Skip to content
Permalink
Browse files

Follow taint to source when reporting

  • Loading branch information...
muglug committed Aug 20, 2019
1 parent 86e5e50 commit 9696fb8dceb4b87258cdde54e35644e1b3ab8fa4
Showing with 27 additions and 5 deletions.
  1. +24 −2 src/Psalm/Internal/Codebase/Taint.php
  2. +3 −3 tests/TaintTest.php
@@ -133,11 +133,22 @@ public function addSources(
}
if (($existing_sink = $this->hasExistingSink($source)) && $source->code_location) {
$root_source = $source;
while ($root_source->parents) {
$first_parent = reset($root_source->parents);
if (!$first_parent->code_location) {
break;
}
$root_source = $first_parent;
}
if (IssueBuffer::accepts(
new TaintedInput(
'in path ' . $this->getPredecessorPath($source)
. ' out path ' . $this->getSuccessorPath($existing_sink),
$source->code_location
$root_source->code_location ?: $source->code_location
),
$statements_analyzer->getSuppressedIssues()
)) {
@@ -162,11 +173,22 @@ public function addSinks(
}
if (($existing_source = $this->hasExistingSource($sink)) && $sink->code_location) {
$root_source = $existing_source;
while ($root_source->parents) {
$first_parent = reset($root_source->parents);
if (!$first_parent->code_location) {
break;
}
$root_source = $first_parent;
}
if (IssueBuffer::accepts(
new TaintedInput(
'in path ' . $this->getPredecessorPath($existing_source)
. ' out path ' . $this->getSuccessorPath($sink),
$sink->code_location
$root_source->code_location ?: $sink->code_location
),
$statements_analyzer->getSuppressedIssues()
)) {
@@ -239,7 +239,7 @@ public function exec(string $sql) : void {}
public function testTaintedInputFromParam()
{
$this->expectException(\Psalm\Exception\CodeException::class);
$this->expectExceptionMessage('TaintedInput - somefile.php:8:48 - in path $_GET (somefile.php:4) -> a::getuserid (somefile.php:3) out path a::getuserid (somefile.php:8) -> a::getappendeduserid (somefile.php:12) -> a::deleteuser#2 (somefile.php:16) -> pdo::exec#1 (somefile.php:17)');
$this->expectExceptionMessage('TaintedInput - somefile.php:4:41 - in path $_GET (somefile.php:4) -> a::getuserid (somefile.php:3) out path a::getuserid (somefile.php:8) -> a::getappendeduserid (somefile.php:12) -> a::deleteuser#2 (somefile.php:16) -> pdo::exec#1 (somefile.php:17)');
$this->project_analyzer->trackTaintedInputs();
@@ -376,7 +376,7 @@ public function deleteUser(PDO $pdo, string $userId) : void {
public function testTaintedInputToParamAlternatePath()
{
$this->expectException(\Psalm\Exception\CodeException::class);
$this->expectExceptionMessage('TaintedInput - somefile.php:7:29 - in path $_GET (somefile.php:7) -> a::getappendeduserid#1 (somefile.php:7) -> a::getappendeduserid (somefile.php:11) -> a::deleteuser#3 (somefile.php:7) out path a::deleteuser#3 (somefile.php:19) -> pdo::exec#1 (somefile.php:23)');
$this->expectExceptionMessage('TaintedInput - somefile.php:7:63 - in path $_GET (somefile.php:7) -> a::getappendeduserid#1 (somefile.php:7) -> a::getappendeduserid (somefile.php:11) -> a::deleteuser#3 (somefile.php:7) out path a::deleteuser#3 (somefile.php:19) -> pdo::exec#1 (somefile.php:23)');
$this->project_analyzer->trackTaintedInputs();
@@ -419,7 +419,7 @@ public function deleteUser(PDO $pdo, string $userId, string $userId2) : void {
public function testTaintedInParentLoader()
{
$this->expectException(\Psalm\Exception\CodeException::class);
$this->expectExceptionMessage('TaintedInput - somefile.php:23:48 - in path $_GET (somefile.php:28) -> c::foo#1 (somefile.php:28) out path c::foo#1 (somefile.php:23) -> agrandchild::loadfull#1 (somefile.php:6) -> a::loadpartial#1 (somefile.php:16) -> pdo::exec#1 (somefile.php:16)');
$this->expectExceptionMessage('TaintedInput - somefile.php:28:39 - in path $_GET (somefile.php:28) -> c::foo#1 (somefile.php:28) out path c::foo#1 (somefile.php:23) -> agrandchild::loadfull#1 (somefile.php:6) -> a::loadpartial#1 (somefile.php:16) -> pdo::exec#1 (somefile.php:16)');
$this->project_analyzer->trackTaintedInputs();

0 comments on commit 9696fb8

Please sign in to comment.
You can’t perform that action at this time.