psalm taint errors gelöst (#5991)

redaxo · Mar 5, 2024 · 5eb009b · 5eb009b
1 parent 9c23ca5
commit 5eb009b
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 31 deletions.
diff --git a/.tools/psalm/baseline-taint.xml b/.tools/psalm/baseline-taint.xml
@@ -1,21 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <files psalm-version="5.22.2@d768d914152dbbf3486c36398802f74e80cfde48">
-  <file src="redaxo/src/addons/backup/lib/backup.php">
-    <TaintedFile>
-      <code><![CDATA[$filename]]></code>
-      <code><![CDATA[$filename]]></code>
-    </TaintedFile>
-  </file>
-  <file src="redaxo/src/addons/backup/lib/compressor.php">
-    <TaintedFile>
-      <code><![CDATA[$source]]></code>
-    </TaintedFile>
-  </file>
-  <file src="redaxo/src/addons/cronjob/lib/cronjob.php">
-    <TaintedCallable>
-      <code><![CDATA[$class]]></code>
-    </TaintedCallable>
-  </file>
   <file src="redaxo/src/addons/structure/plugins/content/lib/article_action.php">
     <TaintedInclude>
       <code><![CDATA[rex_stream::factory('action/' . $articleId . '/' . $type, $action)]]></code>
@@ -104,14 +88,6 @@
       <code><![CDATA[$query]]></code>
     </TaintedSql>
   </file>
-  <file src="redaxo/src/core/lib/util/file.php">
-    <TaintedFile>
-      <code><![CDATA[$file]]></code>
-      <code><![CDATA[$file]]></code>
-      <code><![CDATA[$file]]></code>
-      <code><![CDATA[$file]]></code>
-    </TaintedFile>
-  </file>
   <file src="redaxo/src/core/lib/util/socket/socket.php">
     <TaintedCallable>
       <code><![CDATA[$data]]></code>

diff --git a/.tools/psalm/baseline.xml b/.tools/psalm/baseline.xml
@@ -226,9 +226,9 @@
       <code><![CDATA[$job['id']]]></code>
       <code><![CDATA[$job['interval']]]></code>
       <code><![CDATA[$job['name']]]></code>
-      <code><![CDATA[$job['type']]]></code>
       <code><![CDATA[$jobs[0]]]></code>
       <code><![CDATA[$jobs[0]['name']]]></code>
+      <code><![CDATA[$type]]></code>
     </ArgumentTypeCoercion>
     <InvalidArgument>
       <code><![CDATA[$job]]></code>
@@ -258,8 +258,8 @@
       <code><![CDATA[$job['id']]]></code>
       <code><![CDATA[$job['interval']]]></code>
       <code><![CDATA[$job['name']]]></code>
-      <code><![CDATA[$job['type']]]></code>
       <code><![CDATA[$jobs[0]['name']]]></code>
+      <code><![CDATA[$type]]></code>
     </PossiblyNullArgument>
   </file>
   <file src="redaxo/src/addons/cronjob/lib/types/phpcallback.php">

diff --git a/redaxo/src/addons/cronjob/lib/manager_sql.php b/redaxo/src/addons/cronjob/lib/manager_sql.php
@@ -198,8 +198,11 @@ public function check(?callable $callback = null)
                     continue;
                 }
 
+                /** @psalm-taint-escape callable */ // It is intended that the class name is coming from database
+                $type = $job['type'];
+
                 $manager = $this->getManager();
-                $manager->setCronjob(rex_cronjob::factory($job['type']));
+                $manager->setCronjob(rex_cronjob::factory($type));
                 $manager->log(false, 0 != connection_status() ? 'Timeout' : 'Unknown error');
                 $this->setNextTime($job['id'], $job['interval'], true);
             }

diff --git a/redaxo/src/core/lib/rex.php b/redaxo/src/core/lib/rex.php
@@ -122,6 +122,12 @@ public static function setProperty($key, $value)
                 if (null !== $value && !$value instanceof rex_console_application) {
                     throw new InvalidArgumentException(sprintf('"%s" property: expecting $value to be an instance of rex_console_application, "%s" found!', $key, get_debug_type($value)));
                 }
+                break;
+            case 'version':
+                if (!is_string($value) || !preg_match('/^\d+(?:\.\d+)*(?:-\w+)?$/', $value)) {
+                    throw new InvalidArgumentException('"' . $key . '" property: expecting $value to be a valid version string');
+                }
+                break;
         }
         $exists = isset(self::$properties[$key]);
         self::$properties[$key] = $value;
@@ -345,6 +351,9 @@ public static function getTable($table)
      * Returns the temp prefix.
      *
      * @return non-empty-string
+     *
+     * @phpstandba-inference-placeholder 'tmp_'
+     * @psalm-taint-escape sql
      */
     public static function getTempPrefix()
     {
@@ -473,6 +482,7 @@ public static function getErrorEmail()
      */
     public static function getVersion($format = null)
     {
+        /** @psalm-taint-escape file */
         $version = self::getProperty('version');
 
         if ($format) {

diff --git a/redaxo/src/core/lib/util/i18n.php b/redaxo/src/core/lib/util/i18n.php
@@ -29,7 +29,7 @@ class rex_i18n
     public static function setLocale($locale, $phpSetLocale = true)
     {
         $saveLocale = self::getLocale();
-        self::$locale = $locale;
+        self::$locale = self::validateLocale($locale);
 
         if (empty(self::$loaded[$locale])) {
             self::loadAll($locale);
@@ -66,7 +66,7 @@ public static function setLocale($locale, $phpSetLocale = true)
     public static function getLocale()
     {
         if (!self::$locale) {
-            self::$locale = rex::getProperty('lang');
+            self::$locale = self::validateLocale(rex::getProperty('lang'));
         }
 
         return self::$locale;
@@ -453,13 +453,13 @@ private static function loadAll($locale)
     /**
      * @param string $locale Locale
      *
-     * @return string the validated locale
+     * @return non-empty-string the validated locale
      *
      * @psalm-taint-escape file
      */
     private static function validateLocale(string $locale): string
     {
-        if (!preg_match('/^[a-z]{2}_[a-z]{2}$/', $locale)) {
+        if (!$locale || !preg_match('/^[a-z]{2}_[a-z]{2}$/', $locale)) {
             throw new rex_exception('Invalid locale "' . $locale . '"');
         }
         return $locale;