Add TaintedCallable sinks for 4 core generic functions

vimeo · Sep 6, 2024 · cf148ac · cf148ac
1 parent 7c53c9d
commit cf148ac
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/stubs/CoreGenericFunctions.phpstub b/stubs/CoreGenericFunctions.phpstub
@@ -1803,3 +1803,23 @@ function exec(string $command, &$output = null, int &$result_code = null): strin
 * @psalm-ignore-falsable-return
 */
 function get_browser(?string $user_agent = null, bool $return_array = false): object|array|false {}
+
+/**
+ * @psalm-taint-sink callable $callback
+ */
+function forward_static_call(callable $callback, mixed ...$args): mixed {}
+
+/**
+ * @psalm-taint-sink callable $callback
+ */
+function forward_static_call_array(callable $callback, array $args): mixed {}
+
+/**
+ * @psalm-taint-sink callable $callback
+ */
+function register_shutdown_function(callable $callback, mixed ...$args): void {}
+
+/**
+ * @psalm-taint-sink callable $callback
+ */
+function register_tick_function(callable $callback, mixed ...$args): bool {}
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
@@ -2527,6 +2527,42 @@ public static function getPrevious(string $s): string {
                     $result = $mysqli->execute_query($query);',
                 'error_message' => 'TaintedSql',
             ],
+            'taintedRegisterShutdownFunction' => [
+                'code' => '<?php
+                    $foo = $_GET["foo"];
+                    register_shutdown_function($foo);',
+                'error_message' => 'TaintedCallable',
+            ],
+            'taintedRegisterTickFunction' => [
+                'code' => '<?php
+                    $foo = $_GET["foo"];
+                    register_tick_function($foo);',
+                'error_message' => 'TaintedCallable',
+            ],
+            'taintedForwardStaticCall' => [
+                'code' => '<?php
+                    $foo = $_GET["foo"];
+                    class B
+                    {
+                        public static function test($foo) {
+                            forward_static_call($foo, "one", "two");
+                        }
+                    }
+                    B::test($foo);',
+                'error_message' => 'TaintedCallable',
+            ],
+            'taintedForwardStaticCallArray' => [
+                'code' => '<?php
+                    $foo = $_GET["foo"];
+                    class B
+                    {
+                        public static function test($foo) {
+                            forward_static_call_array($foo, array("one", "two"));
+                        }
+                    }
+                    B::test($foo);',
+                'error_message' => 'TaintedCallable',
+            ],
         ];
     }