From 46ae2927f8d0ab940e1e298c0620ac63cb0fb612 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Fri, 15 Sep 2023 11:56:56 +0200 Subject: [PATCH 01/29] fix: add taint source on plugin-added taints --- .../Statements/Expression/ArrayAnalyzer.php | 13 +++++++++++++ .../InstancePropertyAssignmentAnalyzer.php | 13 +++++++++++++ .../Statements/Expression/AssignmentAnalyzer.php | 7 +++++++ .../Statements/Expression/BinaryOpAnalyzer.php | 7 +++++++ .../Statements/Expression/Call/ArgumentAnalyzer.php | 7 +++++++ .../Expression/Call/FunctionCallAnalyzer.php | 7 +++++++ .../Statements/Expression/Call/NewAnalyzer.php | 7 +++++++ .../Expression/EncapsulatedStringAnalyzer.php | 8 ++++++++ .../Analyzer/Statements/Expression/EvalAnalyzer.php | 7 +++++++ .../Expression/Fetch/ArrayFetchAnalyzer.php | 7 +++++++ .../Fetch/AtomicPropertyFetchAnalyzer.php | 13 +++++++++++++ .../Statements/Expression/IncludeAnalyzer.php | 7 +++++++ src/Psalm/Internal/DataFlow/TaintSource.php | 9 +++++++++ 13 files changed, 112 insertions(+) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php index d6bc276e025..7af03aaf6c6 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php @@ -14,6 +14,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\Type\Comparator\UnionTypeComparator; use Psalm\Internal\Type\TypeCombiner; use Psalm\Issue\DuplicateArrayKey; @@ -453,6 +454,12 @@ private static function analyzeArrayItem( } $array_creation_info->parent_taint_nodes += [$new_parent_node->id => $new_parent_node]; + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $item_value_type = $item_value_type->addParentNodes([$taint_source->id => $taint_source]); + } } if ($item_key_type @@ -487,6 +494,12 @@ private static function analyzeArrayItem( } $array_creation_info->parent_taint_nodes += [$new_parent_node->id => $new_parent_node]; + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $item_value_type = $item_value_type->addParentNodes([$taint_source->id => $taint_source]); + } } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php index 1b061a3cbd1..f22fb44c554 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php @@ -28,6 +28,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\FileManipulation\FileManipulationBuffer; use Psalm\Internal\MethodIdentifier; use Psalm\Internal\Type\Comparator\TypeComparisonResult; @@ -520,6 +521,12 @@ private static function taintProperty( } } + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($property_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $assignment_value_type = $assignment_value_type->addParentNodes([$taint_source->id => $taint_source]); + } + if (isset($context->vars_in_scope[$var_id])) { $stmt_var_type = $context->vars_in_scope[$var_id]->setParentNodes( [$var_node->id => $var_node], @@ -620,6 +627,12 @@ public static function taintUnspecializedProperty( } } + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($property_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $assignment_value_type = $assignment_value_type->addParentNodes([$taint_source->id => $taint_source]); + } + $declaring_property_class = $codebase->properties->getDeclaringClassForProperty( $property_id, false, diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index b0815c020a9..3ab39303e46 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -33,6 +33,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\FileManipulation\FileManipulationBuffer; use Psalm\Internal\ReferenceConstraint; use Psalm\Internal\Scanner\VarDocblockComment; @@ -834,6 +835,12 @@ private static function taintAssignment( } $type = $type->setParentNodes($new_parent_nodes, false); + + if ($data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $data_flow_graph->addSource($taint_source); + $type = $type->addParentNodes([$taint_source->id => $taint_source]); + } } public static function analyzeAssignmentOperation( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php index 9a782307f13..49274172236 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php @@ -18,6 +18,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\MethodIdentifier; use Psalm\Issue\DocblockTypeContradiction; use Psalm\Issue\ImpureMethodCall; @@ -171,6 +172,12 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_type = $stmt_type->addParentNodes([$taint_source->id => $taint_source]); + } + if ($stmt_left_type && $stmt_left_type->parent_nodes) { foreach ($stmt_left_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php index 90134492699..0ff798507a0 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php @@ -22,6 +22,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\MethodIdentifier; use Psalm\Internal\Type\Comparator\CallableTypeComparator; use Psalm\Internal\Type\Comparator\TypeComparisonResult; @@ -1892,5 +1893,11 @@ private static function processTaintedness( $removed_taints, ); } + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($argument_value_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $input_type = $input_type->addParentNodes([$taint_source->id => $taint_source]); + } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php index 76501316200..4cb93ba6b58 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php @@ -19,6 +19,7 @@ use Psalm\Internal\Codebase\InternalCallMapHandler; use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\TaintSink; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\MethodIdentifier; use Psalm\Internal\Type\Comparator\CallableTypeComparator; use Psalm\Internal\Type\TemplateResult; @@ -862,6 +863,12 @@ private static function getAnalyzeNamedExpression( $removed_taints, ); } + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($custom_call_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_name_type = $stmt_name_type->addParentNodes([$taint_source->id => $taint_source]); + } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php index f4b7e5c09f7..d4d5fd86e28 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php @@ -21,6 +21,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\DataFlowNode; use Psalm\Internal\DataFlow\TaintSink; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\MethodIdentifier; use Psalm\Internal\Type\TemplateResult; use Psalm\Internal\Type\TemplateStandinTypeReplacer; @@ -749,6 +750,12 @@ private static function analyzeConstructorExpression( $removed_taints, ); } + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($custom_call_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_class_type = $stmt_class_type->addParentNodes([$taint_source->id => $taint_source]); + } } if (self::checkMethodArgs( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php index 88ef13bc054..13ed339be2b 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php @@ -11,7 +11,9 @@ use Psalm\Context; use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer; use Psalm\Internal\Analyzer\StatementsAnalyzer; +use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; use Psalm\Type; use Psalm\Type\Atomic\TLiteralFloat; @@ -117,6 +119,12 @@ public static function analyze( ); } } + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $casted_part_type = $casted_part_type->addParentNodes([$taint_source->id => $taint_source]); + } } } else { $all_literals = false; diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php index 093dd94e10d..a2b57bb2962 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php @@ -11,6 +11,7 @@ use Psalm\Internal\Analyzer\StatementsAnalyzer; use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\TaintSink; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Issue\ForbiddenCode; use Psalm\IssueBuffer; use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; @@ -71,6 +72,12 @@ public static function analyze( $removed_taints, ); } + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($eval_param_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $expr_type = $expr_type->addParentNodes([$taint_source->id => $taint_source]); + } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php index 5ca784170fa..5b17a7357c3 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php @@ -19,6 +19,7 @@ use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\Type\Comparator\AtomicTypeComparator; use Psalm\Internal\Type\Comparator\TypeComparisonResult; use Psalm\Internal\Type\Comparator\UnionTypeComparator; @@ -463,6 +464,12 @@ public static function taintArrayFetch( $stmt_type = $stmt_type->setParentNodes([$new_parent_node->id => $new_parent_node]); + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_type = $stmt_type->addParentNodes([$taint_source->id => $taint_source]); + } + if ($array_key_node) { $offset_type = $offset_type->setParentNodes([$array_key_node->id => $array_key_node]); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php index 3448ca749aa..6013d593b65 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php @@ -24,6 +24,7 @@ use Psalm\Internal\Analyzer\StatementsAnalyzer; use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\DataFlowNode; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\FileManipulation\FileManipulationBuffer; use Psalm\Internal\MethodIdentifier; use Psalm\Internal\Type\TemplateInferredTypeReplacer; @@ -898,6 +899,12 @@ public static function processTaints( } $type = $type->setParentNodes([$property_node->id => $property_node], true); + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($var_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $type = $type->addParentNodes([$taint_source->id => $taint_source]); + } } } else { self::processUnspecialTaints( @@ -974,6 +981,12 @@ public static function processUnspecialTaints( } $type = $type->setParentNodes([$localized_property_node->id => $localized_property_node], true); + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($localized_property_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $type = $type->addParentNodes([$taint_source->id => $taint_source]); + } } private static function handleEnumName( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php index ce884452f53..195b51cf2ea 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php @@ -16,6 +16,7 @@ use Psalm\Internal\Analyzer\StatementsAnalyzer; use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\TaintSink; +use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\Provider\NodeDataProvider; use Psalm\Issue\MissingFile; use Psalm\Issue\UnresolvableInclude; @@ -143,6 +144,12 @@ public static function analyze( $removed_taints, ); } + + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($include_param_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_expr_type = $stmt_expr_type->addParentNodes([$taint_source->id => $taint_source]); + } } if ($path_to_file) { diff --git a/src/Psalm/Internal/DataFlow/TaintSource.php b/src/Psalm/Internal/DataFlow/TaintSource.php index 5b5f076dd1e..a34cdd15d4e 100644 --- a/src/Psalm/Internal/DataFlow/TaintSource.php +++ b/src/Psalm/Internal/DataFlow/TaintSource.php @@ -9,4 +9,13 @@ */ final class TaintSource extends DataFlowNode { + public static function fromNode(DataFlowNode $node): self { + return new self( + $node->id, + $node->label, + $node->code_location, + $node->specialization_key, + $node->taints + ); + } } From e557916eae4b2906970bafedb62b8f4970bc12f2 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Fri, 15 Sep 2023 12:38:06 +0200 Subject: [PATCH 02/29] style: fix code style and redundant conditions --- .../Assignment/InstancePropertyAssignmentAnalyzer.php | 8 ++++++-- .../Statements/Expression/Call/FunctionCallAnalyzer.php | 8 +++----- .../Analyzer/Statements/Expression/Call/NewAnalyzer.php | 8 +++----- .../Analyzer/Statements/Expression/EvalAnalyzer.php | 8 +++----- .../Analyzer/Statements/Expression/IncludeAnalyzer.php | 8 +++----- src/Psalm/Internal/DataFlow/TaintSource.php | 5 +++-- 6 files changed, 21 insertions(+), 24 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php index f22fb44c554..669e38cd0ed 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php @@ -524,7 +524,9 @@ private static function taintProperty( if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($property_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $assignment_value_type = $assignment_value_type->addParentNodes([$taint_source->id => $taint_source]); + $assignment_value_type = $assignment_value_type->addParentNodes([ + $taint_source->id => $taint_source, + ]); } if (isset($context->vars_in_scope[$var_id])) { @@ -630,7 +632,9 @@ public static function taintUnspecializedProperty( if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($property_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $assignment_value_type = $assignment_value_type->addParentNodes([$taint_source->id => $taint_source]); + $assignment_value_type = $assignment_value_type->addParentNodes([ + $taint_source->id => $taint_source, + ]); } $declaring_property_class = $codebase->properties->getDeclaringClassForProperty( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php index 4cb93ba6b58..f5f874be62a 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php @@ -864,11 +864,9 @@ private static function getAnalyzeNamedExpression( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($custom_call_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_name_type = $stmt_name_type->addParentNodes([$taint_source->id => $taint_source]); - } + $taint_source = TaintSource::fromNode($custom_call_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_name_type = $stmt_name_type->addParentNodes([$taint_source->id => $taint_source]); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php index d4d5fd86e28..c591ec0d8de 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php @@ -751,11 +751,9 @@ private static function analyzeConstructorExpression( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($custom_call_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_class_type = $stmt_class_type->addParentNodes([$taint_source->id => $taint_source]); - } + $taint_source = TaintSource::fromNode($custom_call_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_class_type = $stmt_class_type->addParentNodes([$taint_source->id => $taint_source]); } if (self::checkMethodArgs( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php index a2b57bb2962..748edd9ec6b 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php @@ -73,11 +73,9 @@ public static function analyze( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($eval_param_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $expr_type = $expr_type->addParentNodes([$taint_source->id => $taint_source]); - } + $taint_source = TaintSource::fromNode($eval_param_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $expr_type = $expr_type->addParentNodes([$taint_source->id => $taint_source]); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php index 195b51cf2ea..66c0f885314 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php @@ -145,11 +145,9 @@ public static function analyze( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($include_param_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_expr_type = $stmt_expr_type->addParentNodes([$taint_source->id => $taint_source]); - } + $taint_source = TaintSource::fromNode($include_param_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + $stmt_expr_type = $stmt_expr_type->addParentNodes([$taint_source->id => $taint_source]); } if ($path_to_file) { diff --git a/src/Psalm/Internal/DataFlow/TaintSource.php b/src/Psalm/Internal/DataFlow/TaintSource.php index a34cdd15d4e..e971bf19237 100644 --- a/src/Psalm/Internal/DataFlow/TaintSource.php +++ b/src/Psalm/Internal/DataFlow/TaintSource.php @@ -9,13 +9,14 @@ */ final class TaintSource extends DataFlowNode { - public static function fromNode(DataFlowNode $node): self { + public static function fromNode(DataFlowNode $node): self + { return new self( $node->id, $node->label, $node->code_location, $node->specialization_key, - $node->taints + $node->taints, ); } } From ec5bf1f8bd216c51dcf5f67c571ceeca8b823f7e Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 19 Sep 2023 20:06:32 +0200 Subject: [PATCH 03/29] test: add addTaints plugin test --- examples/plugins/TaintActiveRecords.php | 90 +++++++++++++++++++++++++ tests/Config/PluginTest.php | 58 ++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 examples/plugins/TaintActiveRecords.php diff --git a/examples/plugins/TaintActiveRecords.php b/examples/plugins/TaintActiveRecords.php new file mode 100644 index 00000000000..d6b315fb35f --- /dev/null +++ b/examples/plugins/TaintActiveRecords.php @@ -0,0 +1,90 @@ + + */ + public static function addTaints(AddRemoveTaintsEvent $event): array + { + $expr = $event->getExpr(); + $statements_source = $event->getStatementsSource(); + + // For all property fetch expressions, walk through the full fetch path + // (e.g. `$model->property->subproperty`) and check if it contains + // any class of namespace \app\models\ + do { + $expr_type = $statements_source->getNodeTypeProvider()->getType($expr); + if (!