This batch of improvements includes: - Remove a pointless PRESERVE_TAINT flag. That was probably a leftover from some experiment, and it has no effect because non-Nodes cannot have PRESERVE_TAINT; - Improve naming a bit in visitEcho - Rewrite the visitNew part: the previous one was pretty flaky, and failed e.g. for 'parent' and 'static', plus it was unnecessarily long. This new version is a bit clearer, although it still doesn't work properly with 'new static'. I suspect this is an upstream problem, phan/phan#2718. Depends-On: I2a17ad292c61c5712a68729bc085a73de4ddb31d Change-Id: Id814de479e165261b867d652fad9870cf8c90403
1 parent
ef1dcea
commit 4281d0a
Showing
5 changed files
with
117 additions
and
47 deletions.
@@ -0,0 +1,2 @@ | ||
integration/constructors/test.php:50 SecurityCheck-XSS Calling method \Bad::printArg() in [no method] that outputs using tainted argument $unsafe. (Caused by: integration/constructors/test.php +27) (Caused by: integration/constructors/test.php +43) | ||
integration/constructors/test.php:62 SecurityCheck-XSS Echoing expression that was not html escaped (Caused by: integration/constructors/test.php +35) |
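--- a/integration/constructors/test.php
+++ b/integration/constructors/test.php
@@ -0,0 +1,63 @@
+<?php
+
+class Good {
+public static function getMyInstance() {
+return new self;
+}
+public static function getStaticInstance() {
+return new static;
+}
+
+public function printArg( $arg ) {
+echo htmlspecialchars( $arg );
+}
+public function __toString() : string {
+return 'safe';
+}
+}
+class Bad extends Good {
+public static function getMyInstance() {
+return new self;
+}
+public static function getParent() {
+return new parent;
+}
+
+public function printArg( $arg ) {
+echo $arg;
+}
+public function __toString() : string {
+return $_GET['unsafe'];
+}
+}
+
+$a1 = Good::getMyInstance();
+$b1 = Bad::getMyInstance();
+
+$a2 = Good::getStaticInstance();
+$b2 = Bad::getStaticInstance();
+
+$a3 = Bad::getParent();
+
+$safe = 'foobar';
+$unsafe = $_GET['foobar'];
+
+// phpcs:disable Generic.Files.LineLength
+// Calls on $a* are always safe, calls on $b* depend on the param
+$a1->printArg( $safe );
+$a1->printArg( $unsafe );
+$b1->printArg( $safe );
+$b1->printArg( $unsafe ); // Unsafe
+$a2->printArg( $safe );
+$a2->printArg( $unsafe );
+$b2->printArg( $safe );
+$b2->printArg( $unsafe ); // NOTE This is unsafe but isn't reported due to wrong type being inferred for $b2, https://github.com/phan/phan/issues/2718
+$a3->printArg( $safe );
+$a3->printArg( $unsafe );
+
+// The __toString method is only safe for $a*
+echo $a1;
+echo $a2;
+echo $a3;
+echo $b1;
+echo $b2; // NOTE This is unsafe but isn't reported due to wrong type being inferred for $b2, https://github.com/phan/phan/issues/2718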
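Review bot: The fixture opens with no comment saying what it exercises, so the only explanation of the `$b2` gaps is the inline reference to phan/phan#2718, and nothing states why `$a3` (built with `new parent` from `Bad`) is expected to resolve to `Good` and be safe. A header comment after the `<?php` line would cover it, e.g. `// Taint propagation through 'new self', 'new static' and 'new parent': $a* resolve to Good (escaping printArg/__toString), $b* to Bad. The $b2 cases are known false negatives until phan/phan#2718 is fixed.` Once that upstream issue is resolved the expected-results file will presumably start to differ on the two `$b2` lines without any test code changing, so it helps to say in the fixture itself that those two missing reports are the known gap rather than leaving that only in the results file.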
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
integration/listassign/test.php:13 SecurityCheck-XSS Calling method \foo() in [no method] that outputs using tainted argument $unsafe. (Caused by: integration/listassign/test.php +5) (Caused by: integration/listassign/test.php +9) | ||
integration/listassign/test.php:14 SecurityCheck-XSS Calling method \foo() in [no method] that outputs using tainted argument $mixed. (Caused by: integration/listassign/test.php +5) (Caused by: integration/listassign/test.php +10) | ||
integration/listassign/test.php:19 SecurityCheck-XSS Echoing expression that was not html escaped (Caused by: integration/listassign/test.php +16; integration/listassign/test.php +10) | ||
integration/listassign/test.php:20 SecurityCheck-XSS Echoing expression that was not html escaped (Caused by: integration/listassign/test.php +16; integration/listassign/test.php +10) |
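--- a/integration/listassign/test.php
+++ b/integration/listassign/test.php
@@ -0,0 +1,20 @@
+<?php
+
+function foo( array $arr ) {
+list( $a, $b ) = $arr;
+echo "$a and $b";
+}
+
+$safe = [ 'foo', 'bar' ];
+$unsafe = [ $_GET['Good'], $_GET['b'] ];
+$mixed = [ 'foo', $_GET['Good'] ];
+
+foo( $safe );
+foo( $unsafe );
+foo( $mixed );
+
+list( $safe, $unsafe ) = $mixed;
+
+// This is safe, but is not reported as such because array elements share taintedness
+echo $safe;
+echo $unsafe;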
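Review bot: The comment "This is safe, but is not reported as such" sits above both `echo $safe;` and `echo $unsafe;`, yet only the first is a false positive — `$unsafe` receives `$_GET['Good']` from `list( $safe, $unsafe ) = $mixed;`, so the second report in the expected output is a true positive. Rewording it to cover both lines avoids a reader treating both reports as checker noise: `// echo $safe is a false positive: after list() from $mixed every element carries the array's taint; echo $unsafe is a true positive.` The `$_GET['Good']` key also looks like a leftover from another fixture; it is harmless, but `$_GET['a']` would pair naturally with `$_GET['b']`.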