From f46236ad712a9d3275e7e9bf36dde09e9125a928 Mon Sep 17 00:00:00 2001
From: Brown
Date: Tue, 23 Jun 2020 15:28:31 -0400
Subject: [PATCH] Taint flows through preg_replace_callback
---
 .../Stubs/CoreGenericFunctions.phpstub | 11 ++++++++
 tests/TaintTest.php | 26 +++++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub b/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub
index 96927d31751..673e5967e46 100644
--- a/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub
+++ b/src/Psalm/Internal/Stubs/CoreGenericFunctions.phpstub
@@ -612,6 +612,17 @@ function str_replace($search, $replace, $subject, &$count = null) {}
 */
 function preg_replace($search, $replace, $subject, int $limit = -1, &$count = null) {}
+/**
+ * @param string|string[] $search
+ * @param callable(array):string $replace
+ * @param string|array $subject
+ * @param int $count
+ * @return ($subject is array ? array : string)
+ *
+ * @psalm-flow ($subject) -> return
+ */
+function preg_replace_callback($search, $replace, $subject, int $limit = -1, &$count = null) {}
+
 /**
 * @psalm-pure
 *
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index d3b0581568b..1015e1b29b8 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -1749,4 +1749,30 @@ public static function slugify(string $url) : string {
 $this->analyzeFile('somefile.php', new Context());
 }
+
+ public function testTaintThroughPregReplaceCallback() : void
+ {
+ $this->expectException(\Psalm\Exception\CodeException::class);
+ $this->expectExceptionMessage('TaintedInput');
+
+ $this->project_analyzer->trackTaintedInputs();
+
+ $this->addFile(
+ 'somefile.php',
+ 'analyzeFile('somefile.php', new Context());
+ }
 }
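Review bot: The `@psalm-flow ($subject) -> return` annotation on the new `preg_replace_callback` stub in CoreGenericFunctions.phpstub models only one of the paths by which data reaches the result. The string returned by the `$replace` callback is spliced into the return value as well, and the `$matches` array handed to the callback is derived from `$subject`, yet neither path is expressed here. Unless the analyzer tracks callable arguments and returns elsewhere (not visible in this hunk), a callback that returns request data, or one that passes its matches to a sink, would go unreported, so the limitation deserves a docblock line such as ` * Only $subject -> return is modelled; taint through the callback's argument and return value is not.` The docblock also documents `$count` as a plain `int` although it is the by-reference out-parameter, omits `$limit`, and the conditional `@return` leaves out the `null` that PHP returns on a PCRE error.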