vimeo / psalm

A static analysis tool for finding errors in PHP applications
https://psalm.dev
MIT License
5.54k stars, 660 forks

Possibility mark all public method parameters of a class as taint source #5186

Open ArtemGoutsoul opened 3 years ago

ArtemGoutsoul commented 3 years ago

Use case: a method is exposed as an API endpoint, i.e. all params are input taint sources.

Example suggestion:

```php
/**
 * @psalm-taint-source input
 **/
class ApiEndpoints extends Some_Api_Abstract
{
    public function endPointA($param1, $param2) {}
    public function endPointB($param2, $param3) {}
    public function endPointC($param4, $param5) {}
}
```

This would be equivalent to marking each individual method.

Would be even better if one could mark Some_Api_Abstract as a taint source, and all child class method parameters would become taint sources.

psalm-github-bot[bot] commented 3 years ago

Hey @ArtemGoutsoul, can you reproduce the issue on https://psalm.dev ?

ohader commented 3 years ago

https://psalm.dev/r/fceb4efe6b

psalm-github-bot[bot] commented 3 years ago

I found these snippets:

https://psalm.dev/r/fceb4efe6b

```php
endPointA('a', 'b'));
```

```
Psalm output (using commit 40bc7cf): No issues!
```

ArtemGoutsoul commented 1 year ago

I could try to write a custom plugin, but so far I was not able to find a way to start.

One could take a few approaches:

So far I checked the following:

Should one create a class implementing \Psalm\Plugin\EventHandler\MethodParamsProviderInterface ?

Would anyone have a closer example or some more hints?

Thank you!

orklah commented 1 year ago

I'd try to use one of those two plugin interfaces:

The first one will probably be simpler, but I think there's one disadvantage with the first: it's called before the cache is created (so whatever the plugin does will end up cached). That means your plugin won't be able to change things between runs that use the cache (but it may not be an issue if you just want to add taints to every method).

orklah commented 1 year ago

Seems like https://github.com/2e3s/psalm/blob/f70b375da3a06346d21bef8950753810b640dbb9/src/Psalm/Internal/Provider/AddRemoveTaints/HtmlFunctionTainter.php#L19 is a better example on how to add taints.
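The following is an added example, written for this thread and not code from Psalm or from anyone in it, showing what the plugin route discussed above could look like for the original request: every parameter of every public method on a subclass of `Some_Api_Abstract` (the base class named in the issue) is reported to Psalm's taint analysis as an `input` source. It implements `Psalm\Plugin\EventHandler\AddTaintsInterface`, the same hook the `HtmlFunctionTainter` link uses, and is registered through a `PluginEntryPointInterface`. The namespace `Acme\PsalmPlugin` and the class names are hypothetical. It relies on Psalm's `AddRemoveTaintsEvent` accessors (`getExpr`, `getContext`, `getCodebase`), `Context::$self` / `Context::$calling_method_id`, `Codebase::classExtends`, `Methods::getStorage`, and `TaintKindGroup::ALL_INPUT` as found in Psalm 4/5; `MethodIdentifier` and `ClassLikeAnalyzer` live under `Psalm\Internal`, which is an assumption worth re-checking against the Psalm version in use, since internal classes carry no compatibility promise.

```php
<?php

declare(strict_types=1);

// Hypothetical namespace for this added example; not part of Psalm or the issue.
namespace Acme\PsalmPlugin;

use PhpParser\Node\Expr\Variable;
use Psalm\Internal\Analyzer\ClassLikeAnalyzer;
use Psalm\Internal\MethodIdentifier;
use Psalm\Plugin\EventHandler\AddTaintsInterface;
use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent;
use Psalm\Plugin\PluginEntryPointInterface;
use Psalm\Plugin\RegistrationInterface;
use Psalm\Type\TaintKindGroup;
use SimpleXMLElement;

/**
 * Treats every parameter of every public method declared on a subclass of
 * Some_Api_Abstract as an "input" taint source, so Psalm follows $param1,
 * $param2, ... from an endpoint method into sinks such as SQL or shell calls.
 */
final class EndpointParamsAreTainted implements AddTaintsInterface
{
    /** Base class whose children are API endpoints; name taken from the issue. */
    private const ENDPOINT_BASE_CLASS = 'Some_Api_Abstract';

    /**
     * Psalm calls this for every analysed expression and adds the returned
     * taint kinds to it. An empty array means "nothing extra".
     *
     * @return list<string>
     */
    public static function addTaints(AddRemoveTaintsEvent $event): array
    {
        $expr = $event->getExpr();

        // Only plain variable reads such as $param1 are of interest here.
        if (!$expr instanceof Variable || !is_string($expr->name)) {
            return [];
        }

        $context  = $event->getContext();
        $codebase = $event->getCodebase();

        // Must be inside a method of a class that extends the endpoint base.
        if ($context->self === null || $context->calling_method_id === null) {
            return [];
        }
        if (!$codebase->classExtends($context->self, self::ENDPOINT_BASE_CLASS)) {
            return [];
        }

        // Fetch the enclosing method's storage for its visibility and parameters.
        $method_id = MethodIdentifier::wrap($context->calling_method_id);
        $storage   = $codebase->methods->getStorage($method_id);

        if ($storage->visibility !== ClassLikeAnalyzer::VISIBILITY_PUBLIC) {
            return [];
        }

        // Taint the read only if the variable is one of this method's parameters.
        foreach ($storage->params as $param) {
            if ($param->name === $expr->name) {
                // Same set "@psalm-taint-source input" expands to: html, sql, shell, ...
                return TaintKindGroup::ALL_INPUT;
            }
        }

        return [];
    }
}

/**
 * Entry point to reference from psalm.xml:
 *   <plugins><pluginClass class="Acme\PsalmPlugin\Plugin"/></plugins>
 */
final class Plugin implements PluginEntryPointInterface
{
    public function __invoke(RegistrationInterface $registration, ?SimpleXMLElement $config = null): void
    {
        // In a real plugin the hook class lives in its own file and must be
        // loaded (autoload or require_once) before registration.
        $registration->registerHooksFromClass(EndpointParamsAreTainted::class);
    }
}
```

Run Psalm with `--taint-analysis` for the hook to have any effect; without the taint flow graph the returned kinds are ignored. The taint is attached at each read of the parameter variable rather than at the declaration, which is enough for the flow to reach sinks such as `shell_exec` or an SQL query, and it leaves local variables with the same name in unrelated methods untouched because the lookup goes through the enclosing method's own parameter list.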