$expr_type) { + continue; + } + + if (self::containsActiveRecord($expr_type)) { + return TaintKindGroup::ALL_INPUT; + } + } while ($expr = self::getParentNode($expr)); + + return []; + } + + /** + * @return bool `true` if union contains a type of model + */ + private static function containsActiveRecord(Union $union_type): bool + { + foreach ($union_type->getAtomicTypes() as $type) { + if (self::isActiveRecord($type)) { + return true; + } + } + + return false; + } + + /** + * @return bool `true` if namespace of type is in namespace `app\models` + */ + private static function isActiveRecord(Atomic $type): bool + { + if (!$type instanceof TNamedObject) { + return false; + } + + + return strpos($type->value, 'app\models\\') === 0; + } + + + /** + * Return next node that should be followed for active record search + */ + private static function getParentNode(Expr $expr): ?Expr + { + // Model properties are always accessed by a property fetch + if ($expr instanceof PropertyFetch) { + return $expr->var; + } + + return null; + } +} diff --git a/tests/Config/PluginTest.php b/tests/Config/PluginTest.php index 0ba40e9d83e..f2cf308720a 100644 --- a/tests/Config/PluginTest.php +++ b/tests/Config/PluginTest.php @@ -923,6 +923,64 @@ function b(int $e): int { return $e; } $this->analyzeFile($file_path, new Context()); } + public function testAddTaints(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 2) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + ' + */ + public static function findAll(): array { + $mockUser = new self(); + $mockUser->name = "

Micky Mouse

"; + + return [$mockUser]; + } + } + + foreach (User::findAll() as $user) { + echo $user->name; + } + ', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + public function testRemoveTaints(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( From 67766c7d73e10e5d8ff17b7c6d3e90046cea3fde Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 19 Sep 2023 20:09:03 +0200 Subject: [PATCH 04/29] docs: update custom taint plugin docs --- .../security_analysis/custom_taint_sources.md | 42 +++++-------------- 1 file changed, 10 insertions(+), 32 deletions(-) diff --git a/docs/security_analysis/custom_taint_sources.md b/docs/security_analysis/custom_taint_sources.md index d3bdb0a3205..1ff4062da32 100644 --- a/docs/security_analysis/custom_taint_sources.md +++ b/docs/security_analysis/custom_taint_sources.md @@ -26,49 +26,27 @@ For example this plugin treats all variables named `$bad_data` as taint sources. namespace Some\Ns; use PhpParser; -use Psalm\CodeLocation; -use Psalm\Context; -use Psalm\FileManipulation; -use Psalm\Plugin\EventHandler\AfterExpressionAnalysisInterface; -use Psalm\Plugin\EventHandler\Event\AfterExpressionAnalysisEvent; +use Psalm\Plugin\EventHandler\AddTaintsInterface; +use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; use Psalm\Type\TaintKindGroup; -class BadSqlTainter implements AfterExpressionAnalysisInterface +class BadSqlTainter implements AddTaintsInterface { /** - * Called after an expression has been checked + * Called to see what taints should be added * - * @param PhpParser\Node\Expr $expr - * @param Context $context - * @param FileManipulation[] $file_replacements - * - * @return void + * @return list */ - public static function afterExpressionAnalysis(AfterExpressionAnalysisEvent $event): ?bool { + public static function addTaints(AddRemoveTaintsEvent $event): array + { $expr = $event->getExpr(); - $statements_source = $event->getStatementsSource(); - $codebase = $event->getCodebase(); if ($expr instanceof PhpParser\Node\Expr\Variable && $expr->name === 'bad_data' ) { - $expr_type = $statements_source->getNodeTypeProvider()->getType($expr); - - // should be a globally unique id - // you can use its line number/start offset - $expr_identifier = '$bad_data' - . '-' . $statements_source->getFileName() - . ':' . $expr->getAttribute('startFilePos'); - - if ($expr_type) { - $codebase->addTaintSource( - $expr_type, - $expr_identifier, - TaintKindGroup::ALL_INPUT, - new CodeLocation($statements_source, $expr) - ); - } + return TaintKindGroup::ALL_INPUT; } - return null; + + return []; } } ``` From 723ba1675fc1d10b5f2d68f1283d6a663e4e08f7 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 19 Sep 2023 20:32:26 +0200 Subject: [PATCH 05/29] refactor: only add taint sources if required --- .../Statements/Expression/ArrayAnalyzer.php | 22 +++++++--------- .../InstancePropertyAssignmentAnalyzer.php | 26 +++++++------------ .../Expression/AssignmentAnalyzer.php | 11 ++++---- .../Expression/BinaryOpAnalyzer.php | 3 +-- .../Expression/Call/ArgumentAnalyzer.php | 3 +-- .../Expression/Call/FunctionCallAnalyzer.php | 7 ++--- .../Expression/Call/NewAnalyzer.php | 9 ++++--- .../Expression/EncapsulatedStringAnalyzer.php | 11 ++++---- .../Statements/Expression/EvalAnalyzer.php | 9 ++++--- .../Expression/Fetch/ArrayFetchAnalyzer.php | 3 +-- .../Fetch/AtomicPropertyFetchAnalyzer.php | 6 ++--- .../Statements/Expression/IncludeAnalyzer.php | 9 ++++--- 12 files changed, 54 insertions(+), 65 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php index 7af03aaf6c6..402ada1245c 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php @@ -442,6 +442,11 @@ private static function analyzeArrayItem( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + foreach ($item_value_type->parent_nodes as $parent_node) { $data_flow_graph->addPath( $parent_node, @@ -454,12 +459,6 @@ private static function analyzeArrayItem( } $array_creation_info->parent_taint_nodes += [$new_parent_node->id => $new_parent_node]; - - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($new_parent_node); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $item_value_type = $item_value_type->addParentNodes([$taint_source->id => $taint_source]); - } } if ($item_key_type @@ -483,6 +482,11 @@ private static function analyzeArrayItem( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + foreach ($item_key_type->parent_nodes as $parent_node) { $data_flow_graph->addPath( $parent_node, @@ -494,12 +498,6 @@ private static function analyzeArrayItem( } $array_creation_info->parent_taint_nodes += [$new_parent_node->id => $new_parent_node]; - - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($new_parent_node); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $item_value_type = $item_value_type->addParentNodes([$taint_source->id => $taint_source]); - } } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php index 669e38cd0ed..3be6612e59c 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php @@ -506,6 +506,11 @@ private static function taintProperty( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($property_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + $data_flow_graph->addPath( $property_node, $var_node, @@ -521,14 +526,6 @@ private static function taintProperty( } } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($property_node); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $assignment_value_type = $assignment_value_type->addParentNodes([ - $taint_source->id => $taint_source, - ]); - } - if (isset($context->vars_in_scope[$var_id])) { $stmt_var_type = $context->vars_in_scope[$var_id]->setParentNodes( [$var_node->id => $var_node], @@ -609,6 +606,11 @@ public static function taintUnspecializedProperty( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($property_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + $data_flow_graph->addPath( $localized_property_node, $property_node, @@ -629,14 +631,6 @@ public static function taintUnspecializedProperty( } } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($property_node); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $assignment_value_type = $assignment_value_type->addParentNodes([ - $taint_source->id => $taint_source, - ]); - } - $declaring_property_class = $codebase->properties->getDeclaringClassForProperty( $property_id, false, diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index 3ab39303e46..645e93fc983 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -824,6 +824,11 @@ private static function taintAssignment( $data_flow_graph->addNode($new_parent_node); $new_parent_nodes = [$new_parent_node->id => $new_parent_node]; + if ($added_taints !== [] && $data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $data_flow_graph->addSource($taint_source); + } + foreach ($parent_nodes as $parent_node) { $data_flow_graph->addPath( $parent_node, @@ -835,12 +840,6 @@ private static function taintAssignment( } $type = $type->setParentNodes($new_parent_nodes, false); - - if ($data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($new_parent_node); - $data_flow_graph->addSource($taint_source); - $type = $type->addParentNodes([$taint_source->id => $taint_source]); - } } public static function analyzeAssignmentOperation( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php index 49274172236..316b193902b 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php @@ -172,10 +172,9 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_type = $stmt_type->addParentNodes([$taint_source->id => $taint_source]); } if ($stmt_left_type && $stmt_left_type->parent_nodes) { diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php index 0ff798507a0..1e98499acd2 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php @@ -1894,10 +1894,9 @@ private static function processTaintedness( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($argument_value_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $input_type = $input_type->addParentNodes([$taint_source->id => $taint_source]); } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php index f5f874be62a..0c734d6143a 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php @@ -864,9 +864,10 @@ private static function getAnalyzeNamedExpression( ); } - $taint_source = TaintSource::fromNode($custom_call_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_name_type = $stmt_name_type->addParentNodes([$taint_source->id => $taint_source]); + if ($added_taints !== []) { + $taint_source = TaintSource::fromNode($custom_call_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php index c591ec0d8de..d18697ea019 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php @@ -741,6 +741,11 @@ private static function analyzeConstructorExpression( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== []) { + $taint_source = TaintSource::fromNode($custom_call_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + foreach ($stmt_class_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( $parent_node, @@ -750,10 +755,6 @@ private static function analyzeConstructorExpression( $removed_taints, ); } - - $taint_source = TaintSource::fromNode($custom_call_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_class_type = $stmt_class_type->addParentNodes([$taint_source->id => $taint_source]); } if (self::checkMethodArgs( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php index 13ed339be2b..0b557915418 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php @@ -108,6 +108,11 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + if ($casted_part_type->parent_nodes) { foreach ($casted_part_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( @@ -119,12 +124,6 @@ public static function analyze( ); } } - - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($new_parent_node); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $casted_part_type = $casted_part_type->addParentNodes([$taint_source->id => $taint_source]); - } } } else { $all_literals = false; diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php index 748edd9ec6b..939119e44aa 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php @@ -63,6 +63,11 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== []) { + $taint_source = TaintSource::fromNode($eval_param_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + foreach ($expr_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( $parent_node, @@ -72,10 +77,6 @@ public static function analyze( $removed_taints, ); } - - $taint_source = TaintSource::fromNode($eval_param_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $expr_type = $expr_type->addParentNodes([$taint_source->id => $taint_source]); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php index 5b17a7357c3..4287472e066 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php @@ -464,10 +464,9 @@ public static function taintArrayFetch( $stmt_type = $stmt_type->setParentNodes([$new_parent_node->id => $new_parent_node]); - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_type = $stmt_type->addParentNodes([$taint_source->id => $taint_source]); } if ($array_key_node) { diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php index 6013d593b65..14b743b1069 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php @@ -900,10 +900,9 @@ public static function processTaints( $type = $type->setParentNodes([$property_node->id => $property_node], true); - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($var_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $type = $type->addParentNodes([$taint_source->id => $taint_source]); } } } else { @@ -982,10 +981,9 @@ public static function processUnspecialTaints( $type = $type->setParentNodes([$localized_property_node->id => $localized_property_node], true); - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($localized_property_node); $statements_analyzer->data_flow_graph->addSource($taint_source); - $type = $type->addParentNodes([$taint_source->id => $taint_source]); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php index 66c0f885314..54f16aad757 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php @@ -135,6 +135,11 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + if ($added_taints !