Conditional taint escaping not considered

vimeo / psalm

A static analysis tool for finding errors in PHP applications

https://psalm.dev

MIT License

5.54k stars 659 forks source link

Open ohader opened 3 years ago

ohader commented 3 years ago

conditional @psalm-taint-escape not resolved correctly
when used in a chain first(args) -> process(args, cond), escaping is not considered

psalm-github-bot[bot] commented 3 years ago

I found these snippets:

https://psalm.dev/r/0d37034313

```php

https://psalm.dev/r/aad2907670

```php

orklah commented 2 years ago

psalm-github-bot[bot] commented 2 years ago

I found these snippets:

https://psalm.dev/r/4d29ff4c63

```php

ohader commented 2 years ago

Thanks for your feedback. The title of this issue should have contained "chained", since that's the criteria that did and does not work.

function first() invokes process() with same parameters
calling process() work perfectly well, as expected
when calling first() decision branch in call graph is not expanded to first()
I know, that's not a simple task, since analyzer would have to
- walk the call graph tree backwards
- identify the branching point (based on conditional taint declaration)
- and mark it

psalm-github-bot[bot] commented 2 years ago

I found these snippets:

https://psalm.dev/r/cea07586c6

```php

orklah commented 2 years ago

Oh I get it. I'll reopen since it's a valid issue but I doubt we'll have the resources to work on it unless a contributor is motivated :)