"]; }' ], 'taintFreeNestedArrayWithOffsetAccessedExplicitly' => [ ' $_GET["name"], "b" => "foo"]; echo $a[0]["b"];', ], 'intUntainted' => [ ' [ 'x = $x; } } $a = new StringHolder("a"); $b = new StringHolder($_GET["x"]); echo $a->x;' ], 'dontTaintSpecializedCallsForAnonymousInstance' => [ 'render($_GET["untrusted"]); echo (new StringRenderer())->render("a");' ], 'dontTaintSpecializedCallsForStubMadeInstance' => [ 'render($_GET["untrusted"]); echo stub()->render("a");' ], 'suppressTaintedInput' => [ ' [ ' [ ' [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A { public function __construct($taint) {} } $b = new B($_GET["bar"]); echo $b->getTaint();' ], 'immutableClassTrackInputThroughMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } $b = new A($_GET["bar"]); $a = new A("bar"); echo $a->getTaint();', ], 'literalStringCannotCarryTaint' => [ ' [ ' [ ' [ ' [ ' [ ' $_) { echo $key; } } takesArray(["good" => $_GET["bad"]]);' ], 'resultOfComparisonIsNotTainted' => [ ' [ ' [ ' [ ' */ public function providerInvalidCodeParse(): array { return [ 'taintedInputFromMethodReturnTypeSimple' => [ 'getUserId(); } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputFromFunctionReturnType' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:6:26 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:3:32) -> coalesce (src' . DIRECTORY_SEPARATOR . 'somefile.php:3:32) -> getName (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:42) -> call to echo (src' . DIRECTORY_SEPARATOR . 'somefile.php:6:26) -> echo#1', ], 'taintedInputFromExplicitTaintSource' => [ ' 'TaintedHtml', ], 'taintedInputFromExplicitTaintSourceStaticMethod' => [ ' 'TaintedHtml', ], 'taintedInputFromGetArray' => [ ' 'TaintedHtml', ], 'taintedInputFromReturnToInclude' => [ ' 'TaintedInclude', ], 'taintedInputFromReturnToEval' => [ ' 'TaintedEval', ], 'taintedInputFromReturnTypeToEcho' => [ 'getUserId(); } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); echo $userId; } }', 'error_message' => 'TaintedHtml', ], 'taintedInputInCreatedArrayIsEchoed' => [ ' $name]; echo "

" . $data["name"] . "

";', 'error_message' => 'TaintedHtml', ], 'testTaintedInputInAssignedArrayIsEchoed' => [ '" . $data["name"] . "";', 'error_message' => 'TaintedHtml', ], 'taintedInputDirectly' => [ 'exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputFromReturnTypeWithBranch' => [ 'getUserId(); if (rand(0, 1)) { $userId .= "aaa"; } else { $userId .= "bb"; } return $userId; } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'sinkAnnotation' => [ 'getUserId(); } public function deleteUser(PDOWrapper $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } } class PDOWrapper { /** * @psalm-taint-sink sql $sql */ public function exec(string $sql) : void {} }', 'error_message' => 'TaintedSql', ], 'taintedInputFromParam' => [ 'getUserId(); } public function doDelete(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql - src' . DIRECTORY_SEPARATOR . 'somefile.php:17:40 - Detected tainted SQL in path: $_GET -> $_GET[\'user_id\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:4:45) -> A::getUserId (src' . DIRECTORY_SEPARATOR . 'somefile.php:3:55) -> concat (src' . DIRECTORY_SEPARATOR . 'somefile.php:8:36) -> A::getAppendedUserId (src' . DIRECTORY_SEPARATOR . 'somefile.php:7:63) -> $userId (src' . DIRECTORY_SEPARATOR . 'somefile.php:12:29) -> call to A::deleteUser (src' . DIRECTORY_SEPARATOR . 'somefile.php:13:53) -> $userId (src' . DIRECTORY_SEPARATOR . 'somefile.php:16:69) -> call to PDO::exec (src' . DIRECTORY_SEPARATOR . 