Merge branch 'master' into fixes

zoonru · Dec 19, 2023 · 5c77202 · 5c77202
2 parents e4fdc99 + f1733c3
commit 5c77202
Show file tree

Hide file tree

Showing 50 changed files with 651 additions and 224 deletions.
diff --git a/UPGRADING.md b/UPGRADING.md
@@ -17,7 +17,7 @@
 
 - [BC] Class `Psalm\Issue\MixedInferredReturnType` was removed
 
-- [BC] Value of constant `Psalm\Type\TaintKindGroup::ALL_INPUT` changed to reflect new `TaintKind::INPUT_SLEEP` and `TaintKind::INPUT_XPATH` have been added. Accordingly, default values for `$taint` parameters of `Psalm\Codebase::addTaintSource()` and `Psalm\Codebase::addTaintSink()` have been changed as well.
+- [BC] Value of constant `Psalm\Type\TaintKindGroup::ALL_INPUT` changed to reflect new `TaintKind::INPUT_EXTRACT`, `TaintKind::INPUT_SLEEP` and `TaintKind::INPUT_XPATH` have been added. Accordingly, default values for `$taint` parameters of `Psalm\Codebase::addTaintSource()` and `Psalm\Codebase::addTaintSink()` have been changed as well.
 
 - [BC] Property `Config::$shepherd_host` was replaced with `Config::$shepherd_endpoint`
 

diff --git a/composer.json b/composer.json
@@ -31,7 +31,7 @@
         "dnoegel/php-xdg-base-dir": "^0.1.1",
         "felixfbecker/advanced-json-rpc": "^3.1",
         "felixfbecker/language-server-protocol": "^1.5.2",
-        "fidry/cpu-core-counter": "^0.4.1 || ^0.5.1",
+        "fidry/cpu-core-counter": "^0.4.1 || ^0.5.1 || ^1.0.0",
         "netresearch/jsonmapper": "^1.0 || ^2.0 || ^3.0 || ^4.0",
         "nikic/php-parser": "^4.16",
         "sebastian/diff": "^4.0 || ^5.0",

diff --git a/config.xsd b/config.xsd
@@ -434,6 +434,7 @@
             <xs:element name="TaintedCookie" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedCustom" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedEval" type="IssueHandlerType" minOccurs="0" />
+            <xs:element name="TaintedExtract" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedFile" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedHeader" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedHtml" type="IssueHandlerType" minOccurs="0" />

diff --git a/dictionaries/CallMap.php b/dictionaries/CallMap.php
@@ -12923,8 +12923,8 @@
 'strrpos' => ['int|false', 'haystack'=>'string', 'needle'=>'string', 'offset='=>'int'],
 'strspn' => ['int', 'string'=>'string', 'characters'=>'string', 'offset='=>'int', 'length='=>'?int'],
 'strstr' => ['string|false', 'haystack'=>'string', 'needle'=>'string', 'before_needle='=>'bool'],
-'strtok' => ['string|false', 'string'=>'string', 'token'=>'string'],
-'strtok\'1' => ['string|false', 'string'=>'string'],
+'strtok' => ['non-empty-string|false', 'string'=>'string', 'token'=>'string'],
+'strtok\'1' => ['non-empty-string|false', 'string'=>'string'],
 'strtolower' => ['lowercase-string', 'string'=>'string'],
 'strtotime' => ['int|false', 'datetime'=>'string', 'baseTimestamp='=>'?int'],
 'strtoupper' => ['string', 'string'=>'string'],

diff --git a/dictionaries/CallMap_historical.php b/dictionaries/CallMap_historical.php
@@ -14333,8 +14333,8 @@
     'strrpos' => ['int|false', 'haystack'=>'string', 'needle'=>'string|int', 'offset='=>'int'],
     'strspn' => ['int', 'string'=>'string', 'characters'=>'string', 'offset='=>'int', 'length='=>'int'],
     'strstr' => ['string|false', 'haystack'=>'string', 'needle'=>'string|int', 'before_needle='=>'bool'],
-    'strtok' => ['string|false', 'string'=>'string', 'token'=>'string'],
-    'strtok\'1' => ['string|false', 'string'=>'string'],
+    'strtok' => ['non-empty-string|false', 'string'=>'string', 'token'=>'string'],
+    'strtok\'1' => ['non-empty-string|false', 'string'=>'string'],
     'strtolower' => ['lowercase-string', 'string'=>'string'],
     'strtotime' => ['int|false', 'datetime'=>'string', 'baseTimestamp='=>'int'],
     'strtoupper' => ['string', 'string'=>'string'],

diff --git a/docs/annotating_code/supported_annotations.md b/docs/annotating_code/supported_annotations.md
@@ -263,9 +263,9 @@ is not within the given namespace.
 <?php
 namespace A\B {
     /**
-    * @internal
-    * @psalm-internal A\B
-    */
+     * @internal
+     * @psalm-internal A\B
+     */
     class Foo { }
 }
 

