Support taint detection on Throwable::getTraceAsString() #3731

TysonAndre · 2020-07-01T18:43:18Z

And __toString(), which uses getTraceAsString().

function login($username, $password, $secret) {
    throw new RuntimeException('login failure');
}
try {
    login('user', $_GET['pass'], SECRET);
} catch (Exception $e) {
    // This output includes unescaped 'pass' and SECRET
    echo $e, "\n";
    echo $e->getTraceAsString();
}

muglug · 2020-07-01T22:11:46Z

src/Psalm/Internal/Stubs/CoreImmutableClasses.phpstub

     */
    public final function getTraceAsString() : string {}
+
+    /**
+     * @psalm-mutation-free


Mind removing this? It breaks some downstream packages

And `__toString()`, which uses getTraceAsString(). Fixes vimeo#3696 ```php function login($username, $password, $secret) { throw new RuntimeException('login failure'); } try { login('user', $_GET['pass'], SECRET); } catch (Exception $e) { // This output includes unescaped 'pass' and SECRET echo $e, "\n"; echo $e->getTraceAsString(); } ```

muglug · 2020-07-02T01:27:45Z

Thanks!

muglug reviewed Jul 1, 2020

View reviewed changes

TysonAndre force-pushed the taint-exception branch from 337eb8a to 9a40dc7 Compare July 1, 2020 22:24

TysonAndre force-pushed the taint-exception branch from 9a40dc7 to 11748ad Compare July 1, 2020 23:58

muglug merged commit e3d59bf into vimeo:master Jul 2, 2020

TysonAndre deleted the taint-exception branch September 6, 2021 17:32

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support taint detection on Throwable::getTraceAsString() #3731

Support taint detection on Throwable::getTraceAsString() #3731

TysonAndre commented Jul 1, 2020

muglug Jul 1, 2020

muglug commented Jul 2, 2020

Support taint detection on Throwable::getTraceAsString() #3731

Support taint detection on Throwable::getTraceAsString() #3731

Conversation

TysonAndre commented Jul 1, 2020

muglug Jul 1, 2020

Choose a reason for hiding this comment

muglug commented Jul 2, 2020