'somefile.php:17:40) -> PDO::exec#1', ], 'taintedInputToParam' => [ 'deleteUser( $pdo, $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputToParamAfterAssignment' => [ 'deleteUser( $pdo, $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public function deleteUser(PDO $pdo, string $userId) : void { $userId2 = $userId; $pdo->exec("delete from users where user_id = " . $userId2); } }', 'error_message' => 'TaintedSql', ], 'taintedInputToParamAlternatePath' => [ 'deleteUser( $pdo, self::doFoo(), $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public static function doFoo() : string { return "hello"; } public function deleteUser(PDO $pdo, string $userId, string $userId2) : void { $pdo->exec("delete from users where user_id = " . $userId); if (rand(0, 1)) { $pdo->exec("delete from users where user_id = " . $userId2); } } }', 'error_message' => 'TaintedSql - src' . DIRECTORY_SEPARATOR . 'somefile.php:23:44 - Detected tainted SQL in path: $_GET -> $_GET[\'user_id\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:7:67) -> call to A::getAppendedUserId (src' . DIRECTORY_SEPARATOR . 'somefile.php:7:58) -> $user_id (src' . DIRECTORY_SEPARATOR . 'somefile.php:11:66) -> concat (src' . DIRECTORY_SEPARATOR . 'somefile.php:12:36) -> A::getAppendedUserId (src' . DIRECTORY_SEPARATOR . 'somefile.php:11:78) -> call to A::deleteUser (src' . DIRECTORY_SEPARATOR . 'somefile.php:7:33) -> $userId2 (src' . DIRECTORY_SEPARATOR . 'somefile.php:19:85) -> call to PDO::exec (src' . DIRECTORY_SEPARATOR . 'somefile.php:23:44) -> PDO::exec#1', ], 'taintedInParentLoader' => [ 'exec("select * from foo where bar = " . $sink); } } class AGrandChild extends AChild {} class C { public function foo(string $user_id) : void { AGrandChild::loadFull($user_id); } } (new C)->foo((string) $_GET["user_id"]);', 'error_message' => 'TaintedSql - src' . DIRECTORY_SEPARATOR . 'somefile.php:16:44 - Detected tainted SQL in path: $_GET -> $_GET[\'user_id\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:28:43) -> call to C::foo (src' . DIRECTORY_SEPARATOR . 'somefile.php:28:34) -> $user_id (src' . DIRECTORY_SEPARATOR . 'somefile.php:23:52) -> call to AGrandChild::loadFull (src' . DIRECTORY_SEPARATOR . 'somefile.php:24:51) -> AGrandChild::loadFull#1 (src' . DIRECTORY_SEPARATOR . 'somefile.php:5:64) -> A::loadFull#1 (src' . DIRECTORY_SEPARATOR . 'somefile.php:24:51) -> $sink (src' . DIRECTORY_SEPARATOR . 'somefile.php:5:64) -> call to A::loadPartial (src' . DIRECTORY_SEPARATOR . 'somefile.php:6:49) -> A::loadPartial#1 (src' . DIRECTORY_SEPARATOR . 'somefile.php:3:76) -> AChild::loadPartial#1 (src' . DIRECTORY_SEPARATOR . 'somefile.php:6:49) -> $sink (src' . DIRECTORY_SEPARATOR . 'somefile.php:15:67) -> call to PDO::exec (src' . DIRECTORY_SEPARATOR . 'somefile.php:16:44) -> PDO::exec#1', ], 'taintedInputFromProperty' => [ 'userId = (string) $_GET["user_id"]; } public function getAppendedUserId() : string { return "aaaa" . $this->userId; } public function doDelete(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputFromPropertyViaMixin' => [ 'userId = (string) $_GET["user_id"]; } } /** @mixin A */ class B { private A $a; public function __construct(A $a) { $this->a = $a; } public function __get(string $name) { return $this->a->$name; } } class C { private B $b; public function __construct(B $b) { $this->b = $b; } public function getAppendedUserId() : string { return "aaaa" . $this->b->userId; } public function doDelete(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputViaStaticFunction' => [ ' 'TaintedHtml', ], 'taintedInputViaPureStaticFunction' => [ ' 'TaintedHtml', ], 'untaintedInputViaStaticFunctionWithoutSafePath' => [ ' 'TaintedHtml', ], 'taintedInputFromMagicProperty' => [ ' */ private $vars = []; public function __get(string $s) : string { return $this->vars[$s]; } public function __set(string $s, string $t) { $this->vars[$s] = $t; } } function getAppendedUserId() : void { $a = new A(); $a->userId = (string) $_GET["user_id"]; echo $a->userId; }', 'error_message' => 'TaintedHtml', ], 'taintOverMixed' => [ ' 'TaintedHtml', ], 'taintStrConversion' => [ ' 'TaintedHtml', ], 'taintIntoExec' => [ ' 'TaintedShell', ], 'taintIntoExecMultipleConcat' => [ ' 'TaintedShell', ], 'taintIntoNestedArrayUnnestedSeparately' => [ ' 'TaintedShell', ], 'taintIntoArrayAndThenOutAgain' => [ ' 'TaintedShell', ], 'taintAppendedToArray' => [ ' 'TaintedShell', ], 'taintOnSubstrCall' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }', 'error_message' => 'TaintedHtml', ], 'taintOnStrReplaceCallSimple' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }', 'error_message' => 'TaintedHtml', ], 'taintOnPregReplaceCall' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }', 'error_message' => 'TaintedHtml', ], 'IndirectGetAssignment' => [ 'name = $name; } /** * @psalm-specialize-call */ public function getArg(string $method, string $type) { $arg = null; switch ($method) { case "post": if (isset($_POST[$this->name])) { $arg = $_POST[$this->name]; } break; case "get": if (isset($_GET[$this->name])) { $arg = $_GET[$this->name]; } break; } return $this->filterInput($type, $arg); } protected function filterInput(string $type, $arg) { // input is null if ($arg === null) { return null; } // set to null if sanitize clears arg if ($arg === "") { $arg = null; } // type casting if ($arg !== null) { $arg = $this->typeCastInput($type, $arg); } return $arg; } protected function typeCastInput(string $type, $arg) { if ($type === "string") { return (string) $arg; } return null; } } echo (new InputFilter("hello"))->getArg("get", "string");', 'error_message' => 'TaintedHtml', ], 'taintPropertyPassingObject' => [ 'id = $userId; } } class UserUpdater { public static function doDelete(PDO $pdo, User $user) : void { self::deleteUser($pdo, $user->id); } public static function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } } $userObj = new User((string) $_GET["user_id"]); UserUpdater::doDelete(new PDO(), $userObj);', 'error_message' => 'TaintedSql', ], 'taintPropertyPassingObjectSettingValueLater' => [ 'id = $userId; } public function setId(string $userId) : void { $this->id = $userId; } } function echoId(User $u2) : void { echo $u2->id; } $u = new User("5"); $u->setId($_GET["user_id"]); echoId($u);', 'error_message' => 'TaintedHtml', ], 'ImplodeExplode' => [ ' 'TaintedHtml', ], 'ImplodeIndirect' => [ ' 'TaintedHtml', ], 'taintThroughPregReplaceCallback' => [ ' 'TaintedHtml', ], 'taintedFunctionWithNoTypes' => [ ' 'TaintedHtml', ], 'taintedStaticCallWithNoTypes' => [ ' 'TaintedHtml', ], 'taintedInstanceCallWithNoTypes' => [ 'rawinput();', 'error_message' => 'TaintedHtml', ], 'taintStringObtainedUsingStrval' => [ ' 'TaintedHtml', ], 'taintStringObtainedUsingSprintf' => [ ' 'TaintedHtml', ], 'encapsulatedString' => [ ' 'TaintedHtml', ], 'encapsulatedToStringMagic' => [ ' 'TaintedHtml', ], 'castToStringMagic' => [ ' 'TaintedHtml', ], 'castToStringViaArgument' => [ ' 'TaintedHtml', ], 'toStringTaintInSubclass' => [ ' 'TaintedHtml', ], 'implicitToStringMagic' => [ ' 'TaintedHtml', ], 'namespacedFunction' => [ ' 'TaintedHtml', ], 'print' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:2:27 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:27) -> call to print (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:27) -> print#1', ], 'printf' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:2:28 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:28) -> call to printf (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:28) -> printf#1', ], 'print_r' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:2:29 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:29) -> call to print_r (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:29) -> print_r#1', ], 'var_dump' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:2:30 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:30) -> call to var_dump (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:30) -> var_dump#1', ], 'var_export' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:2:32 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:32) -> call to var_export (src' . DIRECTORY_SEPARATOR . 