Possibility to detect taint in array keys

[ohader]

https://psalm.dev/r/e6853c1780

doTheMagic([(string)$_GET['injected'] => 'value']);

Array keys being composed by user-submitted content are not considered tainted.

[psalm-github-bot]

I found these snippets:

https://psalm.dev/r/e6853c1780

<?php // --taint-analysis
/**
 * @param array<string, string> $values
 * @psalm-taint-sink html $values
 */
function doTheMagic(array $values) {}

// detected
doTheMagic(['value' => (string)$_GET['injected']]);
// not detected
doTheMagic([(string)$_GET['injected'] => 'value']);

Psalm output (using commit efa9b13):

ERROR: TaintedHtml - 6:27 - Detected tainted HTML

[ohader]

I've spotted a bunch of array-related PRs (e.g. #5444), Sam @mortenson did you accidentally stumble over similar scenarios as well?

[mortenson]

@ohader No - I haven't seen this before, and didn't think of it when tweaking ArrayAnalyzer.

[ohader]

❤️ awesome, thx @muglug