Closed AirSkye closed 1 year ago
Hey @AirSkye, can you reproduce the issue on https://psalm.dev ?
Well this should work. At least it does when I make a snippet without CodeIgniter
Can you add a /** @psalm-trace $this->input */ and make sure you display info (--show-info should be enough)?
I simplified the code and found that Psalm could not find this vulnerability. Using --show-info returns no results: https://psalm.dev/r/feac64ed05
```php
<?php // --taint-analysis

// Stand-in for CodeIgniter's input class: the method is declared as a
// taint source, so whatever it returns should be tracked as user input.
class CI_Input {
    /** @psalm-taint-source input */
    public function get_post($x){
        return $_GET[$x];
    }
}

// Controller. Note that $input has no declared type here; that is the
// reproduction of the report, not an oversight in this listing.
class Book {
    public $input;

    public function __construct(){
        $this->input = new CI_Input();
    }

    public function search($key='') {
        // @psalm-trace applies to the statement that follows it, so it
        // belongs inside the method rather than in front of the class.
        /** @psalm-trace $this->input */
        $key = $this->input->get_post('key');
        eval($key); // sink: tainted data reaching eval() is expected to be reported
    }
}

$a = new Book();
$a->search();
```
I found these snippets:
You should make sure to fix important issues first. Taint analysis can only work properly if Psalm is able to infer your code correctly.
In this case, you're missing a property type: https://psalm.dev/r/a66f34a473
Psalm was not able to see that $this->input was a CI_Input, so it couldn't find your taint annotation.
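To make the point above concrete, here is the reproduction rewritten with the property typed so Psalm can resolve $this->input to CI_Input and follow the taint from get_post() into eval(). This is an added example, not code from the issue, from CodeIgniter or from Psalm's own documentation; the typed property, the string parameter and return type on get_post(), and the cast of the $_GET value are my additions (typed properties need PHP 7.4, which is the version in the report), and the @psalm-trace is placed on the statement it is meant to inspect.

```php
<?php // --taint-analysis

class CI_Input {
    /**
     * Declared as a taint source: Psalm treats the return value as
     * attacker-controlled input regardless of where it actually comes from.
     *
     * @psalm-taint-source input
     */
    public function get_post(string $x): string {
        // Cast added for this example so the method has a concrete return type;
        // the taint annotation, not the cast, is what marks the value as tainted.
        return (string) ($_GET[$x] ?? '');
    }
}

class Book {
    // Typed property (added): with this, Psalm knows $this->input is a CI_Input
    // and can see the @psalm-taint-source on get_post(). Without it the property
    // is inferred as mixed and the taint path is lost, which is the original bug.
    public CI_Input $input;

    public function __construct() {
        $this->input = new CI_Input();
    }

    public function search(string $key = ''): void {
        /** @psalm-trace $this->input */
        $key = $this->input->get_post('key');
        // Sink: with the property typed, Psalm's taint analysis should report
        // tainted input reaching eval() (the TaintedEval issue type).
        eval($key);
    }
}

$a = new Book();
$a->search();
```

Run it the same way as the original reproduction (vendor/bin/psalm --taint-analysis). The only semantic change relative to the snippet in the issue is the property type; the parameter and return types are there so that Psalm has nothing mixed left to complain about before it gets to the taint pass, which is exactly the "fix important issues first" advice.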
This is modified code from a real project (the CodeIgniter framework in PHP). There is an eval function call in the search method of the Book class (the controller in MVC). After loading the CI_Input class by including the input.php file, the search method calls the get_post method of the CI_Input class to get the GET parameter key. I added the annotation @psalm-taint-source input to get_post, which can actually achieve the effect of command execution, but Psalm did not detect it.
This is Book.php
This is input.php
This is the execution result:
../vendor/bin/psalm --taint-analysis
This is the result:
php == 7.4.30
psalm == 5.12.0@f90118cdeacd0088e7215e64c0c99ceca819e176