Numeric type hints and casts not considered in taint analysis

[ohader]

https://psalm.dev/r/8fa14c18fc

Related aspects:

• taint analysis: auto escape for int type hints #4872
• don't register taints for numeric variables #6813

[psalm-github-bot]

I found these snippets:

https://psalm.dev/r/8fa14c18fc

<?php // --taint-analysis
function main()
{
    $value = $_GET['value'];
    // using `(int)$_GET['value']` works, avoids "tainted SQL"
    $result = fetch($value);
}
// `int` type not considered, still "tainted SQL"
function fetch(int $id): string
{
    // `(int)` cast not considered, still "tainted SQL"
    return query('SELECT ... FROM ... WHERE id=' . (int)$id);
}
/**
 * @return string
 * @psalm-taint-sink sql $sql
 * @psalm-taint-specialize
 */
function query(string $sql) {}

Psalm output (using commit 55b2b6b):

ERROR: TaintedSql - 19:23 - Detected tainted SQL

[ohader]

I've just added some tests to reproduce this behavior in #6992:

• function fetch(int $id): string { return query("SELECT * FROM table WHERE id=" . $id); } fails
• function fetch($id): string { return query("SELECT * FROM table WHERE id=" . (int)$id); } works