== []) { + $taint_source = TaintSource::fromNode($include_param_sink); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + foreach ($stmt_expr_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( $parent_node, @@ -144,10 +149,6 @@ public static function analyze( $removed_taints, ); } - - $taint_source = TaintSource::fromNode($include_param_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - $stmt_expr_type = $stmt_expr_type->addParentNodes([$taint_source->id => $taint_source]); } if ($path_to_file) { From 221af98497a014cd460e69c441138e5fa228c8f6 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 23 Jan 2024 21:16:50 +0100 Subject: [PATCH 06/29] test: move event handler tests to subfolder Remove taint tests from PluginTest.php and extract them into seperate classes. --- ...moveTaintsInterfaceTest_20250209161134.php | 173 ++++++++++++ ...moveTaintsInterfaceTest_20250209161257.php | 173 ++++++++++++ examples/plugins/TaintActiveRecords.php | 2 - .../AddTaints/AddTaintsInterfaceTest.php | 253 ++++++++++++++++++ .../RemoveTaints/RemoveAllTaintsPlugin.php | 20 ++ .../RemoveTaintsInterfaceTest.php | 173 ++++++++++++ tests/Config/PluginTest.php | 2 +- 7 files changed, 793 insertions(+), 3 deletions(-) create mode 100644 .history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php create mode 100644 .history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php create mode 100644 tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php create mode 100644 tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php create mode 100644 tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest.php diff --git a/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php b/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php new file mode 100644 index 00000000000..0740cee4f6e --- /dev/null +++ b/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php @@ -0,0 +1,173 @@ +setIncludeCollector(new IncludeCollector()); + return new ProjectAnalyzer( + $config, + new Providers( + $this->file_provider, + new FakeParserCacheProvider(), + ), + new ReportOptions(), + ); + } + + public function setUp(): void + { + RuntimeCaches::clearAll(); + $this->file_provider = new FakeFileProvider(); + } + + + public function testRemoveAllTaints(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + + $this->analyzeFile($file_path, new Context()); + } + + public function testRemoveTaintsSafeArrayKeyChecker(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + ' [ + "safe_key" => $_GET["input"], + ], + ]; + output($build);', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->analyzeFile($file_path, new Context()); + + $this->addFile( + $file_path, + ' [ + "safe_key" => $_GET["input"], + "a" => $_GET["input"], + ], + ]; + output($build);', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } +} diff --git a/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php b/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php new file mode 100644 index 00000000000..383e0211346 --- /dev/null +++ b/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php @@ -0,0 +1,173 @@ +setIncludeCollector(new IncludeCollector()); + return new ProjectAnalyzer( + $config, + new Providers( + $this->file_provider, + new FakeParserCacheProvider(), + ), + new ReportOptions(), + ); + } + + public function setUp(): void + { + RuntimeCaches::clearAll(); + $this->file_provider = new FakeFileProvider(); + } + + + public function testRemoveAllTaints(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = (string) getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + + $this->analyzeFile($file_path, new Context()); + } + + public function testRemoveTaintsSafeArrayKeyChecker(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = (string) getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + ' [ + "safe_key" => $_GET["input"], + ], + ]; + output($build);', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->analyzeFile($file_path, new Context()); + + $this->addFile( + $file_path, + ' [ + "safe_key" => $_GET["input"], + "a" => $_GET["input"], + ], + ]; + output($build);', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } +} diff --git a/examples/plugins/TaintActiveRecords.php b/examples/plugins/TaintActiveRecords.php index d6b315fb35f..3214e56525a 100644 --- a/examples/plugins/TaintActiveRecords.php +++ b/examples/plugins/TaintActiveRecords.php @@ -2,8 +2,6 @@ namespace Psalm\Example\Plugin; -use Exception; -use phpDocumentor\Reflection\DocBlock\Tags\Var_; use PhpParser\Node\Expr\PropertyFetch; use PhpParser\Node\Expr; use Psalm\Plugin\EventHandler\AddTaintsInterface; diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php new file mode 100644 index 00000000000..02edf62e67d --- /dev/null +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -0,0 +1,253 @@ +setIncludeCollector(new IncludeCollector()); + return new ProjectAnalyzer( + $config, + new Providers( + $this->file_provider, + new FakeParserCacheProvider(), + ), + new ReportOptions(), + ); + } + + public function setUp(): void + { + RuntimeCaches::clearAll(); + $this->file_provider = new FakeFileProvider(); + } + + public function testTaintBadDataVariables(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + + public function testAddTaintsActiveRecord(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'Micky Mouse"; + } + + $user = new User(); + echo $user->name; + ', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + + public function testAddTaintsActiveRecordKeepInVariables(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'Micky Mouse"; + } + + $user = new User(); + $userName = $user->name; + echo $userName; + ', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + + public function testAddTaintsActiveRecordList(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + ' + */ + public static function findAll(): array { + $mockUser = new self(); + $mockUser->name = "

Micky Mouse

"; + + return [$mockUser]; + } + } + + foreach (User::findAll() as $user) { + echo $user->name; + } + ', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } +} diff --git a/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php b/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php new file mode 100644 index 00000000000..bbc38f14f32 --- /dev/null +++ b/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php @@ -0,0 +1,20 @@ + + */ + public static function removeTaints(AddRemoveTaintsEvent $event): array + { + return TaintKindGroup::ALL_INPUT; + } +} diff --git a/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest.php new file mode 100644 index 00000000000..383e0211346 --- /dev/null +++ b/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest.php @@ -0,0 +1,173 @@ +setIncludeCollector(new IncludeCollector()); + return new ProjectAnalyzer( + $config, + new Providers( + $this->file_provider, + new FakeParserCacheProvider(), + ), + new ReportOptions(), + ); + } + + public function setUp(): void + { + RuntimeCaches::clearAll(); + $this->file_provider = new FakeFileProvider(); + } + + + public function testRemoveAllTaints(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = (string) getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + + $this->analyzeFile($file_path, new Context()); + } + + public function testRemoveTaintsSafeArrayKeyChecker(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = (string) getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + ' [ + "safe_key" => $_GET["input"], + ], + ]; + output($build);', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->analyzeFile($file_path, new Context()); + + $this->addFile( + $file_path, + ' [ + "safe_key" => $_GET["input"], + "a" => $_GET["input"], + ], + ]; + output($build);', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } +} diff --git a/tests/Config/PluginTest.php b/tests/Config/PluginTest.php index f2cf308720a..1212b67095d 100644 --- a/tests/Config/PluginTest.php +++ b/tests/Config/PluginTest.php @@ -1003,7 +1003,7 @@ public function testRemoveTaints(): void $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - $file_path = (string) getcwd() . '/src/somefile.php'; + $file_path = getcwd() . '/src/somefile.php'; $this->addFile( $file_path, From 7076fae6311cb1a36b61a1a52081825618f56554 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 23 Jan 2024 21:19:11 +0100 Subject: [PATCH 07/29] docs: fix example for custom taint sources --- .../security_analysis/custom_taint_sources.md | 18 ++++++----- .../AddTaints/TaintBadDataPlugin.php | 30 +++++++++++++++++++ 2 files changed, 40 insertions(+), 8 deletions(-) create mode 100644 tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php diff --git a/docs/security_analysis/custom_taint_sources.md b/docs/security_analysis/custom_taint_sources.md index 1ff4062da32..776e99ef9e1 100644 --- a/docs/security_analysis/custom_taint_sources.md +++ b/docs/security_analysis/custom_taint_sources.md @@ -23,14 +23,17 @@ For example this plugin treats all variables named `$bad_data` as taint sources. ```php getExpr(); - if ($expr instanceof PhpParser\Node\Expr\Variable - && $expr->name === 'bad_data' - ) { - return TaintKindGroup::ALL_INPUT; + + if (!$expr instanceof Variable) { + return []; } - return []; + return $expr->name === 'bad_data' ? TaintKindGroup::ALL_INPUT : []; } } ``` diff --git a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php new file mode 100644 index 00000000000..b5047ebaf4f --- /dev/null +++ b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php @@ -0,0 +1,30 @@ + + */ + public static function addTaints(AddRemoveTaintsEvent $event): array + { + $expr = $event->getExpr(); + + if (!$expr instanceof Variable) { + return []; + } + + return $expr->name === 'bad_data' ? TaintKindGroup::ALL_INPUT : []; + } +} From bb1da8efbeea77a3ee81f2301b5b79c13c82c419 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 23 Jan 2024 21:50:53 +0100 Subject: [PATCH 08/29] test: simplify taint tests for variable assignment --- .../AddTaints/AddTaintsInterfaceTest.php | 59 +++++++++++++++---- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 02edf62e67d..2fd9f389282 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -98,7 +98,7 @@ public function testTaintBadDataVariables(): void $this->analyzeFile($file_path, new Context()); } - public function testAddTaintsActiveRecord(): void + public function testTaintsArePassedByTaintedAssignments(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( TestConfig::loadFromXML( @@ -112,7 +112,7 @@ public function testAddTaintsActiveRecord(): void - + ', ), @@ -126,14 +126,8 @@ public function testAddTaintsActiveRecord(): void $file_path, 'Micky Mouse"; - } - - $user = new User(); - echo $user->name; + $foo = $bad_data; + echo $foo; ', ); @@ -145,7 +139,47 @@ class User { $this->analyzeFile($file_path, new Context()); } - public function testAddTaintsActiveRecordKeepInVariables(): void + public function testTaintsAreOverriddenByRawAssignments(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + // No exceptions should be thrown + + $this->analyzeFile($file_path, new Context()); + } + + public function testAddTaintsActiveRecord(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( TestConfig::loadFromXML( @@ -180,8 +214,7 @@ class User { } $user = new User(); - $userName = $user->name; - echo $userName; + echo $user->name; ', ); From f8cb480eea24a1dd2bef3c0e964bd8839e92f5c5 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 23 Jan 2024 22:13:52 +0100 Subject: [PATCH 09/29] docs: simplify TaintBadDataPlugin example again --- docs/security_analysis/custom_taint_sources.md | 6 +++--- .../Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/security_analysis/custom_taint_sources.md b/docs/security_analysis/custom_taint_sources.md index 776e99ef9e1..938bd3455ba 100644 --- a/docs/security_analysis/custom_taint_sources.md +++ b/docs/security_analysis/custom_taint_sources.md @@ -44,11 +44,11 @@ class TaintBadDataPlugin implements AddTaintsInterface { $expr = $event->getExpr(); - if (!$expr instanceof Variable) { - return []; + if ($expr instanceof Variable && $expr->name === 'bad_data') { + return TaintKindGroup::ALL_INPUT; } - return $expr->name === 'bad_data' ? TaintKindGroup::ALL_INPUT : []; + return []; } } ``` diff --git a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php index b5047ebaf4f..437eb6fd4c6 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php @@ -21,10 +21,10 @@ public static function addTaints(AddRemoveTaintsEvent $event): array { $expr = $event->getExpr(); - if (!$expr instanceof Variable) { - return []; + if ($expr instanceof Variable && $expr->name === 'bad_data') { + return TaintKindGroup::ALL_INPUT; } - return $expr->name === 'bad_data' ? TaintKindGroup::ALL_INPUT : []; + return []; } } From 9b3484c65ce0c7e36af16e6ef7d89440debc094c Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Tue, 31 Dec 2024 19:09:08 +0100 Subject: [PATCH 10/29] fix: add missing dispatch of taints event for assignment value --- .../Expression/AssignmentAnalyzer.php | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index 645e93fc983..e8e2ecd97ca 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -339,6 +339,34 @@ public static function analyze( $assign_value_type = $assign_value_type->setParentNodes($parent_nodes); } + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph + && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues())) { + $assign_value_location = new CodeLocation($statements_analyzer->getSource(), $assign_value); + + $event = new AddRemoveTaintsEvent($assign_value, $context, $statements_analyzer, $codebase); + + $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); + $removed_taints = [ + ...$removed_taints, + ...$codebase->config->eventDispatcher->dispatchRemoveTaints($event), + ]; + + $rhs_var_id = ExpressionIdentifier::getExtendedVarId( + $assign_value, + $statements_analyzer->getFQCLN(), + $statements_analyzer, + ) ?? 'assignment_expr'; + + self::taintAssignment( + $assign_value_type, + $statements_analyzer->data_flow_graph, + $rhs_var_id, + $assign_value_location, + $removed_taints, + $added_taints, + ); + } + if ($extended_var_id && isset($context->vars_in_scope[$extended_var_id])) { if ($context->vars_in_scope[$extended_var_id]->by_ref) { if ($context->mutation_free) { @@ -635,6 +663,7 @@ private static function analyzeAssignment( $assign_value_type, $var_id, $context, + $removed_taints, ); } elseif ($assign_var instanceof PhpParser\Node\Expr\List_ || $assign_var instanceof PhpParser\Node\Expr\Array_ @@ -1705,6 +1734,9 @@ private static function analyzePropertyAssignment( } } + /** + * @param list $removed_taints + */ private static function analyzeAssignmentToVariable( StatementsAnalyzer $statements_analyzer, Codebase $codebase, @@ -1713,6 +1745,7 @@ private static function analyzeAssignmentToVariable( Union $assign_value_type, ?string $var_id, Context $context, + array $removed_taints ): void { if (is_string($assign_var->name)) { if ($var_id) { @@ -1785,6 +1818,29 @@ private static function analyzeAssignmentToVariable( } } + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph + && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) + ) { + $assign_location = new CodeLocation($statements_analyzer->getSource(), $assign_var); + + $event = new AddRemoveTaintsEvent($assign_value, $context, $statements_analyzer, $codebase); + + $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); + $removed_taints = [ + ...$removed_taints, + ...