'somefile.php:2:32) -> var_export#1', ], 'unpackArgs' => [ ' 'TaintedHtml', ], 'foreachArg' => [ ' 'TaintedHtml', ], 'magicPropertyType' => [ 'params[$a]; } public function __set(string $a, $value) { $this->params[$a] = $value; } } $m = new Magic(); $m->taint = $_GET["input"]; echo $m->taint;', 'error_message' => 'TaintedHtml', ], 'taintNestedArrayWithOffsetAccessedInForeach' => [ ' $_GET["name"], "b" => "foo"]; foreach ($a as $m) { echo $m["a"]; }', 'error_message' => 'TaintedHtml', ], 'taintNestedArrayWithOffsetAccessedExplicitly' => [ ' $_GET["name"], "b" => "foo"]; echo $a[0]["a"];', 'error_message' => 'TaintedHtml', ], 'taintThroughArrayMapExplicitClosure' => [ ' 'TaintedHtml', ], 'taintThroughArrayMapExplicitTypedClosure' => [ ' 'TaintedHtml', ], 'taintThroughArrayMapExplicitArrowFunction' => [ ' trim($str), $_GET); echo $get["test"];', 'error_message' => 'TaintedHtml', ], 'taintThroughArrayMapImplicitFunctionCall' => [ ' $_GET["name"]]; $get = array_map("trim", $a); echo $get["test"];', 'error_message' => 'TaintedHtml', ], 'taintFilterVarCallback' => [ ' "trim"]); echo $get["test"];', 'error_message' => 'TaintedHtml', ], 'taintAfterReconciledType' => [ ' 'TaintedHtml', ], 'taintExit' => [ ' 'TaintedHtml', ], 'taintSpecializedMethod' => [ 'isUnsafe();', 'error_message' => 'TaintedHtml', ], 'taintSpecializedMethodForAnonymousInstance' => [ 'isUnsafe();', 'error_message' => 'TaintedHtml', ], 'taintSpecializedMethodForStubMadeInstance' => [ 'isUnsafe();', 'error_message' => 'TaintedHtml', ], 'doTaintSpecializedInstanceProperty' => [ 'x = $x; } } $b = new StringHolder($_GET["x"]); echo $b->x;', 'error_message' => 'TaintedHtml', ], 'taintUnserialize' => [ ' 'TaintedUnserialize', ], 'taintCreateFunction' => [ ' 'TaintedEval', ], 'taintException' => [ ' 'TaintedHtml', ], 'taintError' => [ 'getTraceAsString()}\n"; }', 'error_message' => 'TaintedHtml', ], 'taintThrowable' => [ ' 'TaintedHtml', ], 'taintReturnedArray' => [ ' 'TaintedHtml', ], 'taintFlow' => [ ' return */ function some_stub(string $r): string {} $r = $_GET["untrusted"]; echo some_stub($r);', 'error_message' => 'TaintedHtml', ], 'taintFlowProxy' => [ ' 'TaintedCallable', ], 'taintFlowProxyAndReturn' => [ ' return */ function some_stub(string $r): string {} $r = $_GET["untrusted"]; echo some_stub($r);', 'error_message' => 'TaintedHtml', ], 'taintFlowMethodProxyAndReturn' => [ ' return */ function some_stub(string $r): string {} $r = $_GET["untrusted"]; echo some_stub($r);', 'error_message' => 'TaintedHtml', ], 'taintPopen' => [ ' 'TaintedShell', ], 'taintProcOpen' => [ ' 'TaintedShell', ], 'taintedCurlInit' => [ ' 'TaintedSSRF', ], 'taintedCurlSetOpt' => [ ' 'TaintedSSRF', ], 'taintThroughChildConstructorWithoutMethodOverride' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A {} $b = new B($_GET["bar"]); echo $b->getTaint();', 'error_message' => 'TaintedHtml', ], 'taintThroughChildConstructorCallingParentMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A {} class C extends B {} $c = new C($_GET["bar"]); function foo(B $b) { echo $b->getTaint(); }', 'error_message' => 'TaintedHtml', ], 'taintThroughChildConstructorCallingGrandParentMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A {} class C extends B {} $c = new C($_GET["bar"]); function foo(A $a) { echo $a->getTaint(); }', 'error_message' => 'TaintedHtml', ], 'taintThroughChildConstructorWhenMethodOverriddenWithParentConstructorCall' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A { public function __construct($taint) { parent::__construct($taint); } } $b = new B($_GET["bar"]); echo $b->getTaint();', 'error_message' => 'TaintedHtml', ], 'taintedLdapSearch' => [ ' 'TaintedLdap', ], 'taintedFile' => [ ' 'TaintedFile', ], 'taintedHeader' => [ ' 'TaintedHeader', ], 'taintedCookie' => [ ' 'TaintedCookie', ], 'variadicTaintPropagation' => [ ' return */ function variadic_test(string $format, ...