Allow suppressing preg_match_with_matches taints based on regex

slackhq · Mar 25, 2024 · 2a2bbea · 2a2bbea
1 parent f06eae7
commit 2a2bbea
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/src/analyzer/expr/call/arguments_analyzer.rs b/src/analyzer/expr/call/arguments_analyzer.rs
@@ -41,7 +41,7 @@ use oxidized::ast_defs::ParamKind;
 use oxidized::pos::Pos;
 use oxidized::{aast, ast_defs};
 
-use super::argument_analyzer;
+use super::argument_analyzer::{self, get_removed_taints_in_comments};
 use super::method_call_info::MethodCallInfo;
 
 pub(crate) fn check_arguments_match(
@@ -1077,6 +1077,9 @@ fn handle_possibly_matching_inout_param(
         )
     ) && argument_offset == 2
     {
+        let removed_taints =
+            get_removed_taints_in_comments(statements_analyzer, all_args[0].1.pos());
+
         let argument_node = DataFlowNode::get_for_method_argument(
             functionlike_id.to_string(statements_analyzer.get_interner()),
             0,
@@ -1112,7 +1115,7 @@ fn handle_possibly_matching_inout_param(
             &out_node,
             PathKind::Default,
             vec![],
-            vec![],
+            removed_taints,
         );
     } else if matches!(
         functionlike_id,

diff --git a/tests/security/dontTaintThroughPregMatchWithIgnore/input.hack b/tests/security/dontTaintThroughPregMatchWithIgnore/input.hack
@@ -0,0 +1,16 @@
+function foo(): void {
+    $text = $_GET['bad'];
+    $matches = dict[];
+    if (
+        \preg_match_all_with_matches(
+            /* HAKANA_SECURITY_IGNORE[HtmlTag] */
+            '!<@([WU]+[0-9A-Z]+)!',
+            $text,
+            inout $matches,
+        )
+    ) {
+        foreach ($matches[1] as $match) {
+            echo $match;
+        }
+    }
+}