$codebase->config->eventDispatcher->dispatchRemoveTaints($event), + ]; + + self::taintAssignment( + $context->vars_in_scope[$var_id], + $statements_analyzer->data_flow_graph, + $var_id, + $assign_location, + $removed_taints, + $added_taints, + ); + } + if (isset($context->references_possibly_from_confusing_scope[$var_id])) { IssueBuffer::maybeAdd( new ReferenceReusedFromConfusingScope( From 55726f82f8ed016b67d455f9b79bb0bbe4094bfb Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 13:26:04 +0100 Subject: [PATCH 11/29] fix: generate taint sources for function calls/returns --- .../Call/FunctionCallReturnTypeFetcher.php | 30 ++++-- .../Expression/ExpressionIdentifier.php | 19 ++++ .../Analyzer/Statements/ReturnAnalyzer.php | 21 +++++ .../AddTaints/AddTaintsInterfaceTest.php | 93 +++++++++++++++++++ .../AddTaints/TaintBadDataPlugin.php | 18 +++- 5 files changed, 169 insertions(+), 12 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php index 65763215a18..460ab919dd1 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php @@ -266,6 +266,7 @@ public static function fetch( $statements_analyzer, $stmt, $function_id, + $function_name->toCodeString(), $function_storage, $stmt_type, $template_result, @@ -535,6 +536,7 @@ private static function taintReturnType( StatementsAnalyzer $statements_analyzer, PhpParser\Node\Expr\FuncCall $stmt, string $function_id, + string $cased_function_id, FunctionLikeStorage $function_storage, Union &$stmt_type, TemplateResult $template_result, @@ -560,13 +562,12 @@ private static function taintReturnType( $function_call_node = DataFlowNode::getForMethodReturn( $function_id, - $function_id, + $cased_function_id, $statements_analyzer->data_flow_graph instanceof TaintFlowGraph ? ($function_storage->signature_return_type_location ?: $function_storage->location) : ($function_storage->return_type_location ?: $function_storage->location), $function_storage->specialize_call ? $node_location : null, ); - $statements_analyzer->data_flow_graph->addNode($function_call_node); $codebase = $statements_analyzer->getCodebase(); @@ -673,16 +674,25 @@ private static function taintReturnType( ); } - if ($function_storage->taint_source_types && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $method_node = TaintSource::getForMethodReturn( - $function_id, - $function_id, - $node_location, - ); + if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + // Docblock-defined taints should override inherited + $added_taints = []; + if ($function_storage->taint_source_types !== []) { + $added_taints = $function_storage->taint_source_types; + } else if ($function_storage->added_taints !== []) { + $added_taints = $function_storage->added_taints; + } - $method_node->taints = $function_storage->taint_source_types; + $added_taints = array_diff( + $added_taints, + $function_storage->removed_taints + ); + if ($added_taints !== []) { + $taint_source = TaintSource::fromNode($function_call_node); + $taint_source->taints = $added_taints; - $statements_analyzer->data_flow_graph->addSource($method_node); + $statements_analyzer->data_flow_graph->addSource($taint_source); + } } return $function_call_node; diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php b/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php index 67f22a0a73a..b7624dd8690 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php @@ -209,6 +209,25 @@ public static function getExtendedVarId( } } + if ($stmt instanceof PhpParser\Node\Expr\FuncCall) { + if ($stmt->name instanceof PhpParser\Node\Name) { + $resolved_name = $stmt->name->toCodeString(); + } else { + $resolved_name = self::getExtendedVarId($stmt->name, $this_class_name, $source); + } + if ($resolved_name === null) { + return null; + } + + $argsPlaceholder = array_map( + fn ($index): string => is_int($index) ? '#' . ($index + 1) : $index, + array_keys($stmt->args) + ); + $argsPlaceholder = join(', ', $argsPlaceholder); + + return $resolved_name . '(' . $argsPlaceholder . ')'; + } + if ($stmt instanceof PhpParser\Node\Expr\MethodCall && $stmt->name instanceof PhpParser\Node\Identifier && !$stmt->isFirstClassCallable() diff --git a/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php index ec109d6b84c..5798b419fc4 100644 --- a/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php @@ -37,6 +37,7 @@ use Psalm\Issue\NonVariableReferenceReturn; use Psalm\Issue\NullableReturnStatement; use Psalm\IssueBuffer; +use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; use Psalm\Storage\FunctionLikeStorage; use Psalm\Storage\MethodStorage; use Psalm\Type; @@ -265,6 +266,7 @@ public static function analyze( $cased_method_id, $inferred_type, $storage, + $context ); } @@ -579,6 +581,7 @@ private static function handleTaints( string $cased_method_id, Union $inferred_type, FunctionLikeStorage $storage, + Context $context ): void { if (!$statements_analyzer->data_flow_graph instanceof TaintFlowGraph || !$stmt->expr @@ -595,6 +598,24 @@ private static function handleTaints( $statements_analyzer->data_flow_graph->addNode($method_node); + $codebase = $statements_analyzer->getCodebase(); + + $event = new AddRemoveTaintsEvent($stmt->expr, $context, $statements_analyzer, $codebase); + + $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); + $storage->added_taints = array_unique( + array_merge( + $storage->added_taints, + $added_taints + ) + ); + $storage->removed_taints = array_unique( + array_merge( + $storage->removed_taints, + $codebase->config->eventDispatcher->dispatchRemoveTaints($event), + ) + ); + if ($inferred_type->parent_nodes) { foreach ($inferred_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 2fd9f389282..0c8ff8e8a26 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -179,6 +179,99 @@ public function testTaintsAreOverriddenByRawAssignments(): void $this->analyzeFile($file_path, new Context()); } + public function testTaintsArePassedByTaintedFuncReturns(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + + public function testTaintsArePassedByTaintedFuncMultipleReturns(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + // Test that taints are merged and not replaced by later return stmts + $this->addFile( + $file_path, + 'project_analyzer->trackTaintedInputs(); + + // Find TaintedHtml here, not TaintedSql, as this is not a sink for echo + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + public function testAddTaintsActiveRecord(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( diff --git a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php index 437eb6fd4c6..98d075189d6 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php @@ -5,6 +5,7 @@ use PhpParser\Node\Expr\Variable; use Psalm\Plugin\EventHandler\AddTaintsInterface; use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; +use Psalm\Type\TaintKind; use Psalm\Type\TaintKindGroup; /** @@ -21,8 +22,21 @@ public static function addTaints(AddRemoveTaintsEvent $event): array { $expr = $event->getExpr(); - if ($expr instanceof Variable && $expr->name === 'bad_data') { - return TaintKindGroup::ALL_INPUT; + if (!$expr instanceof Variable) { + return []; + } + + switch ($expr->name) { + case 'bad_data': + return TaintKindGroup::ALL_INPUT; + case 'bad_sql': + return [TaintKind::INPUT_SQL]; + case 'bad_html': + return [TaintKind::INPUT_HTML]; + case 'bad_eval': + return [TaintKind::INPUT_EVAL]; + case 'bad_file': + return [TaintKind::INPUT_FILE]; } return []; From 7355c893724ad8eeb5fef7386ce854d14b57ccc8 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 14:50:07 +0100 Subject: [PATCH 12/29] fix: generate taint sources for methods --- .../Analyzer/FunctionLikeAnalyzer.php | 19 ++++++ .../Call/FunctionCallReturnTypeFetcher.php | 59 +++++++++++-------- .../Method/MethodCallReturnTypeFetcher.php | 18 ++---- .../AddTaints/AddTaintsInterfaceTest.php | 47 +++++++++++++++ 4 files changed, 108 insertions(+), 35 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php index 502b9504ec7..6ebc1c65830 100644 --- a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php @@ -17,6 +17,7 @@ use Psalm\FileManipulation; use Psalm\Internal\Analyzer\FunctionLike\ReturnTypeAnalyzer; use Psalm\Internal\Analyzer\FunctionLike\ReturnTypeCollector; +use Psalm\Internal\Analyzer\Statements\Expression\Call\FunctionCallReturnTypeFetcher; use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer; use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\Codebase\VariableUseGraph; @@ -830,6 +831,24 @@ public function analyze( } } + // Class methods are analyzed deferred, therefor it's required to + // add taint sources additionally on analyze not only on call + if ($codebase->taint_flow_graph + && $this->function instanceof ClassMethod + && $cased_method_id) { + $method_source = DataFlowNode::getForMethodReturn( + (string) $method_id, + $cased_method_id, + $storage->location, + ); + + FunctionCallReturnTypeFetcher::taintUsingStorage( + $storage, + $codebase->taint_flow_graph, + $method_source + ); + } + if ($add_mutations) { if ($this->return_vars_in_scope !== null) { $context->vars_in_scope = TypeAnalyzer::combineKeyedTypes( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php index 460ab919dd1..3a119710665 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php @@ -618,9 +618,11 @@ private static function taintReturnType( $stmt_type = $stmt_type->addParentNodes([$function_call_node->id => $function_call_node]); } - if ($function_storage->return_source_params - && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph - ) { + if (!$statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + return $function_call_node; + } + + if ($function_storage->return_source_params) { $removed_taints = $function_storage->removed_taints; if ($function_id === 'preg_replace' && count($stmt->getArgs()) > 2) { @@ -674,26 +676,7 @@ private static function taintReturnType( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - // Docblock-defined taints should override inherited - $added_taints = []; - if ($function_storage->taint_source_types !== []) { - $added_taints = $function_storage->taint_source_types; - } else if ($function_storage->added_taints !== []) { - $added_taints = $function_storage->added_taints; - } - - $added_taints = array_diff( - $added_taints, - $function_storage->removed_taints - ); - if ($added_taints !== []) { - $taint_source = TaintSource::fromNode($function_call_node); - $taint_source->taints = $added_taints; - - $statements_analyzer->data_flow_graph->addSource($taint_source); - } - } + self::taintUsingStorage($function_storage, $statements_analyzer->data_flow_graph, $function_call_node); return $function_call_node; } @@ -756,6 +739,36 @@ public static function taintUsingFlows( } } + /** + * @param array $args + * @param array $removed_taints + * @param array $added_taints + */ + public static function taintUsingStorage( + FunctionLikeStorage $function_storage, + TaintFlowGraph $graph, + DataFlowNode $function_call_node + ): void { + // Docblock-defined taints should override inherited + $added_taints = []; + if ($function_storage->taint_source_types !== []) { + $added_taints = $function_storage->taint_source_types; + } else if ($function_storage->added_taints !== []) { + $added_taints = $function_storage->added_taints; + } + + $added_taints = array_diff( + $added_taints, + $function_storage->removed_taints + ); + if ($added_taints !== []) { + $taint_source = TaintSource::fromNode($function_call_node); + $taint_source->taints = $added_taints; + + $graph->addSource($taint_source); + } + } + /** * @psalm-pure */ diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php index 3d3b39e5b37..e950aab9739 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php @@ -533,18 +533,6 @@ public static function taintMethodCallResult( return; } - if ($method_storage->taint_source_types) { - $method_node = TaintSource::getForMethodReturn( - (string) $method_id, - $cased_method_id, - $method_storage->signature_return_type_location ?: $method_storage->location, - ); - - $method_node->taints = $method_storage->taint_source_types; - - $statements_analyzer->data_flow_graph->addSource($method_node); - } - FunctionCallReturnTypeFetcher::taintUsingFlows( $statements_analyzer, $method_storage, @@ -555,6 +543,12 @@ public static function taintMethodCallResult( $method_call_node, $method_storage->removed_taints, ); + + FunctionCallReturnTypeFetcher::taintUsingStorage( + $method_storage, + $statements_analyzer->data_flow_graph, + $method_call_node + ); } public static function replaceTemplateTypes( diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 0c8ff8e8a26..2c1d45a32ba 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -272,6 +272,53 @@ function genBadData(bool $html) { $this->analyzeFile($file_path, new Context()); } + public function testTaintsArePassedByTaintedMethodReturns(): void + { + $this->project_analyzer = $this->getProjectAnalyzerWithConfig( + TestConfig::loadFromXML( + dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, + ' + + + + + + + + ', + ), + ); + + $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'genBadData(); + ', + ); + + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + + $this->analyzeFile($file_path, new Context()); + } + public function testAddTaintsActiveRecord(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( From 91b6a701a6691d7b541130c6c180758335bef23f Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 15:07:22 +0100 Subject: [PATCH 13/29] test: refactor AddTaintsInterfaceTest Extract duplicate code to methods. --- .../AddTaints/AddTaintsInterfaceTest.php | 219 +++++------------- 1 file changed, 53 insertions(+), 166 deletions(-) diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 2c1d45a32ba..57cf9a37b6e 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -52,13 +52,7 @@ private function getProjectAnalyzerWithConfig(Config $config): ProjectAnalyzer ); } - public function setUp(): void - { - RuntimeCaches::clearAll(); - $this->file_provider = new FakeFileProvider(); - } - - public function testTaintBadDataVariables(): void + private function setupProjectAnalyzerWithTaintBadDataPlugin(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( TestConfig::loadFromXML( @@ -77,28 +71,10 @@ public function testTaintBadDataVariables(): void ', ), ); - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - - $file_path = getcwd() . '/src/somefile.php'; - - $this->addFile( - $file_path, - 'project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); - - $this->analyzeFile($file_path, new Context()); } - public function testTaintsArePassedByTaintedAssignments(): void + private function setupProjectAnalyzerWithActiveRecordPlugin(): void { $this->project_analyzer = $this->getProjectAnalyzerWithConfig( TestConfig::loadFromXML( @@ -112,13 +88,50 @@ public function testTaintsArePassedByTaintedAssignments(): void - + ', ), ); - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + } + + private function expectTaintedHtml(): void + { + $this->project_analyzer->trackTaintedInputs(); + + $this->expectException(CodeException::class); + $this->expectExceptionMessageMatches('/TaintedHtml/'); + } + + public function setUp(): void + { + RuntimeCaches::clearAll(); + $this->file_provider = new FakeFileProvider(); + } + + public function testTaintBadDataVariables(): void + { + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'expectTaintedHtml(); + + $this->analyzeFile($file_path, new Context()); + } + + public function testTaintsArePassedByTaintedAssignments(): void + { + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -131,35 +144,14 @@ public function testTaintsArePassedByTaintedAssignments(): void ', ); - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectTaintedHtml(); $this->analyzeFile($file_path, new