Added event to prevent tainting. #5398
Review comment on src/Psalm/Internal/Analyzer/Statements/Expression/ArrayAnalyzer.php (outdated, resolved)
Ok, extra complication: I think this plugin should instead inform these two arguments (psalm/src/Psalm/Internal/Codebase/DataFlowGraph.php, lines 30 to 31 in dd4d970). It may be the case that you want to remove the

So instead of being a boolean I think it wants to provide two separate arrays of added and removed taints at every node it's used on. If both those arrays are empty there's no net effect.

I've updated the PR along those lines! The main benefit is it allows people to institute their own custom taints in a smarter fashion.

@muglug That looks good to me - the test I added still works as expected, so I think this would give me a path forward on the render array problem. Would you like me to rename the new test method and add this event dispatch to other analyzers? (If you have time to do this, don't wait on me though.)

That would be great!

@muglug StaticCallAnalyzer, AtomicPropertyFetchAnalyzer, and ArrayFetchAnalyzer didn't have access to Context, which is needed for this event; should I add $context as an optional parameter to the relevant public static methods on those classes? All other analyzers that used that

I did the above, feel free to clean up the new event invocations/calls as needed.

Thanks, this is a great effort

Thank you @muglug !
Per #5382 this PR adds a new event that allows plugins to prevent tainting in specific scenarios. I've also added an example plugin/test that shows how you can inspect the structure of an array to determine if it should be considered a taint source.
This is a WIP, so let me know if you want the event name or test changed - once that's decided I can dispatch the event from more analyzers if you'd like.
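An added example, not code from this PR, of a plugin hook in the shape the discussion settles on (separate lists of added and removed taints per node, both empty meaning no net effect): it strips taints from array literals built only from constant scalars and leaves every other node alone. The interface and event names (AddTaintsInterface, RemoveTaintsInterface, AddRemoveTaintsEvent, getExpr()) are assumed from Psalm's plugin API rather than taken from this page, and the taint kind list is an illustrative subset.

```php
<?php
// Hypothetical plugin hook; interface and event names are assumed, not taken from this PR.
use PhpParser\Node;
use PhpParser\Node\Expr;
use PhpParser\Node\Scalar;
use Psalm\Plugin\EventHandler\AddTaintsInterface;
use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent;
use Psalm\Plugin\EventHandler\RemoveTaintsInterface;
// An array literal built only from constant scalars cannot carry user input, so taints it
// inherited are removed; every other node gets empty add/remove lists, i.e. no net effect.
final class ConstantArrayUntainter implements AddTaintsInterface, RemoveTaintsInterface
{
    /** @return list<string> taint kinds to add: none for this rule */
    public static function addTaints(AddRemoveTaintsEvent $event): array
    {
        return [];
    }

    /** @return list<string> taint kinds to remove at this node */
    public static function removeTaints(AddRemoveTaintsEvent $event): array
    {
        $expr = $event->getExpr();
        if ($expr instanceof Expr\Array_ && self::isConstantArray($expr)) {
            return ['html', 'sql', 'shell', 'ssrf', 'file']; // illustrative subset of Psalm's input taint kinds
        }
        return [];
    }

    /** True when every key and value, recursively, is a literal scalar or a constant. */
    public static function isConstantArray(Expr\Array_ $array): bool
    {
        foreach ($array->items as $item) {
            // A skipped list slot, a by-ref item or ...$spread means the structure is not static.
            if ($item === null || $item->byRef || $item->unpack) {
                return false;
            }
            if (($item->key !== null && !self::isConstant($item->key)) || !self::isConstant($item->value)) {
                return false;
            }
        }
        return true;
    }

    private static function isConstant(Node $node): bool
    {
        return $node instanceof Scalar\String_ || $node instanceof Scalar\LNumber
            || $node instanceof Scalar\DNumber || $node instanceof Expr\ConstFetch // true/false/null, named constants
            || ($node instanceof Expr\Array_ && self::isConstantArray($node));
    }
}
```

Registering the class as a plugin hook follows Psalm's normal plugin registration; the structural check is the part that matters here, since it decides taint removal from the AST shape alone rather than from a boolean flag.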