/src/Psalm/Internal/Codebase/TaintFlowGraph.php

https://github.com/vimeo/psalm · PHP · 322 lines · 237 code · 69 blank · 16 comment · 36 complexity · 13019b90730aeefc9a51656f065c2946 MD5 · raw file 

    

  1. <?php
    2. 

  2. 

  3. namespace Psalm\Internal\Codebase;
    4. 

  4. 

  5. use Psalm\CodeLocation;
    6. 

  6. use Psalm\Internal\ControlFlow\Path;
    7. 

  7. use Psalm\Internal\ControlFlow\TaintSink;
    8. 

  8. use Psalm\Internal\ControlFlow\TaintSource;
    9. 

  9. use Psalm\Internal\ControlFlow\ControlFlowNode;
    10. 

  10. use Psalm\IssueBuffer;
    11. 

  11. use Psalm\Issue\TaintedInput;
    12. 

  12. use function array_merge;
    13. 

  13. use function count;
    14. 

  14. use function implode;
    15. 

  15. use function substr;
    16. 

  16. use function strlen;
    17. 

  17. use function array_intersect;
    18. 

  18. use function array_reverse;
    19. 

  19. 

  20. class TaintFlowGraph extends ControlFlowGraph
    21. 

  21. {
    22. 

  22.     /** @var array<string, TaintSource> */
    23. 

  23.     private $sources = [];
    24. 

  24. 

  25.     /** @var array<string, ControlFlowNode> */
    26. 

  26.     private $nodes = [];
    27. 

  27. 

  28.     /** @var array<string, TaintSink> */
    29. 

  29.     private $sinks = [];
    30. 

  30. 

  31.     /** @var array<string, array<string, true>> */
    32. 

  32.     private $specialized_calls = [];
    33. 

  33. 

  34.     /** @var array<string, array<string, true>> */
    35. 

  35.     private $specializations = [];
    36. 

  36. 

  37.     public function addNode(ControlFlowNode $node) : void
    38. 

  38.     {
    39. 

  39.         $this->nodes[$node->id] = $node;
    40. 

  40. 

  41.         if ($node->unspecialized_id && $node->specialization_key) {
    42. 

  42.             $this->specialized_calls[$node->specialization_key][$node->unspecialized_id] = true;
    43. 

  43.             $this->specializations[$node->unspecialized_id][$node->specialization_key] = true;
    44. 

  44.         }
    45. 

  45.     }
    46. 

  46. 

  47.     public function addSource(TaintSource $node) : void
    48. 

  48.     {
    49. 

  49.         $this->sources[$node->id] = $node;
    50. 

  50.     }
    51. 

  51. 

  52.     public function addSink(TaintSink $node) : void
    53. 

  53.     {
    54. 

  54.         $this->sinks[$node->id] = $node;
    55. 

  55.         // in the rare case the sink is the _next_ node, this is necessary
    56. 

  56.         $this->nodes[$node->id] = $node;
    57. 

  57.     }
    58. 

  58. 

  59.     public function addGraph(self $taint) : void
    60. 

  60.     {
    61. 

  61.         $this->sources += $taint->sources;
    62. 

  62.         $this->sinks += $taint->sinks;
    63. 

  63.         $this->nodes += $taint->nodes;
    64. 

  64.         $this->specialized_calls += $taint->specialized_calls;
    65. 

  65. 

  66.         foreach ($taint->forward_edges as $key => $map) {
    67. 

  67.             if (!isset($this->forward_edges[$key])) {
    68. 

  68.                 $this->forward_edges[$key] = $map;
    69. 

  69.             } else {
    70. 

  70.                 $this->forward_edges[$key] += $map;
    71. 

  71.             }
    72. 

  72.         }
    73. 

  73. 

  74.         foreach ($taint->specializations as $key => $map) {
    75. 

  75.             if (!isset($this->specializations[$key])) {
    76. 

  76.                 $this->specializations[$key] = $map;
    77. 

  77.             } else {
    78. 

  78.                 $this->specializations[$key] += $map;
    79. 

  79.             }
    80. 

  80.         }
    81. 

  81.     }
    82. 

  82. 

  83.     public function getPredecessorPath(ControlFlowNode $source) : string
    84. 

  84.     {
    85. 

  85.         $location_summary = '';
    86. 

  86. 

  87.         if ($source->code_location) {
    88. 

  88.             $location_summary = $source->code_location->getShortSummary();
    89. 

  89.         }
    90. 

  90. 

  91.         $source_descriptor = $source->label . ($location_summary ? ' (' . $location_summary . ')' : '');
    92. 

  92. 

  93.         $previous_source = $source->previous;
    94. 

  94. 

  95.         if ($previous_source) {
    96. 

  96.             if ($previous_source === $source) {
    97. 

  97.                 return '';
    98. 

  98.             }
    99. 

  99. 

  100.             return $this->getPredecessorPath($previous_source) . ' -> ' . $source_descriptor;
    101. 

  101.         }
    102. 

  102. 

