mirror of
https://github.com/danog/psalm.git
synced 2024-12-11 08:49:52 +01:00
1094 lines
32 KiB
PHP
1094 lines
32 KiB
PHP
<?php
|
|
namespace Psalm\Tests;
|
|
|
|
use Psalm\Config;
|
|
use Psalm\Context;
|
|
|
|
class TaintTest extends TestCase
|
|
{
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputFromReturnType()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId() : string {
|
|
return (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
return "aaaa" . $this->getUserId();
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputFromReturnTypeToEcho()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId() : string {
|
|
return (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
return "aaaa" . $this->getUserId();
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
echo $userId;
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputDirectly()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function deleteUser(PDO $pdo) : void {
|
|
$userId = (string) $_GET["user_id"];
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputDirectlySuppressed()
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
/** @psalm-suppress TaintedInput */
|
|
public function deleteUser(PDO $pdo) : void {
|
|
$userId = (string) $_GET["user_id"];
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputDirectlySuppressedWithOtherUse()
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
/** @psalm-suppress TaintedInput */
|
|
public function deleteUser(PDOWrapper $pdo) : void {
|
|
$userId = (string) $_GET["user_id"];
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
|
|
public function deleteUserSafer(PDOWrapper $pdo) : void {
|
|
$userId = $this->getSafeId();
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
|
|
public function getSafeId() : string {
|
|
return "5";
|
|
}
|
|
}
|
|
|
|
class PDOWrapper {
|
|
/**
|
|
* @psalm-taint-sink $sql
|
|
*/
|
|
public function exec(string $sql) : void {}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputFromReturnTypeWithBranch()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId() : string {
|
|
return (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
$userId = $this->getUserId();
|
|
|
|
if (rand(0, 1)) {
|
|
$userId .= "aaa";
|
|
} else {
|
|
$userId .= "bb";
|
|
}
|
|
|
|
return $userId;
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testSinkAnnotation()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId() : string {
|
|
return (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
return "aaaa" . $this->getUserId();
|
|
}
|
|
|
|
public function deleteUser(PDOWrapper $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}
|
|
|
|
class PDOWrapper {
|
|
/**
|
|
* @psalm-taint-sink $sql
|
|
*/
|
|
public function exec(string $sql) : void {}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputFromParam()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('path: $_GET (somefile.php:4:41) -> A::getUserId (somefile.php:3:37) -> A::getAppendedUserId (somefile.php:7:37) -> A::getAppendedUserId (somefile.php:12:42) -> A::deleteUser#2 (somefile.php:16:65) -> PDO::exec#1 (somefile.php:17:36)');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId() : string {
|
|
return (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
return "aaaa" . $this->getUserId();
|
|
}
|
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
$this->deleteUser($pdo, $userId);
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputToParam()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId(PDO $pdo) : void {
|
|
$this->deleteUser(
|
|
$pdo,
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
);
|
|
}
|
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
return "aaa" . $user_id;
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputToParamAfterAssignment()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId(PDO $pdo) : void {
|
|
$this->deleteUser(
|
|
$pdo,
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
);
|
|
}
|
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
return "aaa" . $user_id;
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
$userId2 = $userId;
|
|
$pdo->exec("delete from users where user_id = " . $userId2);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputToParamButSafe()
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId(PDO $pdo) : void {
|
|
$this->deleteUser(
|
|
$pdo,
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
);
|
|
}
|
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
return "aaa" . $user_id;
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
$userId2 = strlen($userId);
|
|
$pdo->exec("delete from users where user_id = " . $userId2);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputToParamAlternatePath()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput - somefile.php:23:40 - path: $_GET (somefile.php:7:63) -> A::getAppendedUserId#1 (somefile.php:7:54) -> A::getAppendedUserId (somefile.php:11:37) -> A::getAppendedUserId (somefile.php:7:36) -> A::deleteUser#3 (somefile.php:19:81) -> PDO::exec#1 (somefile.php:23:40)');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId(PDO $pdo) : void {
|
|
$this->deleteUser(
|
|
$pdo,
|
|
self::doFoo(),
|
|
$this->getAppendedUserId((string) $_GET["user_id"])