Context()); } public function testTaintsAreOverriddenByRawAssignments(): void { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -181,25 +173,7 @@ public function testTaintsAreOverriddenByRawAssignments(): void public function testTaintsArePassedByTaintedFuncReturns(): void { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -215,35 +189,14 @@ function genBadData() { ', ); - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectTaintedHtml(); $this->analyzeFile($file_path, new Context()); } public function testTaintsArePassedByTaintedFuncMultipleReturns(): void { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -263,36 +216,15 @@ function genBadData(bool $html) { ', ); - $this->project_analyzer->trackTaintedInputs(); - // Find TaintedHtml here, not TaintedSql, as this is not a sink for echo - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectTaintedHtml(); $this->analyzeFile($file_path, new Context()); } public function testTaintsArePassedByTaintedMethodReturns(): void { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -311,35 +243,14 @@ public function genBadData() { ', ); - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectTaintedHtml(); $this->analyzeFile($file_path, new Context()); } public function testAddTaintsActiveRecord(): void { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + $this->setupProjectAnalyzerWithActiveRecordPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -358,35 +269,14 @@ class User { ', ); - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectTaintedHtml(); $this->analyzeFile($file_path, new Context()); } public function testAddTaintsActiveRecordList(): void { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); + $this->setupProjectAnalyzerWithActiveRecordPlugin(); $file_path = getcwd() . '/src/somefile.php'; @@ -416,10 +306,7 @@ public static function findAll(): array { ', ); - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectTaintedHtml(); $this->analyzeFile($file_path, new Context()); } From 828587c914bcbc8ea6c7d8984e964fd9223a93bd Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 15:10:00 +0100 Subject: [PATCH 14/29] test: add taint test for static method and proxy calls --- .../AddTaints/AddTaintsInterfaceTest.php | 58 ++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 57cf9a37b6e..3fc28f74725 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -101,7 +101,7 @@ private function expectTaintedHtml(): void $this->project_analyzer->trackTaintedInputs(); $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); + $this->expectExceptionMessage('TaintedHtml'); } public function setUp(): void @@ -248,6 +248,62 @@ public function genBadData() { $this->analyzeFile($file_path, new Context()); } + public function testTaintsArePassedByTaintedStaticMethodReturns(): void + { + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'expectTaintedHtml(); + + $this->analyzeFile($file_path, new Context()); + } + + public function testTaintsArePassedByProxyCalls(): void + { + $this->setupProjectAnalyzerWithTaintBadDataPlugin(); + + $file_path = getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + 'expectTaintedHtml(); + + $this->analyzeFile($file_path, new Context()); + } + public function testAddTaintsActiveRecord(): void { $this->setupProjectAnalyzerWithActiveRecordPlugin(); From 3647204c570b19beb4f8c6105fae4a0046957f7e Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 15:37:00 +0100 Subject: [PATCH 15/29] style: fix code style to match project requirements --- src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php | 2 +- .../Expression/Call/FunctionCallReturnTypeFetcher.php | 5 +++-- .../Call/Method/MethodCallReturnTypeFetcher.php | 3 +-- .../Statements/Expression/ExpressionIdentifier.php | 9 ++++++--- .../Internal/Analyzer/Statements/ReturnAnalyzer.php | 10 ++++++---- 5 files changed, 17 insertions(+), 12 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php index 6ebc1c65830..cd53e13a313 100644 --- a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php @@ -845,7 +845,7 @@ public function analyze( FunctionCallReturnTypeFetcher::taintUsingStorage( $storage, $codebase->taint_flow_graph, - $method_source + $method_source, ); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php index 3a119710665..afcc4fae879 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php @@ -43,6 +43,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function array_merge; use function array_values; use function count; @@ -753,13 +754,13 @@ public static function taintUsingStorage( $added_taints = []; if ($function_storage->taint_source_types !== []) { $added_taints = $function_storage->taint_source_types; - } else if ($function_storage->added_taints !== []) { + } elseif ($function_storage->added_taints !== []) { $added_taints = $function_storage->added_taints; } $added_taints = array_diff( $added_taints, - $function_storage->removed_taints + $function_storage->removed_taints, ); if ($added_taints !== []) { $taint_source = TaintSource::fromNode($function_call_node); diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php index e950aab9739..b9d2fbcf9ce 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/MethodCallReturnTypeFetcher.php @@ -17,7 +17,6 @@ use Psalm\Internal\Codebase\InternalCallMapHandler; use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\DataFlowNode; -use Psalm\Internal\DataFlow\TaintSource; use Psalm\Internal\MethodIdentifier; use Psalm\Internal\Type\TemplateBound; use Psalm\Internal\Type\TemplateInferredTypeReplacer; @@ -547,7 +546,7 @@ public static function taintMethodCallResult( FunctionCallReturnTypeFetcher::taintUsingStorage( $method_storage, $statements_analyzer->data_flow_graph, - $method_call_node + $method_call_node, ); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php b/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php index b7624dd8690..dbc2300c07c 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php @@ -10,9 +10,12 @@ use Psalm\Internal\Analyzer\ClassLikeAnalyzer; use Psalm\Internal\Analyzer\StatementsAnalyzer; +use function array_keys; +use function array_map; use function count; use function implode; use function in_array; +use function is_int; use function is_string; use function strtolower; @@ -220,10 +223,10 @@ public static function getExtendedVarId( } $argsPlaceholder = array_map( - fn ($index): string => is_int($index) ? '#' . ($index + 1) : $index, - array_keys($stmt->args) + fn($index): string => is_int($index) ? '#' . ($index + 1) : $index, + array_keys($stmt->args), ); - $argsPlaceholder = join(', ', $argsPlaceholder); + $argsPlaceholder = implode(', ', $argsPlaceholder); return $resolved_name . '(' . $argsPlaceholder . ')'; } diff --git a/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php index 5798b419fc4..fa9921ace02 100644 --- a/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php @@ -47,6 +47,8 @@ use Psalm\Type\Atomic\TClosure; use Psalm\Type\Union; +use function array_merge; +use function array_unique; use function count; use function explode; use function implode; @@ -266,7 +268,7 @@ public static function analyze( $cased_method_id, $inferred_type, $storage, - $context + $context, ); } @@ -606,14 +608,14 @@ private static function handleTaints( $storage->added_taints = array_unique( array_merge( $storage->added_taints, - $added_taints - ) + $added_taints, + ), ); $storage->removed_taints = array_unique( array_merge( $storage->removed_taints, $codebase->config->eventDispatcher->dispatchRemoveTaints($event), - ) + ), ); if ($inferred_type->parent_nodes) { From f654e725a815570306ffa89fef8f50424993529b Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 15:48:46 +0100 Subject: [PATCH 16/29] fix: revert adding expr-identifier for func-calls --- .../Expression/ExpressionIdentifier.php | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php b/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php index dbc2300c07c..67f22a0a73a 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/ExpressionIdentifier.php @@ -10,12 +10,9 @@ use Psalm\Internal\Analyzer\ClassLikeAnalyzer; use Psalm\Internal\Analyzer\StatementsAnalyzer; -use function array_keys; -use function array_map; use function count; use function implode; use function in_array; -use function is_int; use function is_string; use function strtolower; @@ -212,25 +209,6 @@ public static function getExtendedVarId( } } - if ($stmt instanceof PhpParser\Node\Expr\FuncCall) { - if ($stmt->name instanceof PhpParser\Node\Name) { - $resolved_name = $stmt->name->toCodeString(); - } else { - $resolved_name = self::getExtendedVarId($stmt->name, $this_class_name, $source); - } - if ($resolved_name === null) { - return null; - } - - $argsPlaceholder = array_map( - fn($index): string => is_int($index) ? '#' . ($index + 1) : $index, - array_keys($stmt->args), - ); - $argsPlaceholder = implode(', ', $argsPlaceholder); - - return $resolved_name . '(' . $argsPlaceholder . ')'; - } - if ($stmt instanceof PhpParser\Node\Expr\MethodCall && $stmt->name instanceof PhpParser\Node\Identifier && !$stmt->isFirstClassCallable() From ec66b678402823d90ce4acafe01c60a66ec5d49a Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 17:28:32 +0100 Subject: [PATCH 17/29] style: fix psalm e2e test findings --- .../Analyzer/FunctionLikeAnalyzer.php | 2 +- .../Expression/AssignmentAnalyzer.php | 192 +++++++++++------- .../Call/FunctionCallReturnTypeFetcher.php | 5 - .../AddTaints/TaintBadDataPlugin.php | 2 + .../RemoveTaints/RemoveAllTaintsPlugin.php | 3 + 5 files changed, 121 insertions(+), 83 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php index cd53e13a313..7ff370f00c5 100644 --- a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php @@ -1086,7 +1086,7 @@ private function processParams( $statements_analyzer->data_flow_graph->addNode($param_assignment); - if ($cased_method_id) { + if ($cased_method_id !== null) { $type_source = DataFlowNode::getForMethodArgument( $cased_method_id, $cased_method_id, diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index e8e2ecd97ca..c92074916d4 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -315,32 +315,18 @@ public static function analyze( if ($statements_analyzer->data_flow_graph instanceof VariableUseGraph && !$assign_value_type->parent_nodes ) { - if ($extended_var_id) { - $assignment_node = DataFlowNode::getForAssignment( - $extended_var_id, - new CodeLocation($statements_analyzer->getSource(), $assign_var), - ); - } else { - $assignment_node = new DataFlowNode('unknown-origin', 'unknown origin', null); - } - - $parent_nodes = [ - $assignment_node->id => $assignment_node, - ]; - - if ($context->inside_try) { - // Copy previous assignment's parent nodes inside a try. Since an exception could be thrown at any - // point this is a workaround to ensure that use of a variable also uses all previous assignments. - if (isset($context->vars_in_scope[$extended_var_id])) { - $parent_nodes += $context->vars_in_scope[$extended_var_id]->parent_nodes; - } - } - - $assign_value_type = $assign_value_type->setParentNodes($parent_nodes); + $assign_value_type = self::analyzeVariableUse( + $statements_analyzer, + $assign_var, + $extended_var_id, + $assign_value_type, + $context, + ); } if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph - && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues())) { + && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) + && $assign_value) { $assign_value_location = new CodeLocation($statements_analyzer->getSource(), $assign_value); $event = new AddRemoveTaintsEvent($assign_value, $context, $statements_analyzer, $codebase); @@ -409,8 +395,6 @@ public static function analyze( } } - $codebase = $statements_analyzer->getCodebase(); - if ($assign_value_type->hasMixed()) { $root_var_id = ExpressionIdentifier::getRootVarId( $assign_var, @@ -578,57 +562,16 @@ public static function analyze( } } - if ($statements_analyzer->data_flow_graph) { - $data_flow_graph = $statements_analyzer->data_flow_graph; - - if ($context->vars_in_scope[$var_id]->parent_nodes) { - if ($data_flow_graph instanceof TaintFlowGraph - && in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) - ) { - $context->vars_in_scope[$var_id] = $context->vars_in_scope[$var_id]->setParentNodes([]); - } else { - $var_location = new CodeLocation($statements_analyzer->getSource(), $assign_var); - - $event = new AddRemoveTaintsEvent($assign_var, $context, $statements_analyzer, $codebase); - - $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); - $removed_taints = [ - ...$removed_taints, - ...$codebase->config->eventDispatcher->dispatchRemoveTaints($event), - ]; - - self::taintAssignment( - $context->vars_in_scope[$var_id], - $data_flow_graph, - $var_id, - $var_location, - $removed_taints, - $added_taints, - ); - } - - if ($assign_expr) { - $new_parent_node = DataFlowNode::getForAssignment( - 'assignment_expr', - new CodeLocation($statements_analyzer->getSource(), $assign_expr), - ); - - $data_flow_graph->addNode($new_parent_node); - - foreach ($context->vars_in_scope[$var_id]->parent_nodes as $old_parent_node) { - $data_flow_graph->addPath( - $old_parent_node, - $new_parent_node, - '=', - ); - } - - $assign_value_type = $assign_value_type->setParentNodes( - [$new_parent_node->id => $new_parent_node], - ); - } - } - } + self::analyzeAssignValueDataFlow( + $statements_analyzer, + $codebase, + $assign_var, + $assign_expr, + $assign_value_type, + $var_id, + $context, + $removed_taints, + ); } $context->inside_assignment = $was_in_assignment; @@ -1818,7 +1761,8 @@ private static function analyzeAssignmentToVariable( } } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph + if ($assign_value + && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) ) { $assign_location = new CodeLocation($statements_analyzer->getSource(), $assign_var); @@ -1909,4 +1853,98 @@ private static function analyzeAssignmentToVariable( } } } + + private static function analyzeVariableUse( + StatementsAnalyzer $statements_analyzer, + PhpParser\Node\Expr $assign_var, + ?string $extended_var_id, + Union $assign_value_type, + Context $context + ): Union { + if ($extended_var_id) { + $assignment_node = DataFlowNode::getForAssignment( + $extended_var_id, + new CodeLocation($statements_analyzer->getSource(), $assign_var), + ); + } else { + $assignment_node = new DataFlowNode('unknown-origin', 'unknown origin', null); + } + + $parent_nodes = [ + $assignment_node->id => $assignment_node, + ]; + + if ($context->inside_try) { + // Copy previous assignment's parent nodes inside a try. Since an exception could be thrown at any + // point this is a workaround to ensure that use of a variable also uses all previous assignments. + if (isset($context->vars_in_scope[$extended_var_id])) { + $parent_nodes += $context->vars_in_scope[$extended_var_id]->parent_nodes; + } + } + + return $assign_value_type->setParentNodes($parent_nodes); + } + + private static function analyzeAssignValueDataFlow( + StatementsAnalyzer $statements_analyzer, + Codebase $codebase, + PhpParser\Node\Expr $assign_var, + ?PhpParser\Node\Expr $assign_expr, + Union &$assign_value_type, + ?string $var_id, + Context $context, + array $removed_taints + ): void { + if (!$statements_analyzer->data_flow_graph + || !