Open talarcin opened 2 months ago
Hey @talarcin, can you reproduce the issue on https://psalm.dev? These will be used as phpunit tests when implementing the feature or fixing this bug.
reproducer: https://psalm.dev/r/887f950099
Note that I commented the value you assigned into $_POST because otherwise Psalm can tell it's not tainted.
It does leave 2 unrecognized cases that are definitely bugs.
I found these snippets:
Hey,
I am currently testing out Psalm's taint analysis feature. While testing it on some WordPress Plugins with known vulnerabilities I've seen that depending on the way the _POST array is accessed and values from it are passed to a custom taint sink, taint warnings are not reported consistently. The following code example should visualize the inconsistency.
The `update_option` function is from WordPress and is writing options settings to the database. Psalm only detects the taint for `$recognized_value` and `$new_nested_array_recognized`. However, I would expect it to detect it for all five cases, since tainted HTML would be written to the database in each of them.
This is Psalm's output after running `psalm --taint-analysis`:
Is this defined behavior or is there something not correct or incomplete with how Psalm handles the taint flow in this example?
Best Regards, Tuncay