  103.         return $source_descriptor;
    104. 

  104.     }
    105. 

  105. 

  106.     public function getSuccessorPath(ControlFlowNode $sink) : string
    107. 

  107.     {
    108. 

  108.         $location_summary = '';
    109. 

  109. 

  110.         if ($sink->code_location) {
    111. 

  111.             $location_summary = $sink->code_location->getShortSummary();
    112. 

  112.         }
    113. 

  113. 

  114.         $sink_descriptor = $sink->label . ($location_summary ? ' (' . $location_summary . ')' : '');
    115. 

  115. 

  116.         $next_sink = $sink->previous;
    117. 

  117. 

  118.         if ($next_sink) {
    119. 

  119.             if ($next_sink === $sink) {
    120. 

  120.                 return '';
    121. 

  121.             }
    122. 

  122. 

  123.             return $sink_descriptor . ' -> ' . $this->getSuccessorPath($next_sink);
    124. 

  124.         }
    125. 

  125. 

  126.         return $sink_descriptor;
    127. 

  127.     }
    128. 

  128. 

  129.     /**
    130. 

  130.      * @return list<array{location: ?CodeLocation, label: string, entry_path_type: string}>
    131. 

  131.      */
    132. 

  132.     public function getIssueTrace(ControlFlowNode $source) : array
    133. 

  133.     {
    134. 

  134.         $previous_source = $source->previous;
    135. 

  135. 

  136.         $node = [
    137. 

  137.             'location' => $source->code_location,
    138. 

  138.             'label' => $source->label,
    139. 

  139.             'entry_path_type' => \end($source->path_types) ?: ''
    140. 

  140.         ];
    141. 

  141. 

  142.         if ($previous_source) {
    143. 

  143.             if ($previous_source === $source) {
    144. 

  144.                 return [];
    145. 

  145.             }
    146. 

  146. 

  147.             return array_merge($this->getIssueTrace($previous_source), [$node]);
    148. 

  148.         }
    149. 

  149. 

  150.         return [$node];
    151. 

  151.     }
    152. 

  152. 

  153.     public function connectSinksAndSources() : void
    154. 

  154.     {
    155. 

  155.         $visited_source_ids = [];
    156. 

  156. 

  157.         $sources = $this->sources;
    158. 

  158.         $sinks = $this->sinks;
    159. 

  159. 

  160.         for ($i = 0; count($sinks) && count($sources) && $i < 40; $i++) {
    161. 

  161.             $new_sources = [];
    162. 

  162. 

  163.             foreach ($sources as $source) {
    164. 

  164.                 $source_taints = $source->taints;
    165. 

  165.                 \sort($source_taints);
    166. 

  166. 

  167.                 $visited_source_ids[$source->id][implode(',', $source_taints)] = true;
    168. 

  168. 

  169.                 $generated_sources = $this->getSpecializedSources($source);
    170. 

  170. 

  171.                 foreach ($generated_sources as $generated_source) {
    172. 

  172.                     $new_sources = array_merge(
    173. 

  173.                         $new_sources,
    174. 

  174.                         $this->getChildNodes(
    175. 

  175.                             $generated_source,
    176. 

  176.                             $source_taints,
    177. 

  177.                             $sinks,
    178. 

  178.                             $visited_source_ids
    179. 

  179.                         )
    180. 

  180.                     );
    181. 

  181.                 }
    182. 

  182.             }
    183. 

  183. 

  184.             $sources = $new_sources;
    185. 

  185.         }
    186. 

  186.     }
    187. 

  187. 

  188.     /**
    189. 

  189.      * @param array<string> $source_taints
    190. 

  190.      * @param array<ControlFlowNode> $sinks
    191. 

  191.      * @return array<ControlFlowNode>
    192. 

  192.      */
    193. 

  193.     private function getChildNodes(
    194. 

  194.         ControlFlowNode $generated_source,
    195. 

  195.         array $source_taints,
    196. 

  196.         array $sinks,
    197. 

  197.         array $visited_source_ids
    198. 

  198.     ) : array {
    199. 

  199.         $new_sources = [];
    200. 

  200. 

  201.         foreach ($this->forward_edges[$generated_source->id] as $to_id => $path) {
    202. 

  202.             $path_type = $path->type;
    203. 

  203.             $added_taints = $path->unescaped_taints ?: [];
    204. 

  204.             $removed_taints = $path->escaped_taints ?: [];
    205. 

  205. 

  206.             if (!isset($this->nodes[$to_id])) {
    207. 

  207.                 continue;
    208. 

  208.             }
    209. 

  209. 

  210.             $new_taints = \array_unique(
    211. 

  211.                 \array_diff(
    212. 

  212.                     \array_merge($source_taints, $added_taints),
    213. 

  213.                     $removed_taints
    214. 

  214.                 )
    215. 

  215.             );
    216. 

  216. 

  217.             \sort($new_taints);
    218. 

  218. 

  219.             $destination_node = $this->nodes[$to_id];
    220. 

  220. 

