Describe the bug
When trying to reduce duplicate matches of #3742, by adding functions such as isset(...) as sanitizer, I noticed that some code was not detected as tainted.
For example: sink((isset($source) ? $source : 'b')); is detected, but the below is not.
To Reproduce
https://semgrep.dev/s/z9zZ
Expected behavior
The match should be detected
What is the priority of the bug to you?
P1: important to fix or quite annoying
Environment
Semgrep.dev & CLI 0.63.0 (installed on MacOSX via Homebrew)
Ha, I did not even pay attention to that one as it is not really an issue for me here ;D. In my everyday cases, having sink(sanitizer($source)); or sanitizer(sink($source)); is the same thing and safe, but I definitely understand that in some cases, such behaviour may not be desirable.
We probably need to support different kinds of sanitizers.
Regarding this issue, it seems related to a bug in the Generic-to-IL translation. Some colleagues wanted to get familiar with the taint-mode code so I'll give them some time to look into this issue. If they don't find time then I'll fix this myself next week.
I would love to have different kinds of sanitisers, as in the example above sanitizer(sink($source)); is not detected and that's a wanted behaviour in the case I was dealing with, but when the sink/source is a multi-line pattern, then semgrep reports it even though the sink goes through a sanitiser (however, that's the correct behaviour from what you mentioned).
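The source/sanitizer/sink setup this thread discusses, written up as an added example (not code from the issue or from the Semgrep project); the rule id, the $_GET[...] source and the sink()/sanitizer() function names are assumptions, and the expected results listed in the comments are the ones the thread reports:

```yaml
rules:
  - id: php-tainted-sink-isset-sanitizer   # hypothetical rule id
    languages: [php]
    severity: WARNING
    message: Untrusted input reaches sink() without passing through sanitizer()
    mode: taint
    pattern-sources:
      - pattern: $_GET[...]                # assumed source
    pattern-sanitizers:
      - pattern: sanitizer(...)            # assumed sanitizing function
      - pattern: isset(...)                # the sanitizer added in the issue
    pattern-sinks:
      - pattern: sink(...)                 # assumed sink

# Behaviour against the PHP cases discussed above (constructed test input):
#   $source = $_GET['q'];
#   sink($source);                          # finding: direct source-to-sink flow
#   sink(sanitizer($source));               # no finding: argument sanitized before the sink
#   sink(isset($source) ? $source : 'b');   # finding: isset(...) only covers its own argument,
#                                           #   the $source branch of the ternary is still tainted
#   sanitizer(sink($source));               # thread reports no finding, although PHP evaluates
#                                           #   the inner sink() call before sanitizer() runs
```

Run with `semgrep --config <rule-file> <php-file>`; the last case is the one the maintainer's remark about different kinds of sanitizers addresses, since a sanitizer that wraps a sink does not make the sink's argument safe.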