diff --git a/.tools/psalm/baseline-taint.xml b/.tools/psalm/baseline-taint.xml
index ea6933aa29..c74bdfef1c 100644
--- a/.tools/psalm/baseline-taint.xml
+++ b/.tools/psalm/baseline-taint.xml
@@ -1,21 +1,5 @@ - - - - - - - - - - - - - - - -
@@ -104,14 +88,6 @@ - - - - - - - -
diff --git a/.tools/psalm/baseline.xml b/.tools/psalm/baseline.xml
index 925491b8c3..72a67af805 100644
--- a/.tools/psalm/baseline.xml
+++ b/.tools/psalm/baseline.xml
@@ -226,9 +226,9 @@ - +
@@ -258,8 +258,8 @@ - +
diff --git a/redaxo/src/addons/cronjob/lib/manager_sql.php b/redaxo/src/addons/cronjob/lib/manager_sql.php
index 8dd3c7ef85..9b183eeae0 100644
--- a/redaxo/src/addons/cronjob/lib/manager_sql.php
+++ b/redaxo/src/addons/cronjob/lib/manager_sql.php
@@ -198,8 +198,11 @@ public function check(?callable $callback = null)
 continue;
 }
 
+ /** @psalm-taint-escape callable */ // It is intended that the class name is coming from database
+ $type = $job['type'];
+
 $manager = $this->getManager();
- $manager->setCronjob(rex_cronjob::factory($job['type']));
+ $manager->setCronjob(rex_cronjob::factory($type));
 $manager->log(false, 0 != connection_status() ? 'Timeout' : 'Unknown error');
 $this->setNextTime($job['id'], $job['interval'], true);
 }
diff --git a/redaxo/src/core/lib/rex.php b/redaxo/src/core/lib/rex.php
index 62d96a52b6..4eb619a299 100644
--- a/redaxo/src/core/lib/rex.php
+++ b/redaxo/src/core/lib/rex.php
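Review bot: The `@psalm-taint-escape callable` on `$type` removes the finding without adding any check that the database value actually names a cronjob class; unless `rex_cronjob::factory()` verifies that itself (its body is not in the hunk), a stored row can still select an arbitrary class name for instantiation. A guard in front of the factory call, e.g. `if (!class_exists($type) || !is_subclass_of($type, rex_cronjob::class)) { /* log and skip */ }`, would turn the comment's claim into something enforced rather than declared. The explanation would also read more naturally as its own line inside the docblock than as a trailing `//` after the annotation. `check()` begins before this hunk.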
@@ -122,6 +122,12 @@ public static function setProperty($key, $value)
 if (null !== $value && !$value instanceof rex_console_application) {
 throw new InvalidArgumentException(sprintf('"%s" property: expecting $value to be an instance of rex_console_application, "%s" found!', $key, get_debug_type($value)));
 }
+ break;
+ case 'version':
+ if (!is_string($value) || !preg_match('/^\d+(?:\.\d+)*(?:-\w+)?$/', $value)) {
+ throw new InvalidArgumentException('"' . $key . '" property: expecting $value to be a valid version string');
+ }
+ break;
 }
 $exists = isset(self::$properties[$key]);
 self::$properties[$key] = $value;
@@ -345,6 +351,9 @@ public static function getTable($table)
 * Returns the temp prefix.
 *
 * @return non-empty-string
+ *
+ * @phpstandba-inference-placeholder 'tmp_'
+ * @psalm-taint-escape sql
 */
 public static function getTempPrefix()
 {
@@ -473,6 +482,7 @@ public static function getErrorEmail()
 */
 public static function getVersion($format = null)
 {
+ /** @psalm-taint-escape file */
 $version = self::getProperty('version');
 
 if ($format) {
diff --git a/redaxo/src/core/lib/util/i18n.php b/redaxo/src/core/lib/util/i18n.php
index b9531d0dec..87cf3a477a 100644
--- a/redaxo/src/core/lib/util/i18n.php
+++ b/redaxo/src/core/lib/util/i18n.php
@@ -29,7 +29,7 @@ class rex_i18n
 public static function setLocale($locale, $phpSetLocale = true)
 {
 $saveLocale = self::getLocale();
- self::$locale = $locale;
+ self::$locale = self::validateLocale($locale);
 
 if (empty(self::$loaded[$locale])) {
 self::loadAll($locale);
@@ -66,7 +66,7 @@ public static function setLocale($locale, $phpSetLocale = true)
 public static function getLocale()
 {
 if (!self::$locale) {
- self::$locale = rex::getProperty('lang');
+ self::$locale = self::validateLocale(rex::getProperty('lang'));
 }
 
 return self::$locale;
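Review bot: The new `'version'` pattern ends in `$`, which in PCRE also matches just before a trailing newline, so a value such as `"1.2.3\n"` passes `preg_match` and is then stored as a validated version that `getVersion()` later declares file-safe. Anchoring with the `D` modifier or `\z` closes that gap: `if (!is_string($value) || !preg_match('/^\d+(?:\.\d+)*(?:-\w+)?$/D', $value)) {`. The same `$` anchoring applies to `validateLocale()` in `redaxo/src/core/lib/util/i18n.php`, whose pattern `'/^[a-z]{2}_[a-z]{2}$/'` is the `file` taint escape for locales. For consistency with the sibling `console` case, the message could also use `sprintf('"%s" property: expecting $value to be a valid version string', $key)` instead of concatenation. `setProperty()` starts and ends outside this hunk.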
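Review bot: The docblock now asserts `@psalm-taint-escape sql` for `getTempPrefix()` but gives no reason, and the method body is outside the hunk, so a reader cannot see why the prefix may be embedded in SQL unescaped. If the prefix is a fixed value that never derives from request or database input, say so next to the annotation, e.g. ` * The prefix is a fixed literal (see @phpstandba-inference-placeholder), not request input, hence safe to embed in SQL identifiers.`; if that is not the case, the escape should be reconsidered rather than documented.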
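Review bot: The `/** @psalm-taint-escape file */` placed on `$version` is only sound because `setProperty()` now rejects any `'version'` value that does not match its version pattern, and nothing at this line says so. A one-line comment tying the two together keeps the next edit to `setProperty()` from silently invalidating the escape: `// safe for file paths: setProperty() validates 'version' against a strict pattern`. The rest of `getVersion()` continues below the hunk.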
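Review bot: `getLocale()` now passes `rex::getProperty('lang')` straight into `validateLocale(string $locale)`; if the `lang` property can be absent, `getProperty()` presumably returns `null`, and with `strict_types` that fails the `string` parameter with a `TypeError` rather than the `rex_exception` the validator is written to throw (without `strict_types` it is coerced to `''` and hits the new empty check). If the absent case is reachable, `self::$locale = self::validateLocale(rex::getProperty('lang') ?? '');` routes it through the validator's own error path. Whether `getProperty()` can return `null` here is not visible in the hunk and should be confirmed.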
@@ -453,13 +453,13 @@ private static function loadAll($locale)
 /**
 * @param string $locale Locale
 *
- * @return string the validated locale
+ * @return non-empty-string the validated locale
 *
 * @psalm-taint-escape file
 */
 private static function validateLocale(string $locale): string
 {
- if (!preg_match('/^[a-z]{2}_[a-z]{2}$/', $locale)) {
+ if (!$locale || !preg_match('/^[a-z]{2}_[a-z]{2}$/', $locale)) {
 throw new rex_exception('Invalid locale "' . $locale . '"');
 }
 return $locale;
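Review bot: `!$locale` tests truthiness, so it also treats the string `'0'` as empty; that is harmless here only because `'0'` fails the regex anyway, but the intent stated by the new `non-empty-string` return type is clearer as an explicit comparison: `if ('' === $locale || !preg_match('/^[a-z]{2}_[a-z]{2}$/', $locale)) {`. The regex's `$` anchoring still admits a trailing newline, which is raised on the `rex.php` `setProperty()` hunk together with the version pattern.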