$context->vars_in_scope[$var_id]->parent_nodes) { + return; + } + + $data_flow_graph = $statements_analyzer->data_flow_graph; + if ($data_flow_graph instanceof TaintFlowGraph + && in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) + ) { + $context->vars_in_scope[$var_id] = $context->vars_in_scope[$var_id]->setParentNodes([]); + } else { + $var_location = new CodeLocation($statements_analyzer->getSource(), $assign_var); + + $event = new AddRemoveTaintsEvent($assign_var, $context, $statements_analyzer, $codebase); + + $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); + $removed_taints = [ + ...$removed_taints, + ...$codebase->config->eventDispatcher->dispatchRemoveTaints($event), + ]; + + self::taintAssignment( + $context->vars_in_scope[$var_id], + $data_flow_graph, + $var_id, + $var_location, + $removed_taints, + $added_taints, + ); + } + + if ($assign_expr) { + $new_parent_node = DataFlowNode::getForAssignment( + 'assignment_expr', + new CodeLocation($statements_analyzer->getSource(), $assign_expr), + ); + + $data_flow_graph->addNode($new_parent_node); + + foreach ($context->vars_in_scope[$var_id]->parent_nodes as $old_parent_node) { + $data_flow_graph->addPath( + $old_parent_node, + $new_parent_node, + '=', + ); + } + + $assign_value_type = $assign_value_type->setParentNodes( + [$new_parent_node->id => $new_parent_node], + ); + } + } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php index afcc4fae879..8510c87ba22 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php @@ -740,11 +740,6 @@ public static function taintUsingFlows( } } - /** - * @param array $args - * @param array $removed_taints - * @param array $added_taints - */ public static function taintUsingStorage( FunctionLikeStorage $function_storage, TaintFlowGraph $graph, diff --git a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php index 98d075189d6..a08853b84d1 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php @@ -10,6 +10,8 @@ /** * Add input taints to all variables named 'bad_data' + * + * @psalm-suppress UnusedClass */ class TaintBadDataPlugin implements AddTaintsInterface { diff --git a/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php b/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php index bbc38f14f32..7b8e6038e27 100644 --- a/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php +++ b/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php @@ -6,6 +6,9 @@ use Psalm\Plugin\EventHandler\RemoveTaintsInterface; use Psalm\Type\TaintKindGroup; +/** + * @psalm-suppress UnusedClass + */ class RemoveAllTaintsPlugin implements RemoveTaintsInterface { /** From e41c81ea7656baf41e758d5937e61f9e17c152df Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 17:56:11 +0100 Subject: [PATCH 18/29] test: fix added taint-flow path in var-assignment --- tests/ReportOutputTest.php | 48 +++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/tests/ReportOutputTest.php b/tests/ReportOutputTest.php index 5c4292f573e..7d6300de054 100644 --- a/tests/ReportOutputTest.php +++ b/tests/ReportOutputTest.php @@ -288,6 +288,21 @@ public function testSarifReport(): void ], ], ], + [ + 'location' => [ + 'physicalLocation' => [ + 'artifactLocation' => [ + 'uri' => 'taintflow-test/vulnerable.php', + ], + 'region' => [ + 'startLine' => 7, + 'endLine' => 7, + 'startColumn' => 17, + 'endColumn' => 60, + ], + ], + ], + ], [ 'location' => [ 'physicalLocation' => [ @@ -443,6 +458,21 @@ public function testSarifReport(): void ], ], ], + [ + 'location' => [ + 'physicalLocation' => [ + 'artifactLocation' => [ + 'uri' => 'taintflow-test/vulnerable.php', + ], + 'region' => [ + 'startLine' => 7, + 'endLine' => 7, + 'startColumn' => 17, + 'endColumn' => 60, + ], + ], + ], + ], [ 'location' => [ 'physicalLocation' => [ @@ -613,6 +643,21 @@ public function testSarifReport(): void ], ], ], + [ + 'location' => [ + 'physicalLocation' => [ + 'artifactLocation' => [ + 'uri' => 'taintflow-test/vulnerable.php', + ], + 'region' => [ + 'startLine' => 7, + 'endLine' => 7, + 'startColumn' => 17, + 'endColumn' => 60, + ], + ], + ], + ], [ 'location' => [ 'physicalLocation' => [ @@ -671,9 +716,10 @@ public function testSarifReport(): void $sarif_report_options = ProjectAnalyzer::getFileReportOptions([__DIR__ . '/test-report.sarif'])[0]; + $issue_result = IssueBuffer::getOutput(IssueBuffer::getIssuesData(), $sarif_report_options); $this->assertSame( $issue_data, - json_decode(IssueBuffer::getOutput(IssueBuffer::getIssuesData(), $sarif_report_options), true, 512, JSON_THROW_ON_ERROR), + json_decode($issue_result, true, 512, JSON_THROW_ON_ERROR), ); } From a539c9bc24d8a2adbd4f5d5642292e02bbcf60ab Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 19:20:29 +0100 Subject: [PATCH 19/29] refactor: extract code from assignment analyzer into methods --- .../Expression/AssignmentAnalyzer.php | 146 +++++++++++------- 1 file changed, 91 insertions(+), 55 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index c92074916d4..d99627ffdc7 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -153,60 +153,19 @@ public static function analyze( $removed_taints = []; - if ($doc_comment) { - $file_path = $statements_analyzer->getRootFilePath(); - - $file_storage_provider = $codebase->file_storage_provider; - - $file_storage = $file_storage_provider->get($file_path); - - $template_type_map = $statements_analyzer->getTemplateTypeMap(); - - try { - $var_comments = $codebase->config->disable_var_parsing - ? [] - : CommentAnalyzer::getTypeFromComment( - $doc_comment, - $statements_analyzer->getSource(), - $statements_analyzer->getAliases(), - $template_type_map, - $file_storage->type_aliases, - ); - } catch (IncorrectDocblockException $e) { - IssueBuffer::maybeAdd( - new MissingDocblockType( - $e->getMessage(), - new CodeLocation($statements_analyzer->getSource(), $assign_var), - ), - ); - } catch (DocblockParseException $e) { - IssueBuffer::maybeAdd( - new InvalidDocblock( - $e->getMessage(), - new CodeLocation($statements_analyzer->getSource(), $assign_var), - ), - ); - } - - foreach ($var_comments as $var_comment) { - if ($var_comment->removed_taints) { - $removed_taints = $var_comment->removed_taints; - } - - self::assignTypeFromVarDocblock( - $statements_analyzer, - $assign_var, - $var_comment, - $context, - $var_id, - $comment_type, - $comment_type_location, - $not_ignored_docblock_var_ids, - $var_id === $var_comment->var_id - && $assign_value_type && $comment_type && $assign_value_type->by_ref, - ); - } - } + self::analyzeDocComment( + $statements_analyzer, + $codebase, + $context, + $assign_var, + $var_id, + $assign_value_type, + $doc_comment, + $comment_type, + $comment_type_location, + $not_ignored_docblock_var_ids, + $removed_taints, + ); if ($extended_var_id) { unset($context->cond_referenced_var_ids[$extended_var_id]); @@ -665,6 +624,80 @@ private static function analyzeAssignment( return null; } + /** + * @param array $removed_taints + */ + private static function analyzeDocComment( + StatementsAnalyzer $statements_analyzer, + Codebase $codebase, + Context $context, + PhpParser\Node $assign_var, + ?string $var_id, + Union $assign_value_type, + ?Doc $doc_comment, + ?Union &$comment_type, + ?DocblockTypeLocation &$comment_type_location, + array $not_ignored_docblock_var_ids, + array &$removed_taints + ): void { + if (!$doc_comment) { + return; + } + + $file_path = $statements_analyzer->getRootFilePath(); + + $file_storage_provider = $codebase->file_storage_provider; + + $file_storage = $file_storage_provider->get($file_path); + + $template_type_map = $statements_analyzer->getTemplateTypeMap(); + + try { + $var_comments = $codebase->config->disable_var_parsing + ? [] + : CommentAnalyzer::getTypeFromComment( + $doc_comment, + $statements_analyzer->getSource(), + $statements_analyzer->getAliases(), + $template_type_map, + $file_storage->type_aliases, + ); + } catch (IncorrectDocblockException $e) { + IssueBuffer::maybeAdd( + new MissingDocblockType( + $e->getMessage(), + new CodeLocation($statements_analyzer->getSource(), $assign_var), + ), + ); + } catch (DocblockParseException $e) { + IssueBuffer::maybeAdd( + new InvalidDocblock( + $e->getMessage(), + new CodeLocation($statements_analyzer->getSource(), $assign_var), + ), + ); + } + + foreach ($var_comments as $var_comment) { + if ($var_comment->removed_taints) { + $removed_taints = $var_comment->removed_taints; + } + + self::assignTypeFromVarDocblock( + $statements_analyzer, + $assign_var, + $var_comment, + $context, + $var_id, + $comment_type, + $comment_type_location, + $not_ignored_docblock_var_ids, + $var_id === $var_comment->var_id + && $assign_value_type && $comment_type && $assign_value_type->by_ref, + ); + } + } + public static function assignTypeFromVarDocblock( StatementsAnalyzer $statements_analyzer, PhpParser\Node $stmt, @@ -1885,13 +1918,16 @@ private static function analyzeVariableUse( return $assign_value_type->setParentNodes($parent_nodes); } + /** + * @var array $removed_taints + */ private static function analyzeAssignValueDataFlow( StatementsAnalyzer $statements_analyzer, Codebase $codebase, PhpParser\Node\Expr $assign_var, ?PhpParser\Node\Expr $assign_expr, Union &$assign_value_type, - ?string $var_id, + string $var_id, Context $context, array $removed_taints ): void { From b41a8f52733edd037a184e441fbf9ac2767e12ae Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 19 Jan 2025 20:11:22 +0100 Subject: [PATCH 20/29] refactor: remove change of assignment data flow graph Change wasn't necessary, instead a taint source can be created if taints get added during assignment. --- .../Expression/AssignmentAnalyzer.php | 38 +++------------ tests/ReportOutputTest.php | 48 +------------------ 2 files changed, 8 insertions(+), 78 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index d99627ffdc7..6c386afd78b 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -88,6 +88,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function count; use function in_array; use function is_string; @@ -283,35 +284,6 @@ public static function analyze( ); } - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph - && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) - && $assign_value) { - $assign_value_location = new CodeLocation($statements_analyzer->getSource(), $assign_value); - - $event = new AddRemoveTaintsEvent($assign_value, $context, $statements_analyzer, $codebase); - - $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); - $removed_taints = [ - ...$removed_taints, - ...$codebase->config->eventDispatcher->dispatchRemoveTaints($event), - ]; - - $rhs_var_id = ExpressionIdentifier::getExtendedVarId( - $assign_value, - $statements_analyzer->getFQCLN(), - $statements_analyzer, - ) ?? 'assignment_expr'; - - self::taintAssignment( - $assign_value_type, - $statements_analyzer->data_flow_graph, - $rhs_var_id, - $assign_value_location, - $removed_taints, - $added_taints, - ); - } - if ($extended_var_id && isset($context->vars_in_scope[$extended_var_id])) { if ($context->vars_in_scope[$extended_var_id]->by_ref) { if ($context->mutation_free) { @@ -633,7 +605,7 @@ private static function analyzeDocComment( Context $context, PhpParser\Node $assign_var, ?string $var_id, - Union $assign_value_type, + ?Union $assign_value_type, ?Doc $doc_comment, ?Union &$comment_type, ?DocblockTypeLocation &$comment_type_location, @@ -829,8 +801,12 @@ private static function taintAssignment( $data_flow_graph->addNode($new_parent_node); $new_parent_nodes = [$new_parent_node->id => $new_parent_node]; - if ($added_taints !== [] && $data_flow_graph instanceof TaintFlowGraph) { + // If taints get added (e.g. due to plugin) this assignment needs to + // become a new taint source + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); + $taint_source->taints = $taints; $data_flow_graph->addSource($taint_source); } diff --git a/tests/ReportOutputTest.php b/tests/ReportOutputTest.php index 7d6300de054..5c4292f573e 100644 --- a/tests/ReportOutputTest.php +++ b/tests/ReportOutputTest.php @@ -288,21 +288,6 @@ public function testSarifReport(): void ], ], ], - [ - 'location' => [ - 'physicalLocation' => [ - 'artifactLocation' => [ - 'uri' => 'taintflow-test/vulnerable.php', - ], - 'region' => [ - 'startLine' => 7, - 'endLine' => 7, - 'startColumn' => 17, - 'endColumn' => 60, - ], - ], - ], - ], [ 'location' => [ 'physicalLocation' => [ @@ -458,21 +443,6 @@ public function testSarifReport(): void ], ], ], - [ - 'location' => [ - 'physicalLocation' => [ - 'artifactLocation' => [ - 'uri' => 'taintflow-test/vulnerable.php', - ], - 'region' => [ - 'startLine' => 7, - 'endLine' => 7, - 'startColumn' => 17, - 'endColumn' => 60, - ], - ], - ], - ], [ 'location' => [ 'physicalLocation' => [ @@ -643,21 +613,6 @@ public function testSarifReport(): void ], ], ], - [ - 'location' => [ - 'physicalLocation' => [ - 'artifactLocation' => [ - 'uri' => 'taintflow-test/vulnerable.php', - ], - 'region' => [ - 'startLine' => 7, - 'endLine' => 7, - 'startColumn' => 17, - 'endColumn' => 60, - ], - ], - ], - ], [ 'location' => [ 'physicalLocation' => [ @@ -716,10 +671,9 @@ public function testSarifReport(): void $sarif_report_options = ProjectAnalyzer::getFileReportOptions([__DIR__ . '/test-report.sarif'])[0]; - $issue_result = IssueBuffer::getOutput(IssueBuffer::getIssuesData(), $sarif_report_options); $this->assertSame( $issue_data, - json_decode($issue_result, true, 512, JSON_THROW_ON_ERROR), + json_decode(IssueBuffer::getOutput(IssueBuffer::getIssuesData(), $sarif_report_options), true, 512, JSON_THROW_ON_ERROR), ); } From 5f3f0126f2eb3d981ce5d9fa955281158e812329 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Mon, 20 Jan 2025 17:25:37 +0100 Subject: [PATCH 21/29] fix: taint variable fetches in every case Trigger AddRemoveTaintEvent and check if it results in added taints. Also allow now removing taints from superglobals. --- .../Expression/AssignmentAnalyzer.php | 23 ---- .../Fetch/VariableFetchAnalyzer.php | 102 +++++++++++------- 2 files changed, 64 insertions(+), 61 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index 6c386afd78b..44bb1ca5108 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -1770,29 +1770,6 @@ private static function analyzeAssignmentToVariable( } } - if ($assign_value - && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph - && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) - ) { - $assign_location = new CodeLocation($statements_analyzer->getSource(), $assign_var); - - $event = new AddRemoveTaintsEvent($assign_value, $context, $statements_analyzer, $codebase); - - $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); - $removed_taints = [ - ...$removed_taints, - ...