
Add more Psalm flows for string functions #4576

Merged
merged 1 commit into vimeo:master from decoding-functions on Nov 16, 2020

Conversation

LukasReschke (Contributor)

This adds string functions from https://www.php.net/manual/en/ref.strings.php

This commit adds the flows for functions from "addcslashes" to "sprintf".

More are to follow in later commits, if that is deemed useful :)

Ref #3636

This adds string functions from
https://www.php.net/manual/en/ref.strings.php

This commit adds the flows for functions from "addcslashes" to "sprintf".
More are to follow in later commits.

Ref vimeo#3636
@muglug muglug merged commit 6780b01 into vimeo:master Nov 16, 2020
muglug (Collaborator) commented Nov 16, 2020

This is great, thanks!

@LukasReschke LukasReschke deleted the decoding-functions branch November 16, 2020 20:54
LukasReschke added a commit to LukasReschke/psalm that referenced this pull request Nov 17, 2020
LukasReschke added a commit to LukasReschke/psalm that referenced this pull request Nov 17, 2020
LukasReschke added a commit to LukasReschke/psalm that referenced this pull request Nov 17, 2020
thbley (Contributor) commented Nov 20, 2020

Using the new release 4.2, I get "Detected tainted header" using https://psalm.dev/r/21c22b8fb6

What is the best way to handle this?

psalm-github-bot

I found these snippets:

https://psalm.dev/r/21c22b8fb6
<?php // --taint-analysis

$test = (string) ($_POST['test'] ?? '');

header('Content-Disposition: attachment; filename="' . addslashes($test) . '"');
Psalm output (using commit ccf6e28):

ERROR: TaintedHeader - 5:8 - Detected tainted header

LukasReschke (Contributor, Author) commented Nov 20, 2020

@thomasbley You could create a new function that is marked as a sanitizer.

https://psalm.dev/r/5fb5ba744f

<?php // --taint-analysis

$test = (string) ($_POST['test'] ?? '');


/**
 * @psalm-taint-escape header
 */
function addFileNameToContentDisposition(string $fileName) : string {
    return addslashes($fileName);
}

header('Content-Disposition: attachment; filename="' . addFileNameToContentDisposition($test) . '"');
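An added example (not code from this PR or from Psalm itself; the function name and the "download" fallback are assumed) of what such a sanitizer can look like when its body actually removes the header-injection vector instead of only silencing the finding:

```php
<?php // --taint-analysis
declare(strict_types=1);

/**
 * Sanitizer for the filename parameter of a Content-Disposition header.
 * Added example; the function name is assumed, not taken from the PR.
 *
 * `@psalm-taint-escape header` only tells Psalm to treat the return value as
 * safe for the "header" sink. Psalm does not inspect the body, so the body has
 * to remove what makes header injection possible: CR and LF (and other control
 * characters), which addslashes() leaves untouched.
 *
 * @psalm-taint-escape header
 */
function sanitizeContentDispositionFilename(string $fileName): string
{
    // Strip ASCII control characters, including "\r" and "\n".
    $fileName = preg_replace('/[\x00-\x1F\x7F]/', '', $fileName) ?? '';

    // RFC 6266 quoted-string: only backslash and double quote need escaping.
    // Backslash is replaced first so the backslashes added for '"' are not
    // escaped a second time.
    $fileName = str_replace(['\\', '"'], ['\\\\', '\\"'], $fileName);

    // Never emit an empty filename parameter; "download" is an assumed default.
    return $fileName === '' ? 'download' : $fileName;
}

function contentDispositionHeader(string $fileName): string
{
    return 'Content-Disposition: attachment; filename="'
        . sanitizeContentDispositionFilename($fileName) . '"';
}

// Self-checks on constructed inputs: CRLF injection attempt, quotes, backslash.
assert(sanitizeContentDispositionFilename("a\r\nX-Injected: 1") === 'aX-Injected: 1');
assert(sanitizeContentDispositionFilename('say "hi"') === 'say \"hi\"');
assert(sanitizeContentDispositionFilename('a\\b') === 'a\\\\b');
assert(sanitizeContentDispositionFilename("\r\n") === 'download');

if (PHP_SAPI !== 'cli') {
    $test = (string) ($_POST['test'] ?? '');
    header(contentDispositionHeader($test));
}
```

PHP's header() itself refuses a value containing a newline, but the annotation makes Psalm trust the function unconditionally, so the function should not rely on that backstop.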

psalm-github-bot

I found these snippets:

https://psalm.dev/r/5fb5ba744f
Psalm output (using commit ccf6e28):

No issues!

LukasReschke added a commit to LukasReschke/psalm that referenced this pull request Nov 21, 2020
muglug added a commit that referenced this pull request Nov 21, 2020
* Add string functions from sscanf to wordwrap

This should conclude all string functions from https://www.php.net/manual/en/book.strings.php

Continuation of #4576

Ref #3636

* Add StrTrReturnTypeProvider

* Fix psalm error

* phpcs

* Line length

* Ignore false return on vsprintf

Co-authored-by: Matthew Brown <github@muglug.com>
danog pushed a commit to danog/psalm that referenced this pull request Jan 29, 2021
danog pushed a commit to danog/psalm that referenced this pull request Jan 29, 2021