|
|
);
|
|
}
|
|
|
|
public function getAppendedUserId(string $user_id) : string {
|
|
return "aaa" . $user_id;
|
|
}
|
|
|
|
public static function doFoo() : string {
|
|
return "hello";
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId, string $userId2) : void {
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
|
|
if (rand(0, 1)) {
|
|
$pdo->exec("delete from users where user_id = " . $userId2);
|
|
}
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInParentLoader()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput - somefile.php:16:40 - path: $_GET (somefile.php:28:39) -> C::foo#1 (somefile.php:28:30) -> AGrandChild::loadFull#1 (somefile.php:24:47) -> AGrandChild::loadFull#1 (somefile.php:6:45) -> A::loadPartial#1 (somefile.php:16:40) -> PDO::exec#1 (somefile.php:16:40)');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
abstract class A {
|
|
abstract public static function loadPartial(string $sink) : void;
|
|
|
|
public static function loadFull(string $sink) : void {
|
|
static::loadPartial($sink);
|
|
}
|
|
}
|
|
|
|
function getPdo() : PDO {
|
|
return new PDO("connectionstring");
|
|
}
|
|
|
|
class AChild extends A {
|
|
public static function loadPartial(string $sink) : void {
|
|
getPdo()->exec("select * from foo where bar = " . $sink);
|
|
}
|
|
}
|
|
|
|
class AGrandChild extends AChild {}
|
|
|
|
class C {
|
|
public function foo(string $user_id) : void {
|
|
AGrandChild::loadFull($user_id);
|
|
}
|
|
}
|
|
|
|
(new C)->foo((string) $_GET["user_id"]);'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testValidatedInputFromParam()
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
/**
|
|
* @psalm-assert-untainted $userId
|
|
*/
|
|
function validateUserId(string $userId) : void {
|
|
if (!is_numeric($userId)) {
|
|
throw new \Exception("bad");
|
|
}
|
|
}
|
|
|
|
class A {
|
|
public function getUserId() : string {
|
|
return (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
$userId = $this->getUserId();
|
|
validateUserId($userId);
|
|
$this->deleteUser($pdo, $userId);
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testUntaintedInput()
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public function getUserId() : int {
|
|
return (int) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
return "aaaa" . $this->getUserId();
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputFromProperty()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class A {
|
|
public string $userId;
|
|
|
|
public function __construct() {
|
|
$this->userId = (string) $_GET["user_id"];
|
|
}
|
|
|
|
public function getAppendedUserId() : string {
|
|
return "aaaa" . $this->userId;
|
|
}
|
|
|
|
public function doDelete(PDO $pdo) : void {
|
|
$userId = $this->getAppendedUserId();
|
|
$this->deleteUser($pdo, $userId);
|
|
}
|
|
|
|
public function deleteUser(PDO $pdo, string $userId) : void {
|
|
$pdo->exec("delete from users where user_id = " . $userId);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputViaStaticFunction()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class Utils {
|
|
public static function shorten(string $str) : string {
|
|
return $str;
|
|
}
|
|
}
|
|
|
|
class A {
|
|
public function foo() : void {
|
|
echo(Utils::shorten((string) $_GET["user_id"]));
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testTaintedInputViaPureStaticFunction()
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class Utils {
|
|
/**
|
|
* @psalm-pure
|
|
*/
|
|
public static function shorten(string $str) : string {
|
|
return $str;
|
|
}
|
|
}
|
|
|
|
class A {
|
|
public function foo() : void {
|
|
echo(Utils::shorten((string) $_GET["user_id"]));
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function testUntaintedInputViaStaticFunction()
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class Utils {
|
|
/**
|
|
* @psalm-pure
|
|
*/
|
|
public static function shorten(string $str) : string {
|
|
return $str;
|
|
}
|
|
}
|
|
|
|
class A {
|
|
public function foo() : void {
|
|
echo(htmlentities(Utils::shorten((string) $_GET["user_id"])));
|
|
}
|
|
|
|
public function bar() : void {
|
|
echo(Utils::shorten("hello"));
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintedInputFromMagicProperty() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
/**
|
|
* @property string $userId
|
|
*/
|
|
class A {
|
|
/** @var array<string, string> */
|
|
private $vars = [];
|
|
|
|
public function __get(string $s) : string {
|
|
return $this->vars[$s];
|
|
}
|
|
|
|
public function __set(string $s, string $t) {
|
|
$this->vars[$s] = $t;
|
|
}
|
|
}
|
|
|
|
function getAppendedUserId() : void {
|
|
$a = new A();
|
|
$a->userId = (string) $_GET["user_id"];
|
|
echo $a->userId;
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintOverMixed() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
/**
|
|
* @psalm-suppress MixedAssignment
|
|
* @psalm-suppress MixedArgument
|
|
*/
|
|
function foo() : void {
|
|
$a = $_GET["bad"];
|
|
echo $a;
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintStrConversion() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
function foo() : void {
|
|
$a = strtoupper(strtolower((string) $_GET["bad"]));
|
|
echo $a;
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintHtmlEntities() : void
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
function foo() : void {
|
|
$a = htmlentities((string) $_GET["bad"]);
|
|
echo $a;
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintIntoExec() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
function foo() : void {
|
|
$a = (string) $_GET["bad"];
|
|
exec($a);
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintIntoExecMultipleConcat() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
function foo() : void {
|
|
$a = "9" . "a" . "b" . "c" . ((string) $_GET["bad"]) . "d" . "e" . "f";
|
|
exec($a);
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintIntoNestedArrayUnnestedSeparately() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
function foo() : void {
|
|
$a = [[(string) $_GET["bad"]]];
|
|
exec($a[0][0]);
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintIntoArrayAndThenOutAgain() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class C {
|
|
public static function foo() : array {
|
|
$a = (string) $_GET["bad"];
|
|
return [$a];
|
|
}
|
|
|
|
public static function bar() {
|
|
exec(self::foo()[0]);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintAppendedToArray() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class C {
|
|
public static function foo() : array {
|
|
$a = [];
|
|
$a[] = (string) $_GET["bad"];
|
|
return $a;
|
|
}
|
|
|
|
public static function bar() {
|
|
exec(self::foo()[0]);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintOnSubstrCall() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class U {
|
|
/** @psalm-pure */
|
|
public static function shorten(string $s) : string {
|
|
return substr($s, 0, 15);
|
|
}
|
|
}
|
|
|
|
class V {}
|
|
|
|
class O1 {
|
|
public string $s;
|
|
|
|
public function __construct() {
|
|
$this->s = (string) $_GET["FOO"];
|
|
}
|
|
}
|
|
|
|
class V1 extends V {
|
|
public function foo(O1 $o) : void {
|
|
echo U::shorten($o->s);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintOnStrReplaceCall() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class U {
|
|
/** @psalm-pure */
|
|
public static function shorten(string $s) : string {
|
|
return str_replace("foo", "bar", $s);
|
|
}
|
|
}
|
|
|
|
class V {}
|
|
|
|
class O1 {
|
|
public string $s;
|
|
|
|
public function __construct() {
|
|
$this->s = (string) $_GET["FOO"];
|
|
}
|
|
}
|
|
|
|
class V1 extends V {
|
|
public function foo(O1 $o) : void {
|
|
echo U::shorten($o->s);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintOnStrReplaceCallRemoved() : void
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class U {
|
|
/**
|
|
* @psalm-pure
|
|
* @psalm-remove-taint
|
|
*/
|
|
public static function shorten(string $s) : string {
|
|
return str_replace("foo", "bar", $s);
|
|
}
|
|
}
|
|
|
|
class V {}
|
|
|
|
class O1 {
|
|
public string $s;
|
|
|
|
public function __construct() {
|
|
$this->s = (string) $_GET["FOO"];
|
|
}
|
|
}
|
|
|
|
class V1 extends V {
|
|
public function foo(O1 $o) : void {
|
|
echo U::shorten($o->s);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintOnStrReplaceCallRemovedInline() : void
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class V {}
|
|
|
|
class O1 {
|
|
public string $s;
|
|
|
|
public function __construct() {
|
|
$this->s = (string) $_GET["FOO"];
|
|
}
|
|
}
|
|
|
|
class V1 extends V {
|
|
public function foo(O1 $o) : void {
|
|
/**
|
|
* @psalm-remove-taint
|
|
*/
|
|
$a = str_replace("foo", "bar", $o->s);
|
|
echo $a;
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testTaintOnPregReplaceCall() : void
|
|
{
|
|
$this->expectException(\Psalm\Exception\CodeException::class);
|
|
$this->expectExceptionMessage('TaintedInput');
|
|
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class U {
|
|
/** @psalm-pure */
|
|
public static function shorten(string $s) : string {
|
|
return preg_replace("/foo/", "bar", $s);
|
|
}
|
|
}
|
|
|
|
class V {}
|
|
|
|
class O1 {
|
|
public string $s;
|
|
|
|
public function __construct() {
|
|
$this->s = (string) $_GET["FOO"];
|
|
}
|
|
}
|
|
|
|
class V1 extends V {
|
|
public function foo(O1 $o) : void {
|
|
echo U::shorten($o->s);
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
|
|
public function testNoTaintsOnSimilarPureCall() : void
|
|
{
|
|
$this->project_analyzer->trackTaintedInputs();
|
|
|
|
$this->addFile(
|
|
'somefile.php',
|
|
'<?php
|
|
class U {
|
|
/** @psalm-pure */
|
|
public static function shorten(string $s) : string {
|
|
return substr($s, 0, 15);
|
|
}
|
|
|
|
/** @psalm-pure */
|
|
public static function escape(string $s) : string {
|
|
return htmlentities($s);
|
|
}
|
|
}
|
|
|
|
class O1 {
|
|
public string $s;
|
|
|
|
public function __construct(string $s) {
|
|
$this->s = $s;
|
|
}
|
|
}
|
|
|
|
class O2 {
|
|
public string $t;
|
|
|
|
public function __construct() {
|
|
$this->t = (string) $_GET["FOO"];
|
|
}
|
|
}
|
|
|
|
class V1 {
|
|
public function foo() : void {
|
|
$o = new O1((string) $_GET["FOO"]);
|
|
echo U::escape(U::shorten($o->s));
|
|
}
|
|
}
|
|
|
|
class V2 {
|
|
public function foo(O2 $o) : void {
|
|
echo U::shorten(U::escape($o->t));
|
|
}
|
|
}'
|
|
);
|
|
|
|
$this->analyzeFile('somefile.php', new Context());
|
|
}
|
|
}
|