$codebase->config->eventDispatcher->dispatchRemoveTaints($event), - ]; - - self::taintAssignment( - $context->vars_in_scope[$var_id], - $statements_analyzer->data_flow_graph, - $var_id, - $assign_location, - $removed_taints, - $added_taints, - ); - } if (isset($context->references_possibly_from_confusing_scope[$var_id])) { IssueBuffer::maybeAdd( diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/VariableFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/VariableFetchAnalyzer.php index b7766aa2617..53a6b6542e9 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/VariableFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/VariableFetchAnalyzer.php @@ -22,6 +22,7 @@ use Psalm\Issue\UndefinedGlobalVariable; use Psalm\Issue\UndefinedVariable; use Psalm\IssueBuffer; +use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; use Psalm\Type; use Psalm\Type\Atomic\TArray; use Psalm\Type\Atomic\TBool; @@ -36,6 +37,9 @@ use Psalm\Type\TaintKindGroup; use Psalm\Type\Union; +use function array_diff; +use function array_merge; +use function array_unique; use function in_array; use function is_string; use function time; @@ -166,7 +170,7 @@ public static function analyze( if (isset($context->vars_in_scope[$var_name])) { $type = $context->vars_in_scope[$var_name]; - self::taintVariable($statements_analyzer, $var_name, $type, $stmt); + self::taintVariable($statements_analyzer, $context, $var_name, $type, $stmt); $context->vars_in_scope[$var_name] = $type; $statements_analyzer->node_data->setType($stmt, $type); @@ -176,7 +180,7 @@ public static function analyze( $type = self::getGlobalType($var_name, $codebase->analysis_php_version_id); - self::taintVariable($statements_analyzer, $var_name, $type, $stmt); + self::taintVariable($statements_analyzer, $context, $var_name, $type, $stmt); $statements_analyzer->node_data->setType($stmt, $type); $context->vars_in_scope[$var_name] = $type; @@ -252,6 +256,8 @@ public static function analyze( $context->branch_point, ); } + + self::taintVariable($statements_analyzer, $context, $var_name, $stmt_type, $stmt); $statements_analyzer->node_data->setType($stmt, $stmt_type); if ($assigned_to_reference) { @@ -266,29 +272,27 @@ public static function analyze( || $statements_analyzer->getSource() instanceof FunctionLikeAnalyzer ) { if ($context->is_global || $from_global) { - IssueBuffer::maybeAdd( - new UndefinedGlobalVariable( - 'Cannot find referenced variable ' . $var_name . ' in global scope', - new CodeLocation($statements_analyzer->getSource(), $stmt), - $var_name, - ), - $statements_analyzer->getSuppressedIssues(), + $exception = new UndefinedGlobalVariable( + 'Cannot find referenced variable ' . $var_name . ' in global scope', + new CodeLocation($statements_analyzer->getSource(), $stmt), + $var_name, + ); + } else { + $exception = new UndefinedVariable( + 'Cannot find referenced variable ' . $var_name, + new CodeLocation($statements_analyzer->getSource(), $stmt), ); - - $statements_analyzer->node_data->setType($stmt, Type::getMixed()); - - return true; } IssueBuffer::maybeAdd( - new UndefinedVariable( - 'Cannot find referenced variable ' . $var_name, - new CodeLocation($statements_analyzer->getSource(), $stmt), - ), + $exception, $statements_analyzer->getSuppressedIssues(), ); - $statements_analyzer->node_data->setType($stmt, Type::getMixed()); + $type = Type::getMixed(); + self::taintVariable($statements_analyzer, $context, $var_name, $type, $stmt); + + $statements_analyzer->node_data->setType($stmt, $type); return true; } @@ -370,6 +374,8 @@ public static function analyze( } else { $stmt_type = $context->vars_in_scope[$var_name]; + self::taintVariable($statements_analyzer, $context, $var_name, $stmt_type, $stmt); + self::addDataFlowToVariable($statements_analyzer, $stmt, $var_name, $stmt_type, $context); $context->vars_in_scope[$var_name] = $stmt_type; @@ -505,35 +511,55 @@ private static function addDataFlowToVariable( private static function taintVariable( StatementsAnalyzer $statements_analyzer, + Context $context, string $var_name, Union &$type, PhpParser\Node\Expr\Variable $stmt, ): void { - if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph - && !in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) + if (!$statements_analyzer->data_flow_graph instanceof TaintFlowGraph + || in_array('TaintedInput', $statements_analyzer->getSuppressedIssues()) ) { - if ($var_name === '$_GET' - || $var_name === '$_POST' - || $var_name === '$_COOKIE' - || $var_name === '$_REQUEST' - ) { - $taint_location = new CodeLocation($statements_analyzer->getSource(), $stmt); + return; + } - $server_taint_source = new TaintSource( - $var_name . ':' . $taint_location->file_name . ':' . $taint_location->raw_file_start, - $var_name, - null, - null, - TaintKindGroup::ALL_INPUT, - ); + // Add superglobal server taint sources + if ($var_name === '$_GET' + || $var_name === '$_POST' + || $var_name === '$_COOKIE' + || $var_name === '$_REQUEST' + ) { + $taints = TaintKindGroup::ALL_INPUT; + } else { + $taints = []; + } - $statements_analyzer->data_flow_graph->addSource($server_taint_source); + // Trigger event to possibly get more/less taints + $codebase = $statements_analyzer->getCodebase(); + $event = new AddRemoveTaintsEvent($stmt, $context, $statements_analyzer, $codebase); - $type = $type->setParentNodes([ - $server_taint_source->id => $server_taint_source, - ]); - } + $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); + $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + $taints = array_unique(array_merge($taints, $added_taints)); + $taints = array_diff($taints, $removed_taints); + + if ($taints === []) { + return; } + + $taint_location = new CodeLocation($statements_analyzer->getSource(), $stmt); + + $taint_source = new TaintSource( + $var_name . ':' . $taint_location->file_name . ':' . $taint_location->raw_file_start, + $var_name, + null, + null, + $taints, + ); + $statements_analyzer->data_flow_graph->addSource($taint_source); + + $type = $type->setParentNodes([ + $taint_source->id => $taint_source, + ]); } /** From 44e6aa888a01552db3077da76adfa693e1f589f5 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Mon, 20 Jan 2025 19:55:09 +0100 Subject: [PATCH 22/29] fix: set taints for taint sources added by plugin --- .../Statements/Expression/ArrayAnalyzer.php | 8 ++++-- .../InstancePropertyAssignmentAnalyzer.php | 9 +++++-- .../Expression/BinaryOpAnalyzer.php | 5 +++- .../Expression/Call/ArgumentAnalyzer.php | 5 +++- .../Expression/Call/FunctionCallAnalyzer.php | 13 +++++---- .../Call/FunctionCallReturnTypeFetcher.php | 7 +++-- .../Expression/Call/NewAnalyzer.php | 3 +++ .../Expression/EncapsulatedStringAnalyzer.php | 5 +++- .../Statements/Expression/EvalAnalyzer.php | 5 +++- .../Expression/Fetch/ArrayFetchAnalyzer.php | 27 ++++++++++--------- .../Fetch/AtomicPropertyFetchAnalyzer.php | 9 +++++-- .../Statements/Expression/IncludeAnalyzer.php | 5 +++- 12 files changed, 69 insertions(+), 32 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php index 402ada1245c..0afd08d1eab 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php @@ -43,6 +43,7 @@ use Psalm\Type\Atomic\TTrue; use Psalm\Type\Union; +use function array_diff; use function array_merge; use function array_values; use function count; @@ -442,7 +443,8 @@ private static function analyzeArrayItem( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); $statements_analyzer->data_flow_graph->addSource($taint_source); } @@ -482,8 +484,10 @@ private static function analyzeArrayItem( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php index 3be6612e59c..0c48e9146d9 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Assignment/InstancePropertyAssignmentAnalyzer.php @@ -79,6 +79,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function array_merge; use function array_pop; use function count; @@ -506,8 +507,10 @@ private static function taintProperty( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($property_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } @@ -606,8 +609,10 @@ public static function taintUnspecializedProperty( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($property_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php index 316b193902b..abbdd8fff52 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php @@ -35,6 +35,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function in_array; use function strlen; @@ -172,8 +173,10 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php index 1e98499acd2..c051cc6f26e 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php @@ -65,6 +65,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function array_filter; use function count; use function explode; @@ -1894,8 +1895,10 @@ private static function processTaintedness( ); } - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($argument_value_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php index 0c734d6143a..18db16871fc 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php @@ -63,6 +63,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function array_map; use function array_merge; use function array_shift; @@ -854,6 +855,13 @@ private static function getAnalyzeNamedExpression( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== []) { + $taint_source = TaintSource::fromNode($custom_call_sink); + $taint_source->taints = $taints; + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + foreach ($stmt_name_type->parent_nodes as $parent_node) { $statements_analyzer->data_flow_graph->addPath( $parent_node, @@ -863,11 +871,6 @@ private static function getAnalyzeNamedExpression( $removed_taints, ); } - - if ($added_taints !== []) { - $taint_source = TaintSource::fromNode($custom_call_sink); - $statements_analyzer->data_flow_graph->addSource($taint_source); - } } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php index 8510c87ba22..0cfdfd22e24 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php @@ -753,14 +753,13 @@ public static function taintUsingStorage( $added_taints = $function_storage->added_taints; } - $added_taints = array_diff( + $taints = array_diff( $added_taints, $function_storage->removed_taints, ); - if ($added_taints !== []) { + if ($taints !== []) { $taint_source = TaintSource::fromNode($function_call_node); - $taint_source->taints = $added_taints; - + $taint_source->taints = $taints; $graph->addSource($taint_source); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php index d18697ea019..92edae0c543 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/NewAnalyzer.php @@ -61,6 +61,7 @@ use Psalm\Type\TaintKind; use Psalm\Type\Union; +use function array_diff; use function array_map; use function array_values; use function count; @@ -741,8 +742,10 @@ private static function analyzeConstructorExpression( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); + $taints = array_diff($added_taints, $removed_taints); if ($added_taints !== []) { $taint_source = TaintSource::fromNode($custom_call_sink); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php index 0b557915418..ba5a41f0f44 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php @@ -26,6 +26,7 @@ use Psalm\Type\Atomic\TString; use Psalm\Type\Union; +use function array_diff; use function in_array; /** @@ -108,8 +109,10 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($new_parent_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php index 939119e44aa..421545eec60 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/EvalAnalyzer.php @@ -17,6 +17,7 @@ use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent; use Psalm\Type\TaintKind; +use function array_diff; use function in_array; /** @@ -63,8 +64,10 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== []) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== []) { $taint_source = TaintSource::fromNode($eval_param_sink); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php index 4287472e066..4186103eecd 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php @@ -89,6 +89,7 @@ use Psalm\Type\Union; use UnexpectedValueException; +use function array_diff; use function array_keys; use function array_map; use function array_pop; @@ -395,6 +396,13 @@ public static function taintArrayFetch( return; } + $var_location = new CodeLocation($statements_analyzer->getSource(), $var); + + $new_parent_node = DataFlowNode::getForAssignment( + $keyed_array_var_id ?: 'arrayvalue-fetch', + $var_location, + ); + $added_taints = []; $removed_taints = []; @@ -404,14 +412,14 @@ public static function taintArrayFetch( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - } - - $var_location = new CodeLocation($statements_analyzer->getSource(), $var); - $new_parent_node = DataFlowNode::getForAssignment( - $keyed_array_var_id ?: 'arrayvalue-fetch', - $var_location, - ); + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taint_source = TaintSource::fromNode($new_parent_node); + $taint_source->taints = $taints; + $statements_analyzer->data_flow_graph->addSource($taint_source); + } + } $array_key_node = null; @@ -464,11 +472,6 @@ public static function taintArrayFetch( $stmt_type = $stmt_type->setParentNodes([$new_parent_node->id => $new_parent_node]); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { - $taint_source = TaintSource::fromNode($new_parent_node); - $statements_analyzer->data_flow_graph->addSource($taint_source); - } - if ($array_key_node) { $offset_type = $offset_type->setParentNodes([$array_key_node->id => $array_key_node]); } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php index 14b743b1069..e03cb6fa7a5 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php @@ -63,6 +63,7 @@ use Psalm\Type\Atomic\TTemplateParam; use Psalm\Type\Union; +use function array_diff; use function array_filter; use function array_keys; use function array_map; @@ -900,8 +901,10 @@ public static function processTaints( $type = $type->setParentNodes([$property_node->id => $property_node], true); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($var_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } } @@ -981,8 +984,10 @@ public static function processUnspecialTaints( $type = $type->setParentNodes([$localized_property_node->id => $localized_property_node], true); - if ($added_taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($localized_property_node); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } } diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php index 54f16aad757..32d46362a6b 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/IncludeAnalyzer.php @@ -25,6 +25,7 @@ use Psalm\Type\TaintKind; use Symfony\Component\Filesystem\Path; +use function array_diff; use function constant; use function defined; use function dirname; @@ -135,8 +136,10 @@ public static function analyze( $added_taints = $codebase->config->eventDispatcher->dispatchAddTaints($event); $removed_taints = $codebase->config->eventDispatcher->dispatchRemoveTaints($event); - if ($added_taints !== []) { + $taints = array_diff($added_taints, $removed_taints); + if ($taints !== []) { $taint_source = TaintSource::fromNode($include_param_sink); + $taint_source->taints = $taints; $statements_analyzer->data_flow_graph->addSource($taint_source); } From 7cb975ab2af0e9221a6de078c38b7452786fd08e Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 9 Feb 2025 16:21:43 +0100 Subject: [PATCH 23/29] style: fix code style for 6.x --- .../Analyzer/Statements/Expression/AssignmentAnalyzer.php | 8 ++++---- .../Expression/Call/FunctionCallReturnTypeFetcher.php | 2 +- src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php | 2 +- .../EventHandler/AddTaints/AddTaintsInterfaceTest.php | 2 ++ .../Plugin/EventHandler/AddTaints/TaintBadDataPlugin.php | 2 ++ .../EventHandler/RemoveTaints/RemoveAllTaintsPlugin.php | 2 ++ .../RemoveTaints/RemoveTaintsInterfaceTest.php | 2 ++ 7 files changed, 14 insertions(+), 6 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index 44bb1ca5108..fdefbec7618 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -610,7 +610,7 @@ private static function analyzeDocComment( ?Union &$comment_type, ?DocblockTypeLocation &$comment_type_location, array $not_ignored_docblock_var_ids, - array &$removed_taints + array &$removed_taints, ): void { if (!