-
Notifications
You must be signed in to change notification settings - Fork 653
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Psalm's taint analysis does not work for magic properties with no phpdoc declaration #3668
Comments
I found these snippets: https://psalm.dev/r/22857fa662<?php // --taint-analysis
// Adding an (at)property string $taint would make psalm properly warn about this.
class Magic {
private $_params = [];
public function __set(string $a, $value) {
$this->_params[$a] = $value;
}
public function __get(string $a) {
return $this->_params[$a];
}
}
$m = new Magic();
$m->taint = $_GET['input'];
echo $m->taint;
// There is no edge from Magic::$taint to echo. There's an edge from magic::__get to echo, though
|
<?php
class X {
private $params = [];
/** @return mixed */
public function __get(string $name) {
return $this->params[$name];
}
public function __set(string $name, $value): void {
$this->params[$name] = $value;
}
}
function test(X $a, X $b) {
$a->x = $_GET['unsafe'];
echo $b->y;
} I'd been hoping for a way to track taintedness of individual magic properties, even with an annotation or a stub class - here, it seems like $this->params is marked as tainted, so tainting a single property marks other properties as tainted. Would automatically creating entries for dynamic properties be possible through a plugin/config setting/annotation at runtime before the taintedness is added? Would that conflict with psalm's threading(multiprocessing) support? |
That might be what I want |
It's possible to do this in a plugin, basing it on tests/Config/Plugin/Hook/FooPropertyProvider.php, if the __get and __set are deliberately no-op stubs in a stub class /**
* @return ?bool
* @override
*/
public static function doesPropertyExist(
string $fq_classlike_name,
string $property_name,
bool $read_mode,
StatementsSource $source = null,
Context $context = null,
CodeLocation $code_location = null
) {
// Pretending all magic properties exist and are declared so that individual property names taintedness will be checked separately.
return true;
}
/**
* @return ?bool
* @override
*/
public static function isPropertyVisible(
StatementsSource $source,
string $fq_classlike_name,
string $property_name,
bool $read_mode,
Context $context = null,
CodeLocation $code_location = null
) {
return true;
}
/**
* @return ?Type\Union
* @override
*/
public static function getPropertyType(
string $fq_classlike_name,
string $property_name,
bool $read_mode,
StatementsSource $source = null,
Context $context = null
) {
return Type::getMixed();
} |
https://psalm.dev/r/22857fa662
Expected: If a property with name
foo
is set to an unsafe value, then psalm should warn about reads fromfoo
being tainted, but not properties with other names such asother
, whether or not there is an@property
tagObserved: No TaintedInput warning is emitted if the
@property
tag is absent. The example would also properly emit a warning if__get
/__set
are removedThe text was updated successfully, but these errors were encountered: