Possibility to mark all public method parameters of a class as taint source #5186
Comments
Hey @ArtemGoutsoul, can you reproduce the issue on https://psalm.dev?
I found these snippets: https://psalm.dev/r/fceb4efe6b

```php
<?php // --taint-analysis
/**
 * @psalm-taint-source input
 */
class ApiEndpoints
{
    // Method bodies added so the snippet runs: a `string` return type with no
    // return statement would throw a TypeError as soon as exec() calls the method,
    // and returning the parameters lets any taint on them reach the sink.
    public function endPointA($param1, $param2): string { return $param1 . $param2; }
    public function endPointB($param2, $param3): string { return $param2 . $param3; }
    public function endPointC($param4, $param5): string { return $param4 . $param5; }
}
$subject = new ApiEndpoints();
exec($subject->endPointA('a', 'b'));
```
I could try to write a custom plugin, but so far I was not able to find a way to start. One could take a few approaches:
So far I checked the following:
Should one create a class implementing \Psalm\Plugin\EventHandler\MethodParamsProviderInterface? Would anyone have a closer example or some more hints? Thank you!
I'd try to use one of those two plugin interfaces:
The first one will probably be simpler, but I think there's one disadvantage with the first: it's called before the cache is created (so whatever the plugin does will end up cached). That means your plugin won't be able to change things between runs that use the cache (but it may not be an issue if you just want to add taints to every method).
Is a better example on how to add taints
Use case: a method is exposed as an API endpoint, i.e. all params are input taint sources.
Example suggestion:
This would be equivalent to marking each individual method.
Would be even better if one could mark Some_Api_Abstract as a taint source, and all child class method parameters would become taint sources.
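An added example of the plugin approach discussed above, written for this page and not taken from the issue thread or from the Psalm project: it uses Psalm's `AddTaintsInterface` hook to attach all input taint kinds to every parameter of a public method whose class extends the marker base class `Some_Api_Abstract` named in the issue body, which gives the "mark the abstract class once" behaviour the issue asks for. Assumptions: the namespace and class names `Example\PsalmPlugin\ApiParamTaintPlugin` and `ApiParamTaints` are invented for the example; the hook signatures follow the Psalm 4.x plugin API; and the visibility check reaches into `Psalm\Internal\...` classes, which are not covered by Psalm's public API promise and should be checked against the installed version.

```php
<?php
// Added example (not code from the issue thread or from Psalm): a plugin that
// treats every parameter of a public method as an input taint source when the
// enclosing class extends the marker base class `Some_Api_Abstract`.
// Assumptions: Psalm 4.x plugin API; the `Psalm\Internal\...` classes used for
// the visibility check are internal and may move between Psalm versions.
declare(strict_types=1);

namespace Example\PsalmPlugin;

use PhpParser\Node\Expr;
use Psalm\Internal\Analyzer\ClassLikeAnalyzer;
use Psalm\Internal\MethodIdentifier;
use Psalm\Plugin\EventHandler\AddTaintsInterface;
use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent;
use Psalm\Plugin\PluginEntryPointInterface;
use Psalm\Plugin\RegistrationInterface;
use Psalm\Type\TaintKindGroup;
use SimpleXMLElement;

/** Entry point referenced from psalm.xml; registers the hook class below. */
final class ApiParamTaintPlugin implements PluginEntryPointInterface
{
    public function __invoke(RegistrationInterface $registration, ?SimpleXMLElement $config = null): void
    {
        $registration->registerHooksFromClass(ApiParamTaints::class);
    }
}

/**
 * Hook invoked for each expression Psalm analyses while it builds the taint
 * flow graph. Returning taint kinds here attaches them to that expression,
 * the same effect `@psalm-taint-source input` has on a single annotated method.
 */
final class ApiParamTaints implements AddTaintsInterface
{
    /** Marker base class (from the issue body): subclasses expose public methods as endpoints. */
    private const API_BASE = 'Some_Api_Abstract';

    /** @return list<string> */
    public static function addTaints(AddRemoveTaintsEvent $event): array
    {
        $expr = $event->getExpr();
        // Only a plain variable can be a parameter reference; `$$name` forms are skipped.
        if (!$expr instanceof Expr\Variable || !is_string($expr->name)) {
            return [];
        }

        $context = $event->getContext();
        $codebase = $event->getCodebase();

        // Must be inside a method body of a class that extends the marker base.
        if ($context->self === null || $context->calling_method_id === null) {
            return [];
        }
        if (!$codebase->classExtends($context->self, self::API_BASE)) {
            return [];
        }

        // Restrict to public methods: private/protected helpers are not endpoints.
        // (Internal API: MethodIdentifier and ClassLikeAnalyzer may differ by version.)
        $method_id = MethodIdentifier::wrap($context->calling_method_id);
        $storage = $codebase->methods->getStorage($method_id);
        if ($storage->visibility !== ClassLikeAnalyzer::VISIBILITY_PUBLIC) {
            return [];
        }

        // The variable is a source only if it names one of this method's parameters;
        // locals declared inside the body keep whatever taint flows into them.
        foreach ($storage->params as $param) {
            if ($param->name === $expr->name) {
                return TaintKindGroup::ALL_INPUT;
            }
        }

        return [];
    }
}
```

To use it, register `Example\PsalmPlugin\ApiParamTaintPlugin` as a `pluginClass` under `<plugins>` in psalm.xml (with each class in its own PSR-4 autoloaded file rather than the single file shown here) and run Psalm with `--taint-analysis`; a subclass of `Some_Api_Abstract` whose public method passes a parameter into `exec()` will then be reported as a tainted shell sink without any per-method annotation, while the same flow inside a private helper is not flagged.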