From 3bc06a8eabb667c8468b201b5aed434296e896b7 Mon Sep 17 00:00:00 2001 From: orklah Date: Thu, 25 Nov 2021 22:40:01 +0100 Subject: [PATCH 1/2] Taint can't transmit through numerics nor bool --- .../Analyzer/FunctionLikeAnalyzer.php | 63 ++++++++++--------- .../Expression/Call/ArgumentAnalyzer.php | 4 +- tests/TaintTest.php | 30 +++++++++ 3 files changed, 67 insertions(+), 30 deletions(-) diff --git a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php index 322d931889f..5cb60c249fa 100644 --- a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php @@ -1032,40 +1032,47 @@ private function processParams( if ($statements_analyzer->data_flow_graph && $function_param->location ) { - $param_assignment = DataFlowNode::getForAssignment( - '$' . $function_param->name, - $function_param->location - ); + if ($function_param->type === null + || !$function_param->type->isSingle() + || (!$function_param->type->isInt() + && !$function_param->type->isFloat() + && !$function_param->type->isBool()) + ) { + $param_assignment = DataFlowNode::getForAssignment( + '$' . $function_param->name, + $function_param->location + ); - $statements_analyzer->data_flow_graph->addNode($param_assignment); + $statements_analyzer->data_flow_graph->addNode($param_assignment); - if ($cased_method_id) { - $type_source = DataFlowNode::getForMethodArgument( - $cased_method_id, - $cased_method_id, - $offset, - $function_param->location, - null - ); + if ($cased_method_id) { + $type_source = DataFlowNode::getForMethodArgument( + $cased_method_id, + $cased_method_id, + $offset, + $function_param->location, + null + ); - $statements_analyzer->data_flow_graph->addPath($type_source, $param_assignment, 'param'); - } + $statements_analyzer->data_flow_graph->addPath($type_source, $param_assignment, 'param'); + } - if ($function_param->by_ref - && $codebase->find_unused_variables - ) { - $statements_analyzer->data_flow_graph->addPath( - $param_assignment, - new DataFlowNode('variable-use', 'variable use', null), - 'variable-use' - ); - } + if ($function_param->by_ref + && $codebase->find_unused_variables + ) { + $statements_analyzer->data_flow_graph->addPath( + $param_assignment, + new DataFlowNode('variable-use', 'variable use', null), + 'variable-use' + ); + } - if ($storage->variadic) { - $this->param_nodes += [$param_assignment->id => $param_assignment]; - } + if ($storage->variadic) { + $this->param_nodes += [$param_assignment->id => $param_assignment]; + } - $var_type->parent_nodes += [$param_assignment->id => $param_assignment]; + $var_type->parent_nodes += [$param_assignment->id => $param_assignment]; + } } $context->vars_in_scope['$' . $function_param->name] = $var_type; diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php index 3018183c3ec..078371ecc1a 100644 --- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php @@ -1505,10 +1505,10 @@ private static function processTaintedness( return $input_type; } - // numeric types can't be tainted + // numeric types can't be tainted, neither can bool if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph && $input_type->isSingle() - && ($input_type->isInt() || $input_type->isFloat()) + && ($input_type->isInt() || $input_type->isFloat() || $input_type->isBool()) ) { return $input_type; } diff --git a/tests/TaintTest.php b/tests/TaintTest.php index 97cb6084479..d78ac743da2 100644 --- a/tests/TaintTest.php +++ b/tests/TaintTest.php @@ -671,6 +671,36 @@ function takesArray(array $arr): void { $var = $input + 1; var_dump($var);' ], + 'NoTaintForIntTypeHintUsingAnnotatedSink' => [ + ' [ + ' Date: Thu, 25 Nov 2021 22:51:35 +0100 Subject: [PATCH 2/2] Taint can't transmit through numerics nor bool --- src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php index 5cb60c249fa..9e7bea61d38 100644 --- a/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php +++ b/src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php @@ -12,6 +12,7 @@ use Psalm\Internal\Analyzer\FunctionLike\ReturnTypeAnalyzer; use Psalm\Internal\Analyzer\FunctionLike\ReturnTypeCollector; use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer; +use Psalm\Internal\Codebase\TaintFlowGraph; use Psalm\Internal\DataFlow\DataFlowNode; use Psalm\Internal\FileManipulation\FunctionDocblockManipulator; use Psalm\Internal\Type\Comparator\TypeComparisonResult; @@ -1032,7 +1033,9 @@ private function processParams( if ($statements_analyzer->data_flow_graph && $function_param->location ) { - if ($function_param->type === null + //don't add to taint flow graph if the type can't transmit taints + if (!$statements_analyzer->data_flow_graph instanceof TaintFlowGraph + || $function_param->type === null || !$function_param->type->isSingle() || (!$function_param->type->isInt() && !$function_param->type->isFloat()