vimeo/psalm

Global type not respected during taint analysis

Open

#8,359 opened on Aug 2, 2022

View on GitHub
 (3 comments) (0 reactions) (0 assignees)PHP (668 forks)batch import
Help wantedbugtaint analysis

Repository metrics

Stars
 (5,369 stars)
PR merge metrics
 (Avg merge 3d 12h) (5 merged PRs in 30d)

Description

With the following psalm.xml:

<?xml version="1.0"?>
<psalm>
	<projectFiles>
		<directory name="." />
	</projectFiles>
	<globals>
		<var name="connection" type="mysqli" />
	</globals>
</psalm>

...and the following file.php:

<?php
$connection->query($_GET['injection']);
// function a(mysqli $b){}

A taint is not reported, even though it should be. Strangely, if you uncomment the function a... line, the taint is reported correctly. It's like psalm doesn't become aware of the mysqli type unless it is referenced in an unrelated location.

This example was distilled from an actual use case in a much larger code base. Let me know if there is any more information I can provide, or if you have a hunch that it's related to a particular part of the psalm source that I could look into.

Contributor guide