
Fix taint analysis of binary operations

muglug committed Jan 7, 2020
1 parent 8f3d325 commit 90d6b73fd8062432030ef39b7b6694b3902daa31
Showing with 24 additions and 26 deletions.
  1. +24 −26 src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
@@ -582,32 +582,6 @@ function ($c) {
}

$statements_analyzer->node_data->setType($stmt, $stmt_type);

$stmt_left_type = $statements_analyzer->node_data->getType($stmt->left);
$stmt_right_type = $statements_analyzer->node_data->getType($stmt->right);

if ($codebase->taint) {
$sources = [];
$either_tainted = 0;

if ($stmt_left_type) {
$sources = $stmt_left_type->sources ?: [];
$either_tainted = $stmt_left_type->tainted;
}

if ($stmt_right_type) {
$sources = array_merge($sources, $stmt_right_type->sources ?: []);
$either_tainted = $either_tainted | $stmt_right_type->tainted;
}

if ($sources) {
$stmt_type->sources = $sources;
}

if ($either_tainted) {
$stmt_type->tainted = $either_tainted;
}
}
} elseif ($stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce) {
$t_if_context = clone $context;

@@ -1889,6 +1863,7 @@ public static function analyzeConcatOp(
}
}
}

// When concatenating two known string literals (with only one possibility),
// put the concatenated string into $result_type
if ($left_type && $right_type && $left_type->isSingleStringLiteral() && $right_type->isSingleStringLiteral()) {
@@ -1910,5 +1885,28 @@ public static function analyzeConcatOp(
$result_type = new Type\Union([new Type\Atomic\TNonEmptyString()]);
}
}

if ($codebase->taint && $result_type) {
$sources = [];
$either_tainted = 0;

if ($left_type) {
$sources = $left_type->sources ?: [];
$either_tainted = $left_type->tainted;
}

if ($right_type) {
$sources = array_merge($sources, $right_type->sources ?: []);
$either_tainted = $either_tainted | $right_type->tainted;
}

if ($sources) {
$result_type->sources = $sources;
}

if ($either_tainted) {
$result_type->tainted = $either_tainted;
}
}
}
}
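Review bot: The `&& $result_type` guard on the taint block added at the end of `analyzeConcatOp` means operand taint is silently discarded whenever no result type was computed, which for a taint analysis is a false negative rather than a safe default. The earlier part of the function is outside these hunks, so I can't tell whether that path is reachable; if it is, give the result a type before this block, and if it isn't, record the reason in a comment such as `// $result_type cannot be null here because …`. Separately, the first hunk removes propagation from the generic binary-op branch, so in the visible code only concatenation now carries `sources`/`tainted` forward. That looks intentional for arithmetic and comparison results, but it deserves a one-line comment above the new block and a regression test covering a tainted concat and a tainted non-concat operand, since the commit changes only this file.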
