Taint through reset call

src/Psalm/Internal/Provider/ReturnTypeProvider/ArrayPointerAdjustmentReturnTypeProvider.php

@@ -3,6 +3,7 @@
 
 use PhpParser;
 use Psalm\Plugin\EventHandler\Event\FunctionReturnTypeProviderEvent;
+use Psalm\Internal\Analyzer\Statements\Expression\Fetch\ArrayFetchAnalyzer;
 use Psalm\Type;
 
 class ArrayPointerAdjustmentReturnTypeProvider implements \Psalm\Plugin\EventHandler\FunctionReturnTypeProviderInterface
@@ -77,6 +78,14 @@ public static function getFunctionReturnType(FunctionReturnTypeProviderEvent $ev
             }
         }
 
+        ArrayFetchAnalyzer::taintArrayFetch(
+            $statements_source,
+            $first_arg,
+            null,
+            $value_type,
+            Type::getMixed()
+        );
+
         return $value_type;
     }
 }

tests/TaintTest.php

@@ -2122,6 +2122,17 @@ function doTheMagic(array $values) {}
                     doTheMagic([(string)$_GET["bad"] => "foo"]);',
                 'error_message' => 'TaintedHtml',
             ],
+            'taintThroughReset' => [
+                '<?php
+                    function foo(array $arr) : void {
+                        if ($arr) {
+                            echo reset($arr);
+                        }
+                    }
+
+                    foo([$_GET["a"]]);',
+                'error_message' => 'TaintedHtml',
+            ],
             /*
             // TODO: Stubs do not support this type of inference even with $this->message = $message.
             // Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.