Taint analysis: allow marking properties as taint sources?

[Ocramius]

I've snooped around taint analysis, which I found to be useful in very legacy projects that heavily on superglobals like $_GET, $_SESSION, etc.

In more recent / modern projects:

• most DB interactions are hidden behind a DAO / ORM that operates with a Id<T> -> object<T> API (think Doctrine ORM), where record/entity objects hold user data
• most fields that hold input data are on objects with public readonly fields

The current taint analysis only operates with taint sources being function-alike nodes:

• https://github.com/vimeo/psalm/blob/7d6c88e88a55cf04af4d6932cfb906d15ac2fe23/tests/TaintTest.php#L792
• https://github.com/vimeo/psalm/blob/7d6c88e88a55cf04af4d6932cfb906d15ac2fe23/src/Psalm/Internal/PhpVisitor/Reflector/FunctionLikeDocblockParser.php#L237

I'm wondering if it makes sense to allow object properties to be marked as taint sources.

[psalm-github-bot[bot]]

Hey @Ocramius, can you reproduce the issue on https://psalm.dev? These will be used as phpunit tests when implementing the feature or fixing this bug.

[Ocramius]

Seems like this is achievable via custom taint sources:

https://github.com/vimeo/psalm/blob/7d6c88e88a55cf04af4d6932cfb906d15ac2fe23/docs/security_analysis/custom_taint_sources.md#L19-L74