Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

handle psalm false-positives #4062

Merged
merged 31 commits into from
Nov 20, 2020
Merged

handle psalm false-positives #4062

merged 31 commits into from
Nov 20, 2020

Conversation

staabm
Copy link
Member

@staabm staabm commented Nov 19, 2020
edited

@staabm staabm marked this pull request as ready for review November 19, 2020 07:59
@staabm staabm changed the title make psalm recognize that $filename is escaped for shell use make psalm recognize that $filename is escaped for shell use Nov 19, 2020
@staabm staabm changed the title make psalm recognize that $filename is escaped for shell use handle psalm false-positives Nov 19, 2020
@staabm staabm mentioned this pull request Nov 19, 2020
Merged
@staabm staabm mentioned this pull request Nov 19, 2020
Merged
@staabm @gharlan
Apply suggestions from code review
37626bf 
Co-authored-by: Gregor Harlan <mail@gh01.de>
@staabm staabm mentioned this pull request Nov 19, 2020
Merged
@staabm
Copy link
Member Author

staabm commented Nov 19, 2020

hier gehts weiter sobald die ganzen PRs die heute enstanden sind gemerged sind, da sich diese auf die psalm errors auswirken

LukasReschke
LukasReschke reviewed Nov 19, 2020
View reviewed changes
redaxo/src/addons/backup/pages/import.upload.php Outdated
} elseif (('delete' == $function || 'download' == $function) && '.sql' != substr($impname, -4, 4) && '.tar.gz' != substr($impname, -7, 7)) {
$impname = '';
}
/** @psalm-taint-escape text */
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@staabm - mind putting up a PR to psalm to move the text sinks into a file one? A generic one for read/write/delete is fine. - I can submit the documentation if that convinces you ;-)

Example on how to do so: vimeo/psalm#4604

Reason: This will break once I change it myself otherwise ;-)
Ref vimeo/psalm#4596

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LukasReschke I had a quick look around the codebase regarding your suggestion.

I am not sure, I could deliver a solution right now, with the knowledge I have of the psalm codebase

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@staabm np :-) - It's just a bit of boilerplate shifting around, but it could indeed be significantly better documented :)

Did so at vimeo/psalm#4630

@staabm staabm mentioned this pull request Nov 19, 2020
Closed
gharlan
gharlan reviewed Nov 20, 2020
View reviewed changes
redaxo/src/addons/backup/pages/export.php
@@ -43,6 +43,7 @@
// ------------------------------ FUNC EXPORT

$exportfilename = strtolower($exportfilename);
/** @psalm-taint-escape shell */
$filename = preg_replace('@[^\.a-z0-9_\-]@', '', $exportfilename);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wirklich nur shell? Ich meine, ich hätte gestern gestern in den Fehlern gesehen, dass die Variable am Ende auch in fopen landet. Und das sollte hierdurch ja eigentlich auch sicher sein, oder?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ich hab hier das "escaped" markiert, was psalm gemeckert hat.
ggf. hat sich das auch mit dem neuen release geändert

gharlan
gharlan reviewed Nov 20, 2020
View reviewed changes
redaxo/src/addons/metainfo/lib/handler/handler.php
@@ -686,8 +686,9 @@ protected function fireCallbacks(rex_sql $sqlFields)
$fieldType = $field->getValue('type_id');
$fieldAttributes = $field->getValue('attributes');
$fieldValue = self::getSaveValue($fieldName, $fieldType, $fieldAttributes);
$fieldId = (int) $field->getValue('id');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ich bin am überlegen, ob wir in rex_sql eine getIntValue-Methode aufnehmen sollten, da man ja sehr oft ints abfragt.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oder in getValue nen 2. parameter um den typ zu übergeben (analog rex_get() etc)

@staabm
Copy link
Member Author

staabm commented Nov 20, 2020

da wir jetzt eine taint baseline haben, würde ich hier mergen wollen - gezielt einzelne issues beheben kann man dann in separaten PRs weiter angehen.

@gharlan gharlan added the automerge Automatisch PR rebasen und mergen label Nov 20, 2020
@kodiakhq kodiakhq bot merged commit 84fbdd4 into master Nov 20, 2020
@kodiakhq kodiakhq bot deleted the fix-taints branch November 20, 2020 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gharlan gharlan gharlan left review comments

@LukasReschke LukasReschke LukasReschke left review comments

Assignees
No one assigned
Labels
automerge Automatisch PR rebasen und mergen
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@staabm @gharlan @LukasReschke