filter_var() should return non empty string only when it will not be sanitized

src/Type/Php/FilterVarDynamicReturnTypeExtension.php

@@ -28,6 +28,11 @@
 class FilterVarDynamicReturnTypeExtension implements DynamicFunctionReturnTypeExtension
 {
 
+	/**
+	 * All validation filters match 0x100.
+	 */
+	private const VALIDATION_FILTER_BITMASK = 0x100;
+
 	private ReflectionProvider $reflectionProvider;
 
 	private ConstantStringType $flagsString;
@@ -66,6 +71,7 @@ private function getFilterTypeMap(): array
 			$this->getConstant('FILTER_SANITIZE_STRING') => $stringType,
 			$this->getConstant('FILTER_SANITIZE_URL') => $stringType,
 			$this->getConstant('FILTER_VALIDATE_BOOLEAN') => $booleanType,
+			$this->getConstant('FILTER_VALIDATE_DOMAIN') => $stringType,
 			$this->getConstant('FILTER_VALIDATE_EMAIL') => $stringType,
 			$this->getConstant('FILTER_VALIDATE_FLOAT') => $floatType,
 			$this->getConstant('FILTER_VALIDATE_INT') => $intType,
@@ -130,7 +136,9 @@ public function getTypeFromFunctionCall(
 			$type = $this->getFilterTypeMap()[$filterValue] ?? $mixedType;
 			$otherType = $this->getOtherType($flagsArg, $scope);
 
-			if ($inputType->isNonEmptyString()->yes()) {
+			if ($inputType->isNonEmptyString()->yes()
+				&& $type instanceof StringType
+				&& !$this->canStringBeSanitized($filterValue, $flagsArg, $scope)) {
 				$type = new IntersectionType([$type, new AccessoryNonEmptyStringType()]);
 			}
 
@@ -222,4 +230,22 @@ private function getFlagsValue(Type $exprType): Type
 		return $exprType->getOffsetValueType($this->flagsString);
 	}
 
+	private function canStringBeSanitized(int $filterValue, ?Node\Arg $flagsArg, Scope $scope): bool
+	{
+		// If it is a validation filter, the string will not be changed
+		if (($filterValue & self::VALIDATION_FILTER_BITMASK) !== 0) {
+			return false;
+		}
+
+		// FILTER_DEFAULT will not sanitize, unless it has FILTER_FLAG_STRIP_LOW,
+		// FILTER_FLAG_STRIP_HIGH, or FILTER_FLAG_STRIP_BACKTICK
+		if ($filterValue === $this->getConstant('FILTER_DEFAULT')) {
+			return $this->hasFlag($this->getConstant('FILTER_FLAG_STRIP_LOW'), $flagsArg, $scope)
+				|| $this->hasFlag($this->getConstant('FILTER_FLAG_STRIP_HIGH'), $flagsArg, $scope)
+				|| $this->hasFlag($this->getConstant('FILTER_FLAG_STRIP_BACKTICK'), $flagsArg, $scope);
+		}
+
+		return true;
+	}
+
 }

tests/PHPStan/Analyser/data/filter-var-returns-non-empty-string.php

@@ -14,11 +14,51 @@ public function run(string $str): void
 		$return = filter_var($str, FILTER_DEFAULT);
 		assertType('non-empty-string|false', $return);
 
-		$return = filter_var($str, FILTER_SANITIZE_STRING);
+		$return = filter_var($str, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW);
+		assertType('string|false', $return);
+
+		$return = filter_var($str, FILTER_DEFAULT, FILTER_FLAG_STRIP_HIGH);
+		assertType('string|false', $return);
+
+		$return = filter_var($str, FILTER_DEFAULT, FILTER_FLAG_STRIP_BACKTICK);
+		assertType('string|false', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_EMAIL);
 		assertType('non-empty-string|false', $return);
 
+		$return = filter_var($str, FILTER_VALIDATE_REGEXP);
+		assertType('non-empty-string|false', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_URL);
+		assertType('non-empty-string|false', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_URL, FILTER_NULL_ON_FAILURE);
+		assertType('non-empty-string|null', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_IP);
+		assertType('non-empty-string|false', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_MAC);
+		assertType('non-empty-string|false', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_DOMAIN);
+		assertType('non-empty-string|false', $return);
+
+		$return = filter_var($str, FILTER_SANITIZE_STRING);
+		assertType('string|false', $return);
+
+		$return = filter_var($str, FILTER_VALIDATE_INT);
+		assertType('int|false', $return);
+
 		$str2 = '';
 		$return = filter_var($str2, FILTER_DEFAULT);
 		assertType('string|false', $return);
+
+		$return = filter_var($str2, FILTER_VALIDATE_URL);
+		assertType('string|false', $return);
+
+		$str2 = 'foo';
+		$return = filter_var($str2, FILTER_VALIDATE_INT);
+		assertType('int|false', $return);
 	}
 }