$doc_comment) { return; @@ -1697,7 +1697,7 @@ private static function analyzeAssignmentToVariable( Union $assign_value_type, ?string $var_id, Context $context, - array $removed_taints + array $removed_taints, ): void { if (is_string($assign_var->name)) { if ($var_id) { @@ -1845,7 +1845,7 @@ private static function analyzeVariableUse( PhpParser\Node\Expr $assign_var, ?string $extended_var_id, Union $assign_value_type, - Context $context + Context $context, ): Union { if ($extended_var_id) { $assignment_node = DataFlowNode::getForAssignment( @@ -1882,7 +1882,7 @@ private static function analyzeAssignValueDataFlow( Union &$assign_value_type, string $var_id, Context $context, - array $removed_taints + array $removed_taints, ): void { if (!$statements_analyzer->data_flow_graph || !$context->vars_in_scope[$var_id]->parent_nodes) { diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php index 0cfdfd22e24..9aec38e44a9 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php @@ -743,7 +743,7 @@ public static function taintUsingFlows( public static function taintUsingStorage( FunctionLikeStorage $function_storage, TaintFlowGraph $graph, - DataFlowNode $function_call_node + DataFlowNode $function_call_node, ): void { // Docblock-defined taints should override inherited $added_taints = []; diff --git a/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php index fa9921ace02..7d70252fc3b 100644 --- a/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/ReturnAnalyzer.php @@ -583,7 +583,7 @@ private static function handleTaints( string $cased_method_id, Union $inferred_type, FunctionLikeStorage $storage, - Context $context + Context $context, ): void { if (!$statements_analyzer->data_flow_graph instanceof TaintFlowGraph || !$stmt->expr diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 3fc28f74725..9f38d7101a4 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -1,5 +1,7 @@ Date: Sun, 9 Feb 2025 16:27:53 +0100 Subject: [PATCH 24/29] fix: remove .history files --- ...moveTaintsInterfaceTest_20250209161134.php | 173 ------------------ ...moveTaintsInterfaceTest_20250209161257.php | 173 ------------------ 2 files changed, 346 deletions(-) delete mode 100644 .history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php delete mode 100644 .history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php diff --git a/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php b/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php deleted file mode 100644 index 0740cee4f6e..00000000000 --- a/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161134.php +++ /dev/null @@ -1,173 +0,0 @@ -setIncludeCollector(new IncludeCollector()); - return new ProjectAnalyzer( - $config, - new Providers( - $this->file_provider, - new FakeParserCacheProvider(), - ), - new ReportOptions(), - ); - } - - public function setUp(): void - { - RuntimeCaches::clearAll(); - $this->file_provider = new FakeFileProvider(); - } - - - public function testRemoveAllTaints(): void - { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - - $file_path = getcwd() . '/src/somefile.php'; - - $this->addFile( - $file_path, - 'project_analyzer->trackTaintedInputs(); - - $this->analyzeFile($file_path, new Context()); - } - - public function testRemoveTaintsSafeArrayKeyChecker(): void - { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - - $file_path = getcwd() . '/src/somefile.php'; - - $this->addFile( - $file_path, - ' [ - "safe_key" => $_GET["input"], - ], - ]; - output($build);', - ); - - $this->project_analyzer->trackTaintedInputs(); - - $this->analyzeFile($file_path, new Context()); - - $this->addFile( - $file_path, - ' [ - "safe_key" => $_GET["input"], - "a" => $_GET["input"], - ], - ]; - output($build);', - ); - - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); - - $this->analyzeFile($file_path, new Context()); - } -} diff --git a/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php b/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php deleted file mode 100644 index 383e0211346..00000000000 --- a/.history/tests/Config/Plugin/EventHandler/RemoveTaints/RemoveTaintsInterfaceTest_20250209161257.php +++ /dev/null @@ -1,173 +0,0 @@ -setIncludeCollector(new IncludeCollector()); - return new ProjectAnalyzer( - $config, - new Providers( - $this->file_provider, - new FakeParserCacheProvider(), - ), - new ReportOptions(), - ); - } - - public function setUp(): void - { - RuntimeCaches::clearAll(); - $this->file_provider = new FakeFileProvider(); - } - - - public function testRemoveAllTaints(): void - { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - - $file_path = (string) getcwd() . '/src/somefile.php'; - - $this->addFile( - $file_path, - 'project_analyzer->trackTaintedInputs(); - - $this->analyzeFile($file_path, new Context()); - } - - public function testRemoveTaintsSafeArrayKeyChecker(): void - { - $this->project_analyzer = $this->getProjectAnalyzerWithConfig( - TestConfig::loadFromXML( - dirname(__DIR__, 5) . DIRECTORY_SEPARATOR, - ' - - - - - - - - ', - ), - ); - - $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - - $file_path = (string) getcwd() . '/src/somefile.php'; - - $this->addFile( - $file_path, - ' [ - "safe_key" => $_GET["input"], - ], - ]; - output($build);', - ); - - $this->project_analyzer->trackTaintedInputs(); - - $this->analyzeFile($file_path, new Context()); - - $this->addFile( - $file_path, - ' [ - "safe_key" => $_GET["input"], - "a" => $_GET["input"], - ], - ]; - output($build);', - ); - - $this->project_analyzer->trackTaintedInputs(); - - $this->expectException(CodeException::class); - $this->expectExceptionMessageMatches('/TaintedHtml/'); - - $this->analyzeFile($file_path, new Context()); - } -} From 2263fcaea904685fe02a69b603f8feb79d2248c9 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 9 Feb 2025 16:29:35 +0100 Subject: [PATCH 25/29] fix: convert to string for getcwd() --- .../AddTaints/AddTaintsInterfaceTest.php | 20 +++++++++---------- tests/Config/PluginTest.php | 4 ++-- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 9f38d7101a4..90832a8a3d4 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -116,7 +116,7 @@ public function testTaintBadDataVariables(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -135,7 +135,7 @@ public function testTaintsArePassedByTaintedAssignments(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -155,7 +155,7 @@ public function testTaintsAreOverriddenByRawAssignments(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -177,7 +177,7 @@ public function testTaintsArePassedByTaintedFuncReturns(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -200,7 +200,7 @@ public function testTaintsArePassedByTaintedFuncMultipleReturns(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; // Test that taints are merged and not replaced by later return stmts $this->addFile( @@ -228,7 +228,7 @@ public function testTaintsArePassedByTaintedMethodReturns(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -254,7 +254,7 @@ public function testTaintsArePassedByTaintedStaticMethodReturns(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -279,7 +279,7 @@ public function testTaintsArePassedByProxyCalls(): void { $this->setupProjectAnalyzerWithTaintBadDataPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -310,7 +310,7 @@ public function testAddTaintsActiveRecord(): void { $this->setupProjectAnalyzerWithActiveRecordPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -336,7 +336,7 @@ public function testAddTaintsActiveRecordList(): void { $this->setupProjectAnalyzerWithActiveRecordPlugin(); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, diff --git a/tests/Config/PluginTest.php b/tests/Config/PluginTest.php index 1212b67095d..da4a0dc798a 100644 --- a/tests/Config/PluginTest.php +++ b/tests/Config/PluginTest.php @@ -945,7 +945,7 @@ public function testAddTaints(): void $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, @@ -1003,7 +1003,7 @@ public function testRemoveTaints(): void $this->project_analyzer->getCodebase()->config->initializePlugins($this->project_analyzer); - $file_path = getcwd() . '/src/somefile.php'; + $file_path = (string) getcwd() . '/src/somefile.php'; $this->addFile( $file_path, From e1c531931af52d069a8282de92c4b215f8a4d071 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 9 Feb 2025 16:45:08 +0100 Subject: [PATCH 26/29] fix: support ArrayItem type --- examples/plugins/TaintActiveRecords.php | 4 +-- .../AddTaints/AddTaintsInterfaceTest.php | 36 +++++++++++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/examples/plugins/TaintActiveRecords.php b/examples/plugins/TaintActiveRecords.php index 3214e56525a..9973caa4f6e 100644 --- a/examples/plugins/TaintActiveRecords.php +++ b/examples/plugins/TaintActiveRecords.php @@ -2,6 +2,7 @@ namespace Psalm\Example\Plugin; +use PhpParser\Node\ArrayItem; use PhpParser\Node\Expr\PropertyFetch; use PhpParser\Node\Expr; use Psalm\Plugin\EventHandler\AddTaintsInterface; @@ -68,7 +69,6 @@ private static function isActiveRecord(Atomic $type): bool return false; } - return strpos($type->value, 'app\models\\') === 0; } @@ -76,7 +76,7 @@ private static function isActiveRecord(Atomic $type): bool /** * Return next node that should be followed for active record search */ - private static function getParentNode(Expr $expr): ?Expr + private static function getParentNode(ArrayItem|Expr $expr): ?Expr { // Model properties are always accessed by a property fetch if ($expr instanceof PropertyFetch) { diff --git a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php index 90832a8a3d4..b7fca079456 100644 --- a/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php +++ b/tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php @@ -368,4 +368,40 @@ public static function findAll(): array { $this->analyzeFile($file_path, new Context()); } + + public function testAddTaintsActiveRecordListItem(): void + { + $this->setupProjectAnalyzerWithActiveRecordPlugin(); + + $file_path = (string) getcwd() . '/src/somefile.php'; + + $this->addFile( + $file_path, + ' + */ + public static function findAll(): array { + $mockUser = new self(); + $mockUser->name = "

Micky Mouse

"; + + return [$mockUser]; + } + } + + $users = User::findAll(); + echo $users[0]->name; + ', + ); + + $this->expectTaintedHtml(); + + $this->analyzeFile($file_path, new Context()); + } } From 58414c1313ebe8a7ba82a4e4cac7a39a9da3697f Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 9 Feb 2025 17:05:59 +0100 Subject: [PATCH 27/29] style: fix linting type-issues --- examples/plugins/TaintActiveRecords.php | 6 ++++++ .../Statements/Expression/AssignmentAnalyzer.php | 15 ++++++++------- .../Fetch/AtomicPropertyFetchAnalyzer.php | 2 +- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/examples/plugins/TaintActiveRecords.php b/examples/plugins/TaintActiveRecords.php index 9973caa4f6e..c8aa9229cd3 100644 --- a/examples/plugins/TaintActiveRecords.php +++ b/examples/plugins/TaintActiveRecords.php @@ -27,6 +27,12 @@ class TaintActiveRecords implements AddTaintsInterface public static function addTaints(AddRemoveTaintsEvent $event): array { $expr = $event->getExpr(); + + // Model properties are accessed by property fetch, so abort here + if ($expr instanceof ArrayItem) { + return []; + } + $statements_source = $event->getStatementsSource(); // For all property fetch expressions, walk through the full fetch path diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index fdefbec7618..c2c0210c6ef 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -537,7 +537,6 @@ private static function analyzeAssignment( $assign_value_type, $var_id, $context, - $removed_taints, ); } elseif ($assign_var instanceof PhpParser\Node\Expr\List_ || $assign_var instanceof PhpParser\Node\Expr\Array_ @@ -597,7 +596,7 @@ private static function analyzeAssignment( } /** - * @param array $removed_taints + * @param list $removed_taints */ private static function analyzeDocComment( StatementsAnalyzer $statements_analyzer, @@ -641,6 +640,8 @@ private static function analyzeDocComment( new CodeLocation($statements_analyzer->getSource(), $assign_var), ), ); + + return; } catch (DocblockParseException $e) { IssueBuffer::maybeAdd( new InvalidDocblock( @@ -648,6 +649,8 @@ private static function analyzeDocComment( new CodeLocation($statements_analyzer->getSource(), $assign_var), ), ); + + return; } foreach ($var_comments as $var_comment) { @@ -784,8 +787,8 @@ public static function assignTypeFromVarDocblock( } /** - * @param array $removed_taints - * @param array $added_taints + * @param list $removed_taints + * @param list $added_taints */ private static function taintAssignment( Union &$type, @@ -1697,7 +1700,6 @@ private static function analyzeAssignmentToVariable( Union $assign_value_type, ?string $var_id, Context $context, - array $removed_taints, ): void { if (is_string($assign_var->name)) { if ($var_id) { @@ -1770,7 +1772,6 @@ private static function analyzeAssignmentToVariable( } } - if (isset($context->references_possibly_from_confusing_scope[$var_id])) { IssueBuffer::maybeAdd( new ReferenceReusedFromConfusingScope( @@ -1872,7 +1873,7 @@ private static function analyzeVariableUse( } /** - * @var array $removed_taints + * @param list $removed_taints */ private static function analyzeAssignValueDataFlow( StatementsAnalyzer $statements_analyzer, diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php index e03cb6fa7a5..ae51eb7fd9e 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/AtomicPropertyFetchAnalyzer.php @@ -984,7 +984,7 @@ public static function processUnspecialTaints( $type = $type->setParentNodes([$localized_property_node->id => $localized_property_node], true); - $taints = array_diff($added_taints, $removed_taints); + $taints = array_diff($added_taints ?? [], $removed_taints ?? []); if ($taints !== [] && $statements_analyzer->data_flow_graph instanceof TaintFlowGraph) { $taint_source = TaintSource::fromNode($localized_property_node); $taint_source->taints = $taints; From 9c4891078a69fffaef4000fbfb1cef14db91cae4 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 9 Feb 2025 17:09:30 +0100 Subject: [PATCH 28/29] style: remove unused docblock --- .../Analyzer/Statements/Expression/AssignmentAnalyzer.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index c2c0210c6ef..390ce77d1a8 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -1689,9 +1689,6 @@ private static function analyzePropertyAssignment( } } - /** - * @param list $removed_taints - */ private static function analyzeAssignmentToVariable( StatementsAnalyzer $statements_analyzer, Codebase $codebase, From 1d6e52506ba4c002b704977fe74eb10d1193b452 Mon Sep 17 00:00:00 2001 From: Patrick Remy Date: Sun, 9 Feb 2025 17:21:10 +0100 Subject: [PATCH 29/29] fix: pass var docblock comments by ref After extracting into seperate method, var_comments weren't overriden. --- .../Analyzer/Statements/Expression/AssignmentAnalyzer.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php index 390ce77d1a8..291d95edea7 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/AssignmentAnalyzer.php @@ -162,6 +162,7 @@ public static function analyze( $var_id, $assign_value_type, $doc_comment, + $var_comments, $comment_type, $comment_type_location, $not_ignored_docblock_var_ids, @@ -596,6 +597,7 @@ private static function analyzeAssignment( } /** + * @param list $var_comments * @param list $removed_taints */ private static function analyzeDocComment( @@ -606,6 +608,7 @@ private static function analyzeDocComment( ?string $var_id, ?Union $assign_value_type, ?Doc $doc_comment, + array &$var_comments, ?Union &$comment_type, ?DocblockTypeLocation &$comment_type_location, array $not_ignored_docblock_var_ids,