diff --git a/docs/running_psalm/error_levels.md b/docs/running_psalm/error_levels.md
@@ -286,6 +286,7 @@ Level 5 and above allows a more non-verifiable code, and higher levels are even
  - [TaintedCookie](issues/TaintedCookie.md)
  - [TaintedCustom](issues/TaintedCustom.md)
  - [TaintedEval](issues/TaintedEval.md)
+ - [TaintedExtract](issues/TaintedExtract.md)
  - [TaintedFile](issues/TaintedFile.md)
  - [TaintedHeader](issues/TaintedHeader.md)
  - [TaintedHtml](issues/TaintedHtml.md)

diff --git a/docs/running_psalm/issues.md b/docs/running_psalm/issues.md
@@ -234,6 +234,7 @@
  - [TaintedCookie](issues/TaintedCookie.md)
  - [TaintedCustom](issues/TaintedCustom.md)
  - [TaintedEval](issues/TaintedEval.md)
+ - [TaintedExtract](issues/TaintedExtract.md)
  - [TaintedFile](issues/TaintedFile.md)
  - [TaintedHeader](issues/TaintedHeader.md)
  - [TaintedHtml](issues/TaintedHtml.md)

diff --git a/docs/running_psalm/issues/TaintedExtract.md b/docs/running_psalm/issues/TaintedExtract.md
@@ -0,0 +1,10 @@
+# TaintedExtract
+
+Emitted when user-controlled array can be passed into an `extract` call.
+
+```php
+<?php
+
+$array = $_GET;
+extract($array);
+```
diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/AssertionFinder.php b/src/Psalm/Internal/Analyzer/Statements/Expression/AssertionFinder.php
@@ -546,9 +546,9 @@ private static function scrapeEqualityAssertions(
                 );
             } else {
                 // both side of the Identical can be asserted to the intersection of both
-                $intersection_type = Type::intersectUnionTypes($var_type, $other_type, $codebase);
+                $intersection_type = Type::intersectUnionTypes($var_type, $other_type, $codebase, false, false);
 
-                if ($intersection_type !== null && $intersection_type->isSingle()) {
+                if ($intersection_type !== null) {
                     $if_types = [];
 
                     $var_name_left = ExpressionIdentifier::getExtendedVarId(
@@ -559,8 +559,13 @@ private static function scrapeEqualityAssertions(
 
                     $var_assertion_different = $var_type->getId() !== $intersection_type->getId();
 
+                    $all_assertions = [];
+                    foreach ($intersection_type->getAtomicTypes() as $atomic_type) {
+                        $all_assertions[] = new IsIdentical($atomic_type);
+                    }
+
                     if ($var_name_left && $var_assertion_different) {
-                        $if_types[$var_name_left] = [[new IsIdentical($intersection_type->getSingleAtomic())]];
+                        $if_types[$var_name_left] = [$all_assertions];
                     }
 
                     $var_name_right = ExpressionIdentifier::getExtendedVarId(
@@ -572,7 +577,7 @@ private static function scrapeEqualityAssertions(
                     $other_assertion_different = $other_type->getId() !== $intersection_type->getId();
 
                     if ($var_name_right && $other_assertion_different) {
-                        $if_types[$var_name_right] = [[new IsIdentical($intersection_type->getSingleAtomic())]];
+                        $if_types[$var_name_right] = [$all_assertions];
                     }
 
                     return $if_types ? [$if_types] : [];

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentAnalyzer.php
@@ -898,7 +898,7 @@ public static function verifyType(
             $input_type,
             $param_type,
             true,
-            true,
+            !isset($param_type->getAtomicTypes()['true']),
             $union_comparison_results,
         );
 

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php
@@ -1270,7 +1270,7 @@ private static function handleByRefFunctionArg(
 
         $builtin_array_functions = [
             'ksort', 'asort', 'krsort', 'arsort', 'natcasesort', 'natsort',
-            'reset', 'end', 'next', 'prev', 'array_pop', 'array_shift',
+            'reset', 'end', 'next', 'prev', 'array_pop', 'array_shift', 'extract',
         ];
 
         if (($var_id && isset($context->vars_in_scope[$var_id]))

diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallReturnTypeFetcher.php
@@ -52,6 +52,7 @@
 use function strlen;
 use function strtolower;
 use function substr;
+use function trim;
 
 /**
  * @internal
@@ -632,17 +633,19 @@ private static function taintReturnType(
                     $first_arg_value = $first_stmt_type->getSingleStringLiteral()->value;
 
                     $pattern = substr($first_arg_value, 1, -1);
+                    if (strlen(trim($pattern)) > 0) {
+                        $pattern = trim($pattern);
+                        if ($pattern[0] === '['
+                            && $pattern[1] === '^'
+                            && substr($pattern, -1) === ']'
+                        ) {
+                            $pattern = substr($pattern, 2, -1);
 
-                    if ($pattern[0] === '['
-                        && $pattern[1] === '^'
-                        && str_ends_with($pattern, ']')
-                    ) {
-                        $pattern = substr($pattern, 2, -1);
-
-                        if (self::simpleExclusion($pattern, $first_arg_value[0])) {
-                            $removed_taints[] = 'html';
-                            $removed_taints[] = 'has_quotes';
-                            $removed_taints[] = 'sql';
+                            if (self::simpleExclusion($pattern, $first_arg_value[0])) {
+                                $removed_taints[] = 'html';
+                                $removed_taints[] = 'has_quotes';
+                                $removed_taints[] = 'sql';
+                            }
                         }
                     }
                 }