  221.             if (isset($visited_source_ids[$to_id][implode(',', $new_taints)])) {
    222. 

  222.                 continue;
    223. 

  223.             }
    224. 

  224. 

  225.             if (self::shouldIgnoreFetch($path_type, 'array', $generated_source->path_types)) {
    226. 

  226.                 continue;
    227. 

  227.             }
    228. 

  228. 

  229.             if (self::shouldIgnoreFetch($path_type, 'property', $generated_source->path_types)) {
    230. 

  230.                 continue;
    231. 

  231.             }
    232. 

  232. 

  233.             if (isset($sinks[$to_id])) {
    234. 

  234.                 $matching_taints = array_intersect($sinks[$to_id]->taints, $new_taints);
    235. 

  235. 

  236.                 if ($matching_taints && $generated_source->code_location) {
    237. 

  237.                     $config = \Psalm\Config::getInstance();
    238. 

  238. 

  239.                     if ($sinks[$to_id]->code_location
    240. 

  240.                         && $config->reportIssueInFile('TaintedInput', $sinks[$to_id]->code_location->file_path)
    241. 

  241.                     ) {
    242. 

  242.                         $issue_location = $sinks[$to_id]->code_location;
    243. 

  243.                     } else {
    244. 

  244.                         $issue_location = $generated_source->code_location;
    245. 

  245.                     }
    246. 

  246. 

  247.                     if (IssueBuffer::accepts(
    248. 

  248.                         new TaintedInput(
    249. 

  249.                             'Detected tainted ' . implode(', ', $matching_taints),
    250. 

  250.                             $issue_location,
    251. 

  251.                             $this->getIssueTrace($generated_source),
    252. 

  252.                             $this->getPredecessorPath($generated_source)
    253. 

  253.                                 . ' -> ' . $this->getSuccessorPath($sinks[$to_id])
    254. 

  254.                         )
    255. 

  255.                     )) {
    256. 

  256.                         // fall through
    257. 

  257.                     }
    258. 

  258. 

  259.                     continue;
    260. 

  260.                 }
    261. 

  261.             }
    262. 

  262. 

  263.             $new_destination = clone $destination_node;
    264. 

  264.             $new_destination->previous = $generated_source;
    265. 

  265.             $new_destination->taints = $new_taints;
    266. 

  266.             $new_destination->specialized_calls = $generated_source->specialized_calls;
    267. 

  267.             $new_destination->path_types = array_merge($generated_source->path_types, [$path_type]);
    268. 

  268. 

  269.             $new_sources[$to_id] = $new_destination;
    270. 

  270.         }
    271. 

  271. 

  272.         return $new_sources;
    273. 

  273.     }
    274. 

  274. 

  275.     /** @return array<ControlFlowNode> */
    276. 

  276.     private function getSpecializedSources(ControlFlowNode $source) : array
    277. 

  277.     {
    278. 

  278.         $generated_sources = [];
    279. 

  279. 

  280.         if (isset($this->forward_edges[$source->id])) {
    281. 

  281.             return [$source];
    282. 

  282.         }
    283. 

  283. 

  284.         if ($source->specialization_key && isset($this->specialized_calls[$source->specialization_key])) {
    285. 

  285.             $generated_source = clone $source;
    286. 

  286. 

  287.             $generated_source->specialized_calls[$source->specialization_key]
    288. 

  288.                 = $this->specialized_calls[$source->specialization_key];
    289. 

  289. 

  290.             $generated_source->id = substr($source->id, 0, -strlen($source->specialization_key) - 1);
    291. 

  291. 

  292.             $generated_sources[] = $generated_source;
    293. 

  293.         } elseif (isset($this->specializations[$source->id])) {
    294. 

  294.             foreach ($this->specializations[$source->id] as $specialization => $_) {
    295. 

  295.                 if (!$source->specialized_calls || isset($source->specialized_calls[$specialization])) {
    296. 

  296.                     $new_source = clone $source;
    297. 

  297. 

  298.                     $new_source->id = $source->id . '-' . $specialization;
    299. 

  299. 

  300.                     $generated_sources[] = $new_source;
    301. 

  301.                 }
    302. 

  302.             }
    303. 

  303.         } else {
    304. 

  304.             foreach ($source->specialized_calls as $key => $map) {
    305. 

  305.                 if (isset($map[$source->id]) && isset($this->forward_edges[$source->id . '-' . $key])) {
    306. 

  306.                     $new_source = clone $source;
    307. 

  307. 

  308.                     $new_source->id = $source->id . '-' . $key;
    309. 

  309. 

  310.                     $generated_sources[] = $new_source;
    311. 

  311.                 }
    312. 

  312.             }
    313. 

  313.         }
    314. 

  314. 

  315.         return \array_filter(
    316. 

  316.             $generated_sources,
    317. 

  317.             function ($new_source): bool {
    318. 

  318.                 return isset($this->forward_edges[$new_source->id]);
    319. 

  319.             }
    320. 

  320.         );
    321. 

  321.     }
    322. 

  322. }
    323.