$args) : string { } echo variadic_test(\'\', \'\', $_GET[\'taint\'], \'\');', 'error_message' => 'TaintedHtml' ], 'potentialTaintThroughChildClassSettingProperty' => [ 'taint; } } class B extends A { public function __construct(string $taint) { $this->taint = $taint; } } $b = new B($_GET["bar"]); echo $b->getTaint();', 'error_message' => 'TaintedHtml', ], 'immutableClassTrackInputThroughMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } $a = new A($_GET["bar"]); echo $a->getTaint();', 'error_message' => 'TaintedHtml', ], 'strTrReturnTypeTaint' => [ ' 'TaintedCookie', ], 'conditionallyEscapedTaintPassedFalse' => [ ' 'TaintedHtml', ], 'suppressOneCatchAnother' => [ ' 'TaintedHtml', ], 'taintSpecializedTwice' => [ ' 'TaintedHtml', ], 'conditionallyEscapedTaintsAll' => [ ' 'TaintedHtml', ], 'psalmFlowOnInstanceMethod' => [ ' return */ public function esc_like($text) {} /** * @param string $query * @return int|bool * * @psalm-taint-sink sql $query */ public function query($query){} } $wdb = new Wdb(); $order = $wdb->esc_like($_GET["order"]); $res = $wdb->query("SELECT blah FROM tablea ORDER BY ". $order. " DESC");', 'error_message' => 'TaintedSql', ], 'psalmFlowOnStaticMethod' => [ ' return */ public static function esc_like($text) {} /** * @param string $query * @return int|bool * * @psalm-taint-sink sql $query */ public static function query($query){} } $order = Wdb::esc_like($_GET["order"]); $res = Wdb::query("SELECT blah FROM tablea ORDER BY ". $order. " DESC");', 'error_message' => 'TaintedSql', ], 'keysAreTainted' => [ ' $_) { echo $key; } } takesArray([$_GET["bad"] => "good"]);', 'error_message' => 'TaintedHtml', ], 'resultOfPlusIsTaintedOnArrays' => [ ' 'TaintedHtml', ], 'taintArrayKeyWithExplicitSink' => [ ' "foo"]);', 'error_message' => 'TaintedHtml', ], 'taintThroughReset' => [ ' 'TaintedHtml', ], 'shellExecBacktick' => [ ' 'TaintedShell', ], /* // TODO: Stubs do not support this type of inference even with $this->message = $message. // Most uses of getMessage() would be with caught exceptions, so this is not representative of real code. 'taintException' => [ 'getMessage();', 'error_message' => 'TaintedHtml', ], */ 'castToArrayPassTaints' => [ ' 'TaintedSql', ], 'taintSinkWithComments' => [ ' 'TaintedHtml', ], 'taintEscapedInTryMightNotWork' => [ ' 'TaintedHtml', ], ]; } /** * @param string $code * @param list $expectedIssuesTypes * @test * @dataProvider multipleTaintIssuesAreDetectedDataProvider */ public function multipleTaintIssuesAreDetected(string $code, array $expectedIssuesTypes): void { if (strpos($this->getTestName(), 'SKIPPED-') !== false) { $this->markTestSkipped(); } // disables issue exceptions - we need all, not just the first $this->testConfig->throw_exception = false; $filePath = self::$src_dir_path . 'somefile.php'; $this->addFile($filePath, $code); $this->project_analyzer->trackTaintedInputs(); $this->analyzeFile($filePath, new Context(), false); $actualIssueTypes = array_map( function (IssueData $issue): string { return $issue->type . '{ ' . trim($issue->snippet) . ' }'; }, IssueBuffer::getIssuesDataForFile($filePath) ); self::assertSame($expectedIssuesTypes, $actualIssueTypes); } /** * @return array}> */ public function multipleTaintIssuesAreDetectedDataProvider(): array { return [ 'taintSinkFlow' => [ ' return * @psalm-taint-sink html $value */ function process(string $value): string {} $data = process((string)($_GET["inject"] ?? "")); exec($data); ', 'expectedIssueTypes' => [ 'TaintedHtml{ function process(string $value): string {} }', 'TaintedShell{ exec($data); }', ], ], 'taintSinkCascade' => [ ' [ 'TaintedHtml{ echo $value; }', 'TaintedTextWithQuotes{ echo $value; }', 'TaintedShell{ exec($value); }', 'TaintedFile{ file_get_contents($value); }', ], ], 'taintedIncludes' => [ ' [ 'TaintedInclude{ require $first; }', 'TaintedInclude{ require $second; }', ], ], ]; } }