Skip to content

Commit

Permalink
exclude Plus on arrays too
Browse files Browse the repository at this point in the history
  • Loading branch information
orklah committed Nov 3, 2021
1 parent fc90d5b commit 68f31ca
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -378,6 +378,7 @@ public static function addDataFlow(
&& $stmt instanceof PhpParser\Node\Expr\BinaryOp
&& !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Concat
&& !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce
&& (!$stmt instanceof PhpParser\Node\Expr\BinaryOp\Plus || !$result_type->hasArray())
) {
//among BinaryOp, only Concat and Coalesce can pass tainted value to the result
return;
Expand Down
16 changes: 16 additions & 0 deletions tests/TaintTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -650,6 +650,12 @@ function takesArray(array $arr): void {
$var = $input === "x";
var_dump($var);'
],
'resultOfPlusIsNotTainted' => [
'<?php
$input = $_GET["foo"];
$var = $input + 1;
var_dump($var);'
],
];
}

Expand Down Expand Up @@ -2159,6 +2165,16 @@ function takesArray(array $arr): void {
takesArray([$_GET["bad"] => "good"]);',
'error_message' => 'TaintedHtml',
],
'resultOfPlusIsTaintedOnArrays' => [
'<?php
scope($_GET["foo"]);
function scope(array $foo)
{
$var = $foo + [];
var_dump($var);
}',
'error_message' => 'TaintedHtml',
],
'taintArrayKeyWithExplicitSink' => [
'<?php
/** @psalm-taint-sink html $values */
Expand Down

0 comments on commit 68f31ca

Please sign in to comment.