From 68f31cafbbe9e56dd9f961d72bfc47f0fff01416 Mon Sep 17 00:00:00 2001
From: orklah <ronan_morin@hotmail.com>
Date: Thu, 4 Nov 2021 00:27:00 +0100
Subject: [PATCH] exclude Plus on arrays too

---
 .../Statements/Expression/BinaryOpAnalyzer.php   |  1 +
 tests/TaintTest.php                              | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
index f761a6a8e2f..34a46992266 100644
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
@@ -378,6 +378,7 @@ public static function addDataFlow(
             && $stmt instanceof PhpParser\Node\Expr\BinaryOp
             && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Concat
             && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce
+            && (!$stmt instanceof PhpParser\Node\Expr\BinaryOp\Plus || !$result_type->hasArray())
         ) {
             //among BinaryOp, only Concat and Coalesce can pass tainted value to the result
             return;
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index 5bbd74ec3b5..5cbbcb7b69b 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -650,6 +650,12 @@ function takesArray(array $arr): void {
                     $var = $input === "x";
                     var_dump($var);'
             ],
+            'resultOfPlusIsNotTainted' => [
+                '<?php
+                    $input = $_GET["foo"];
+                    $var = $input + 1;
+                    var_dump($var);'
+            ],
         ];
     }
 
@@ -2159,6 +2165,16 @@ function takesArray(array $arr): void {
                     takesArray([$_GET["bad"] => "good"]);',
                 'error_message' => 'TaintedHtml',
             ],
+            'resultOfPlusIsTaintedOnArrays' => [
+                '<?php
+                    scope($_GET["foo"]);
+                    function scope(array $foo)
+                    {
+                        $var = $foo + [];
+                        var_dump($var);
+                    }',
+                'error_message' => 'TaintedHtml',
+            ],
             'taintArrayKeyWithExplicitSink' => [
                 '<?php
                     /** @psalm-taint-sink html $values */