Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Taint detection does not work for encapsulated strings (echo "$unsafe";) #3655

Closed
TysonAndre opened this issue Jun 23, 2020 · 4 comments
Closed

Taint detection does not work for encapsulated strings (echo "$unsafe";) #3655

TysonAndre opened this issue Jun 23, 2020 · 4 comments
Labels
bug

Comments

@TysonAndre
Copy link
Contributor

TysonAndre commented Jun 23, 2020
edited

Observed: No TaintedInput is emitted, but it would be emitted if the quotes are removed
Expected: TaintedInput is emitted

$pdo->exec("select * from users where name='" . $name . "'") in https://psalm.dev/docs/security_analysis/ suggests taint detection already works for concatenation but not encapsulation

<?php

$unsafe = $_GET['unsafe'];
echo "$unsafe";
@TysonAndre
Copy link
Contributor Author

src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php analyze() seems relevant for the concat implementation.

src/Psalm/Internal/Analyzer/Statements/Expression/EncapsulatedStringAnalyzer.php is a candidate of where to add this taint tracking for encapsulated strings?

@muglug
Copy link
Collaborator

muglug commented Jun 23, 2020

just FYI you can reproduce in psalm.dev by having <?php // --taint-analysis at the top

@muglug muglug added the bug label Jun 23, 2020
TysonAndre added a commit to TysonAndre/psalm that referenced this issue Jun 23, 2020
@TysonAndre
Fix taint checking for encapsulated strings
6525240 
For vimeo#3655
@TysonAndre TysonAndre mentioned this issue Jun 23, 2020
Closed
@muglug muglug closed this as completed in 6a746b6 Jun 23, 2020
@weirdan
Copy link
Collaborator

weirdan commented Jun 23, 2020

just FYI you can reproduce in psalm.dev by having <?php // --taint-analysis at the top

Does it work for other switches / settings?

@muglug
Copy link
Collaborator

muglug commented Jun 23, 2020

That’s a negative (but feel free to add support for individual ones over at psalm.dev’s repo)

TysonAndre pushed a commit to TysonAndre/psalm that referenced this issue Jun 24, 2020
@muglug @TysonAndre
Fix vimeo#3655 - taint encapsulated strings
481adbf
TysonAndre pushed a commit to TysonAndre/psalm that referenced this issue Jun 29, 2020
@muglug @TysonAndre
Fix vimeo#3655 - taint encapsulated strings
741f3c4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@weirdan @TysonAndre @muglug