vimeo/psalm

Global type not respected during taint analysis

Open

#8,359 opened on Aug 2, 2022

View on GitHub
 (3 comments) (0 reactions) (0 assignees)PHP (5,369 stars) (668 forks)batch import
Help wantedbugtaint analysis

Description

With the following psalm.xml:

<?xml version="1.0"?>
<psalm>
	<projectFiles>
		<directory name="." />
	</projectFiles>
	<globals>
		<var name="connection" type="mysqli" />
	</globals>
</psalm>

...and the following file.php:

<?php
$connection->query($_GET['injection']);
// function a(mysqli $b){}

A taint is not reported, even though it should be. Strangely, if you uncomment the function a... line, the taint is reported correctly. It's like psalm doesn't become aware of the mysqli type unless it is referenced in an unrelated location.

This example was distilled from an actual use case in a much larger code base. Let me know if there is any more information I can provide, or if you have a hunch that it's related to a particular part of the psalm source that I could look into.

Contributor guide

Tech stack
None
Domain
developer experiencesecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
PHPbasic static analysis concepts
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate Psalm's handling of global types defined in psalm.xml and how they are used during taint analysis. Look at the code that processes the psalm.xml configuration (likely in src/Psalm/Config.php) and the taint analysis module (in src/Psalm/Internal/Analyzer/TaintAnalyzer.php). Understand why the global type for 'connection' is not resolved unless the type is referenced elsewhere, as in the minimal reproduction provided. Consider checking how global variables are loaded and if there is a missing step in the taint context setup.