<?php
namespace Psalm\Internal\Analyzer\Statements;
use PhpParser;
use Psalm\CodeLocation;
use Psalm\Context;
use Psalm\Internal\Analyzer\FunctionLikeAnalyzer;
use Psalm\Internal\Analyzer\Statements\Expression\Call\ArgumentAnalyzer;
use Psalm\Internal\Analyzer\Statements\Expression\CastAnalyzer;
use Psalm\Internal\Analyzer\StatementsAnalyzer;
use Psalm\Internal\Codebase\TaintFlowGraph;
use Psalm\Internal\DataFlow\TaintSink;
use Psalm\Issue\ForbiddenCode;
use Psalm\Issue\ImpureFunctionCall;
use Psalm\IssueBuffer;
use Psalm\Storage\FunctionLikeParameter;
use Psalm\Type;
use Psalm\Type\TaintKind;
/**
 * Analyses `echo` statements.
 *
 * Every echoed expression is analysed and then checked against a synthetic
 * string parameter. When taint analysis is active, each argument position of
 * `echo` is also registered as a data-flow sink for HTML, quote-sensitive and
 * secret taints, so that unescaped input or secrets flowing into output are
 * reported. `echo` may be forbidden through configuration, and it always
 * counts as an impure call for purity tracking.
 *
 * @internal
 */
class EchoAnalyzer
{
    /**
     * Taint kinds that must not reach an `echo` argument.
     */
    private const ECHO_SINK_TAINTS = [
        TaintKind::INPUT_HTML,
        TaintKind::INPUT_HAS_QUOTES,
        TaintKind::USER_SECRET,
        TaintKind::SYSTEM_SECRET,
    ];

    /**
     * Analyses all expressions of an `echo` statement and records the
     * resulting diagnostics and data-flow information.
     *
     * @return bool false as soon as one argument fails verification, true otherwise
     */
    public static function analyze(
        StatementsAnalyzer $statements_analyzer,
        PhpParser\Node\Stmt\Echo_ $stmt,
        Context $context
    ): bool {
        // echo has no declared signature; every argument is checked against
        // this synthetic, non-by-reference `$var` parameter
        $echo_param = new FunctionLikeParameter('var', false);
        $codebase = $statements_analyzer->getCodebase();

        foreach ($stmt->exprs as $index => $expr) {
            $argument_type = self::analyzeArgument($statements_analyzer, $stmt, $expr, $context, $index);

            $verified = self::verifyArgument(
                $statements_analyzer,
                $stmt,
                $expr,
                $context,
                $echo_param,
                $argument_type,
                $index
            );

            if (!$verified) {
                return false;
            }
        }

        if (isset($codebase->config->forbidden_functions['echo'])) {
            IssueBuffer::maybeAdd(
                new ForbiddenCode('Use of echo', new CodeLocation($statements_analyzer, $stmt)),
                $statements_analyzer->getSource()->getSuppressedIssues()
            );
        }

        self::recordImpurity($statements_analyzer, $stmt, $context);

        return true;
    }

    /**
     * Analyses one echoed expression and, when taint analysis is running,
     * registers its argument position as a sink.
     *
     * @return Type\Union|null the inferred type of the expression (object types
     *                         replaced by the result of the string-cast analysis),
     *                         or null when no type was inferred
     */
    private static function analyzeArgument(
        StatementsAnalyzer $statements_analyzer,
        PhpParser\Node\Stmt\Echo_ $stmt,
        PhpParser\Node\Expr $expr,
        Context $context,
        int $index
    ): ?Type\Union {
        // the expression is analysed as a call argument
        $context->inside_call = true;
        ExpressionAnalyzer::analyze($statements_analyzer, $expr, $context);
        $context->inside_call = false;

        $argument_type = $statements_analyzer->node_data->getType($expr);

        $graph = $statements_analyzer->data_flow_graph;

        if (!$graph instanceof TaintFlowGraph) {
            return $argument_type;
        }

        // object-typed arguments are run through the string-cast analysis so
        // the sink sees what is actually emitted
        if ($argument_type && $argument_type->hasObjectType()) {
            $argument_type = CastAnalyzer::castStringAttempt(
                $statements_analyzer,
                $context,
                $argument_type,
                $expr,
                false
            );
        }

        $sink = TaintSink::getForMethodArgument(
            'echo',
            'echo',
            $index,
            null,
            new CodeLocation($statements_analyzer->getSource(), $stmt)
        );
        $sink->taints = self::ECHO_SINK_TAINTS;
        $graph->addSink($sink);

        return $argument_type;
    }

    /**
     * Checks that one echoed expression is acceptable as a string argument.
     *
     * @return bool false when verification explicitly failed
     */
    private static function verifyArgument(
        StatementsAnalyzer $statements_analyzer,
        PhpParser\Node\Stmt\Echo_ $stmt,
        PhpParser\Node\Expr $expr,
        Context $context,
        FunctionLikeParameter $echo_param,
        ?Type\Union $argument_type,
        int $index
    ): bool {
        // an argument with no inferred type is treated as mixed
        $result = ArgumentAnalyzer::verifyType(
            $statements_analyzer,
            $argument_type ?? Type::getMixed(),
            Type::getString(),
            null,
            'echo',
            null,
            $index,
            new CodeLocation($statements_analyzer->getSource(), $expr),
            $expr,
            $context,
            $echo_param,
            false,
            null,
            true,
            true,
            new CodeLocation($statements_analyzer, $stmt)
        );

        return $result !== false;
    }

    /**
     * Accounts for the side effect of producing output: in a mutation-free
     * context an issue is reported, otherwise the enclosing function-like is
     * marked as mutating and impure when it tracks mutations.
     */
    private static function recordImpurity(
        StatementsAnalyzer $statements_analyzer,
        PhpParser\Node\Stmt\Echo_ $stmt,
        Context $context
    ): void {
        // purity is not evaluated while collecting initializations or mutations
        if ($context->collect_initializations || $context->collect_mutations) {
            return;
        }

        if ($context->mutation_free || $context->external_mutation_free) {
            IssueBuffer::maybeAdd(
                new ImpureFunctionCall(
                    'Cannot call echo from a mutation-free context',
                    new CodeLocation($statements_analyzer, $stmt)
                ),
                $statements_analyzer->getSuppressedIssues()
            );

            return;
        }

        $source = $statements_analyzer->getSource();

        if ($source instanceof FunctionLikeAnalyzer && $source->track_mutations) {
            $source->inferred_has_mutation = true;
            $source->inferred_impure = true;
        }
    }
}