exclude Plus on arrays too

vimeo · Nov 3, 2021 · 9fb74a4 · 9fb74a4
1 parent 3b01713
commit 9fb74a4
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/BinaryOpAnalyzer.php
@@ -378,6 +378,7 @@ public static function addDataFlow(
             && $stmt instanceof PhpParser\Node\Expr\BinaryOp
             && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Concat
             && !$stmt instanceof PhpParser\Node\Expr\BinaryOp\Coalesce
+            && (!$stmt instanceof PhpParser\Node\Expr\BinaryOp\Plus || !$result_type->hasArray())
         ) {
             //among BinaryOp, only Concat and Coalesce can pass tainted value to the result
             return;

diff --git a/tests/TaintTest.php b/tests/TaintTest.php
@@ -650,6 +650,12 @@ function takesArray(array $arr): void {
                     $var = $input === "x";
                     var_dump($var);'
             ],
+            'resultOfPlusIsNotTainted' => [
+                '<?php
+                    $input = $_GET["foo"];
+                    $var = $input + 1;
+                    var_dump($var);'
+            ],
         ];
     }
 
@@ -2159,6 +2165,16 @@ function takesArray(array $arr): void {
                     takesArray([$_GET["bad"] => "good"]);',
                 'error_message' => 'TaintedHtml',
             ],
+            'resultOfPlusIsTaintedOnArrays' => [
+                '<?php
+                    scope($_GET["foo"]);
+                    function scope(array $foo)
+                    {
+                        $var = $foo + [];
+                        var_dump($var);
+                    }',
+                'error_message' => 'TaintedHtml',
+            ],
             'taintArrayKeyWithExplicitSink' => [
                 '<?php
                     /** @psalm-taint-sink html $values */