Custom Tainted Input Sources #5933
yoshifp started this conversation in Plugin development
Replies: 1 comment
Related issue: #5186
Hello,

I am looking to write a custom plugin for Psalm with the intention of publishing it once I get it working for Yii 1.1, and another for Yii 2, with a focus on Tainted Input issues.

I've been able to use the annotations and phpstub system for my initial analysis, but I have found it is not identifying other Tainted Input sources due to the way the framework calls certain functions. The example I have is when the parameters are passed to `Controller::actionMethod($param)` within a controller: these aren't identified as tainted input while they are being populated from `$_GET`. In Yii 1.1, the Controller is initialised, then processes the requested Action (route), which gathers the parameters and calls the method via Reflection, via a protected method. This seems to be where my problem lies, as Psalm doesn't know this is calling `Controller::actionMethod($param)` with `$param` populated from `$_GET`. I have taken a look at the plugin samples Psalm provides, and some other plugins published (e.g. Symfony), but I am not having much luck, especially not finding anything that is adding a similar Tainted Input source.

I'm currently trying to write a plugin which will treat any parameter in a `Controller::actionMethod()` context as Tainted Input. If there is a better way to do this, such as with Psalm configuration and without writing a plugin, or if you can help with some sample code, I'd appreciate it. I did try adding annotations onto the function in the Controller, which didn't help and isn't sustainable on a large code base. I essentially have a skeleton plugin going which is being loaded, but I haven't been able to get it to trigger any new tainted input issues.
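The following is an added example of the kind of plugin the post describes; it is not code from the post author or from the Psalm project. It uses Psalm's custom taint source hook (`AddTaintsInterface`, fired for each analysed expression) to mark every declared parameter of a controller action method as an input taint source, so that a flow from such a parameter to a sink is reported just as a flow from `$_GET` would be. Assumptions: the Psalm 4/5 plugin API where taint kinds are strings; the base controller class names `CController` (Yii 1.1) and `yii\web\Controller` (Yii 2); that `Context::$calling_method_id` holds the lowercased `class::method` being analysed; and that the internal `MethodIdentifier`/`Methods::getStorage` calls are available to look up the method's parameter list. The namespace and class names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical namespace for this example plugin.
namespace Example\PsalmYiiTaint;

use PhpParser\Node\Expr\Variable;
use Psalm\Internal\MethodIdentifier;
use Psalm\Plugin\EventHandler\AddTaintsInterface;
use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent;
use Psalm\Plugin\PluginEntryPointInterface;
use Psalm\Plugin\RegistrationInterface;
use Psalm\Type\TaintKindGroup;
use SimpleXMLElement;

/**
 * Treats every declared parameter of a controller action as request input.
 *
 * Yii fills action parameters from the query string by name and invokes
 * the action through reflection, so Psalm never sees a call site that
 * would propagate the taint from $_GET. This hook adds the taint at the
 * point where the parameter variable is read inside the action body.
 */
final class ActionParamTaints implements AddTaintsInterface
{
    /** Assumed framework base classes whose action methods receive request data. */
    private const CONTROLLER_BASES = ['CController', 'yii\web\Controller'];

    /** @return list<string> taint kinds to add to the type of $event->getExpr() */
    public static function addTaints(AddRemoveTaintsEvent $event): array
    {
        $expr = $event->getExpr();
        // Only plain variable reads such as $param are candidates.
        if (!$expr instanceof Variable || !is_string($expr->name)) {
            return [];
        }

        // Assumed to be "class::method" (lowercased) inside a method, null elsewhere.
        $method_id = $event->getContext()->calling_method_id;
        if ($method_id === null || strpos($method_id, '::') === false) {
            return [];
        }
        [$fq_class, $method_name] = explode('::', $method_id, 2);

        // Yii action methods are named action<Name>; skip the unrelated actions() hook.
        if (strpos($method_name, 'action') !== 0 || strlen($method_name) <= 6 || $method_name === 'actions') {
            return [];
        }

        $codebase = $event->getCodebase();
        $is_controller = false;
        foreach (self::CONTROLLER_BASES as $base) {
            if ($codebase->classExtends($fq_class, $base)) {
                $is_controller = true;
                break;
            }
        }
        if (!$is_controller) {
            return [];
        }

        // Only the method's own parameters are request input; locals are not.
        $storage = $codebase->methods->getStorage(MethodIdentifier::fromMethodIdReference($method_id));
        foreach ($storage->params as $param) {
            if ($param->name === $expr->name) {
                // Same taint set Psalm assigns to $_GET / $_POST reads.
                return TaintKindGroup::ALL_INPUT;
            }
        }

        return [];
    }
}

/**
 * Plugin entry point; register in psalm.xml as
 *   <plugins><pluginClass class="Example\PsalmYiiTaint\Plugin"/></plugins>
 * and run Psalm with --taint-analysis.
 */
final class Plugin implements PluginEntryPointInterface
{
    public function __invoke(RegistrationInterface $registration, ?SimpleXMLElement $config = null): void
    {
        // The hook class lives in this file, so it is already loaded.
        $registration->registerHooksFromClass(ActionParamTaints::class);
    }
}
```

The check is deliberately over-approximate: every read of a variable that shares its name with an action parameter is tainted, including reads after the parameter has been reassigned to a sanitised value, so expect some false positives until the flow graph sees the sanitiser. Adding the taint at the read site rather than at a synthetic call site is what lets this work without annotating each controller, which is the maintenance concern raised in the post.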