vimeo / psalm

A static analysis tool for finding errors in PHP applications
https://psalm.dev
MIT License

Idea: Add option to mark other filesystem functions as taint sinks #3761

Open TysonAndre opened 4 years ago

TysonAndre commented 4 years ago

Currently, file_get_contents and file_put_contents are marked as sinks, but others also read files (e.g. https://www.php.net/readfile)

https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1 may matter if projects are used with code that accepts uploads in guessable paths, but would not matter if there are no allowed uploads or PHP is compiled without phar in the target environment.

Here is a list of filesystem functions that trigger phar deserialization:

copy                file_exists         file_get_contents   file_put_contents   
file                fileatime           filectime           filegroup           
fileinode           filemtime           fileowner           fileperms           
filesize            filetype            fopen               is_dir              
is_executable       is_file             is_link             is_readable         
is_writable         lstat               mkdir               parse_ini_file      
readfile            rename              rmdir               stat                
touch               unlink              

I'm not sure if that's complete. For example, other functions also read file contents:

```
php > var_export(md5_file('https://www.google.com'));
'82455db7a026874129b223e5b670158c'
```

There are also some of psalm's file I/O functions, such as unlink()/symlink(), that matter for other reasons.
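One way to get the functions in the list above treated as sinks today, using Psalm's existing stub and `@psalm-taint-sink` mechanism, as an added example that is not part of this issue or of Psalm's own stubs. It assumes the stub file is registered in psalm.xml under `<stubs><file name="taint-sinks.phpstub"/></stubs>` and that a user stub may add docblock annotations to these built-in functions; the file name and the selection of functions are illustrative.

```php
<?php
// Added example stub (not Psalm's code and not from this issue): marks
// filesystem functions from the list in the comment above as `file` taint
// sinks, so `vendor/bin/psalm --taint-analysis` reports TaintedFile when
// request data reaches one of them. Psalm only parses this file; PHP never
// includes it, so the bodies stay empty and redeclaring built-ins is fine.
//
// Assumptions: registered in psalm.xml as
//   <stubs><file name="taint-sinks.phpstub"/></stubs>
// and user stubs are allowed to annotate these built-ins.

/** @psalm-taint-sink file $filename */
function file_exists(string $filename): bool {}

/** @psalm-taint-sink file $filename */
function is_file(string $filename): bool {}

/** @psalm-taint-sink file $filename */
function is_dir(string $filename): bool {}

/** @psalm-taint-sink file $filename */
function filesize(string $filename): int|false {}

/** @psalm-taint-sink file $filename */
function stat(string $filename): array|false {}

/** @psalm-taint-sink file $filename */
function readfile(string $filename, bool $use_include_path = false, $context = null): int|false {}

/** @psalm-taint-sink file $filename */
function unlink(string $filename, $context = null): bool {}

/**
 * Both arguments are paths and either one can carry a stream wrapper
 * such as phar://, so both are marked as sinks.
 *
 * @psalm-taint-sink file $from
 * @psalm-taint-sink file $to
 */
function copy(string $from, string $to, $context = null): bool {}

/**
 * Not in the list above, but it opens the path the same way (see the
 * md5_file('https://...') call in the comment), so it is marked too.
 *
 * @psalm-taint-sink file $filename
 */
function md5_file(string $filename, bool $binary = false): string|false {}
```

With this stub loaded, code such as `readfile($_GET['f']);` is reported as TaintedFile under `--taint-analysis`, while a path that first passes through a function annotated with `@psalm-taint-escape file` (for example, one that resolves it under a fixed base directory and rejects anything containing `://`) is not.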

psalm-github-bot[bot] commented 4 years ago

Hey @TysonAndre, can you reproduce the issue on https://psalm.dev ?