Taint detection does not work for closure use references or reference params

vimeo / psalm

A static analysis tool for finding errors in PHP applications

https://psalm.dev

MIT License

5.57k stars 660 forks source link

Taint detection does not work for closure use references or reference params #3688

Open TysonAndre opened 4 years ago

TysonAndre commented 4 years ago

Expected: Possibly have a way to analyse flows as if the reference param was just passed by value Observed: No TaintedInput issue was emitted

Low priority since this is an unrealistic use of references to test taint detection

https://psalm.dev/r/80a6231940

psalm-github-bot[bot] commented 4 years ago

I found these snippets:

https://psalm.dev/r/80a6231940

```php

ohader commented 3 years ago

It looks like this is not detected for "plain" closures. https://psalm.dev/r/4028363b36

Don't know (yet) whether there are any other alternative to annotate those closures (evaluated during runtime). Thanks in advance for any pointer on this topic.

psalm-github-bot[bot] commented 3 years ago

I found these snippets:

https://psalm.dev/r/4028363b36

```php */ private $handlers = []; /** * @psalm-param \Closure $handler */ public function addHandler(\Closure $handler): void { $this->handlers[] = $handler; } public function handle(string $data): void { foreach ($this->handlers as $handler) { $handler($data); } } } $handler = function(string $data): void { exec($data); }; $pool = new HandlerPool(); $pool->addHandler($handler); $pool->handle((string)($_GET['inject'] ?? '')); ``` ``` Psalm output (using commit 39e61ae): No issues! ```