```php
<?php
$doc = new DOMDocument();
$doc->load('file.xml'); // I expect this to match, it doesn't
$doc->load($doc); // I expect this to match, it does
$something->load($doc); // This doesn't match, as expected.
```
I try to match calls to `DOMDocument::load`, with taint mode to track whether `$DOMDOCUMENT` is the result of a call to `new DOMDocument()`, in `$DOMDOCUMENT->load($FILENAME, ...)`. However, this doesn't seem to work properly. `$doc->load('file.xml')` doesn't match, even though `$doc` should be tainted here.
If the LHS of `->foo` was a sink, and we encountered `x->foo` where `x`
was a variable, we did not report a finding even if `x` was tainted. We
were not checking whether `x` was in a sink position.
Although they are not represented as such in the IL, variables are
themselves subexpressions, so we must check whether they are sinks or
sanitized.
Closes #4320
test plan:
make test # test included
https://semgrep.dev/s/sjord:domdocument_load
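A taint-mode rule of the shape the issue describes, added here as an illustration; it is not the rule behind the link above and not code from the Semgrep project. The rule id, the message and the `pattern-inside`/`pattern` split used for the sink are assumptions.

```yaml
rules:
  - id: domdocument-load-example   # hypothetical id
    mode: taint
    languages: [php]
    severity: WARNING
    message: load() called on an object created with new DOMDocument()
    # Source: the constructor call. Assigning its result to $doc taints $doc.
    pattern-sources:
      - pattern: new DOMDocument()
    # Sink: the receiver of ->load(...), i.e. the LHS of `->load`, not an argument.
    # In `$doc->load('file.xml')` the receiver is a bare variable, which is the
    # case the commit message says was skipped: the variable was tainted but was
    # never checked for being in a sink position.
    pattern-sinks:
      - patterns:
          - pattern-inside: $DOMDOCUMENT->load($FILENAME, ...)
          - pattern: $DOMDOCUMENT
    # Results reported in the issue for its three test lines:
    #   $doc->load('file.xml');   expected to match, did not before the fix
    #   $doc->load($doc);         matched
    #   $something->load($doc);   no match, as expected
```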