vimeo / psalm

A static analysis tool for finding errors in PHP applications
https://psalm.dev
MIT License

Taint detection should warn about output array of parse_str($input, $output) #4877

Open TysonAndre opened 3 years ago

TysonAndre commented 3 years ago

e.g. https://psalm.dev/r/51496088ed

https://www.php.net/parse_str

Parses string as if it were the query string passed via a URL and sets variables in the current scope (or in the array if result is provided).

It may also be dubious to call it with a single argument, but that seems out of scope for deprecated functionality that could be warned about elsewhere.

psalm-github-bot[bot] commented 3 years ago

I found these snippets:

https://psalm.dev/r/51496088ed
TysonAndre commented 3 years ago

https://psalm.dev/r/53c6e38378 - the return value of parse_url (which is often used with parse_str()) is also not checked - modifying src/Psalm/Internal/Provider/ReturnTypeProvider/ParseUrlReturnTypeProvider.php may make that possible

psalm-github-bot[bot] commented 3 years ago

I found these snippets:

https://psalm.dev/r/53c6e38378

```php
<?php
// $foo is not defined in the snippet as posted; it stands for an untrusted URL.
echo parse_url($foo, PHP_URL_QUERY);
```

```
Psalm output (using commit 3390097): No issues!
```
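The two flows raised in the thread, as an added PHP example (not code from the issue, the psalm.dev snippets, or the Psalm code base): `parse_str()` writing tainted query pairs into its by-reference output array, and `parse_url(..., PHP_URL_QUERY)` returning a substring of a tainted URL. In both cases the data reaches an `echo` sink unescaped, which is the taint Psalm should report. The function names, the constructed payloads, and the assumption that the caller passes attacker-controlled strings (in a real application these would come from `$_SERVER['QUERY_STRING']`, `$_GET`, or a request header, which Psalm already treats as taint sources) are mine; the hardened variants escape at the sink with `htmlspecialchars()`, which Psalm's taint analysis recognises as an HTML escape.

```php
<?php
// Added example, not from the Psalm issue or the Psalm code base.
// Inputs are constructed; in production they would be $_GET / $_SERVER values,
// which Psalm's taint analysis treats as sources. `echo` is an HTML sink.

/**
 * Flow 1 (issue #4877): parse_str() writes the parsed pairs into $params
 * by reference. Taint on $queryString should reach every element of $params,
 * so returning one of them unescaped into HTML is an XSS.
 * Note: since PHP 8.0 the second argument is mandatory, so the single-argument
 * "register globals" form mentioned in the issue no longer runs at all.
 */
function greetFromQueryString(string $queryString): string
{
    parse_str($queryString, $params);
    // $params['name'] is attacker-controlled; Psalm currently reports no issue here.
    $name = $params['name'] ?? 'guest';
    return '<p>Hello ' . (is_string($name) ? $name : 'guest') . '</p>';
}

/**
 * Flow 2 (follow-up comment): parse_url() with PHP_URL_QUERY returns a raw
 * substring of its input without decoding, so a tainted URL yields a tainted
 * query string.
 */
function queryOf(string $url): string
{
    $query = parse_url($url, PHP_URL_QUERY) ?: ''; // false/null on malformed URL
    return '<code>' . $query . '</code>';
}

/**
 * Hardened versions: escape at the sink. A `name[]=x` query turns $params['name']
 * into an array, so the type is checked before escaping.
 */
function greetFromQueryStringSafe(string $queryString): string
{
    parse_str($queryString, $params);
    $name = $params['name'] ?? 'guest';
    $name = is_string($name) ? $name : 'guest';
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

function queryOfSafe(string $url): string
{
    $query = parse_url($url, PHP_URL_QUERY);
    $query = is_string($query) ? $query : '';
    return '<code>' . htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</code>';
}

// Constructed attacker input for flow 1: percent-encoded so it survives a real
// query string, but parse_str() decodes it back into a live <script> tag.
$payload = 'name=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
echo greetFromQueryString($payload), "\n";     // <p>Hello <script>alert(1)</script></p>
echo greetFromQueryStringSafe($payload), "\n"; // <p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Constructed attacker input for flow 2: parse_url() does not decode, so the
// literal characters an attacker puts in the URL come straight back out.
$url = 'https://example.test/search?q=</code><script>alert(1)</script>';
echo queryOf($url), "\n";     // <code>q=</code><script>alert(1)</script></code>
echo queryOfSafe($url), "\n"; // <code>q=&lt;/code&gt;&lt;script&gt;...</code>
```

Running the file with `php` shows the unescaped variants emitting live script tags while the hardened ones emit inert entities; running Psalm with `--taint-analysis` over the same file shows why the issue matters, since neither unescaped flow is reported even though the source-to-sink path is only two statements long.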