Taint flows through preg_replace_callback

vimeo · Jun 23, 2020 · f46236a · f46236a
1 parent f72b609
commit f46236a
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub b/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub
@@ -612,6 +612,17 @@ function str_replace($search, $replace, $subject, &$count = null) {}
  */
 function preg_replace($search, $replace, $subject, int $limit = -1, &$count = null) {}
 
+/**
+ * @param string|string[] $search
+ * @param callable(array<int, string>):string $replace
+ * @param string|array<string|int|float> $subject
+ * @param int $count
+ * @return ($subject is array ? array<string> : string)
+ *
+ * @psalm-flow ($subject) -> return
+ */
+function preg_replace_callback($search, $replace, $subject, int $limit = -1, &$count = null) {}
+
 /**
  * @psalm-pure
  *

diff --git a/tests/TaintTest.php b/tests/TaintTest.php
@@ -1749,4 +1749,30 @@ public static function slugify(string $url) : string {
 
         $this->analyzeFile('somefile.php', new Context());
     }
+
+    public function testTaintThroughPregReplaceCallback() : void
+    {
+        $this->expectException(\Psalm\Exception\CodeException::class);
+        $this->expectExceptionMessage('TaintedInput');
+
+        $this->project_analyzer->trackTaintedInputs();
+
+        $this->addFile(
+            'somefile.php',
+            '<?php
+                $a = $_GET["bad"];
+
+                $b = preg_replace_callback(
+                    \'/foo/\',
+                    function (array $matches) : string {
+                        return $matches[1];
+                    },
+                    $a
+                );
+
+                echo $b;'
+        );
+
+        $this->analyzeFile('somefile.php', new Context());
+    }
 }