Page MenuHomePhabricator
Create Task
Maniphest T204911

make phan-taint-check handle array_map
Open, Needs TriagePublic
Actions

Description

E.g. line 865 DatabasePostgres.php, of which a simplified version is:

$arr = some_unsafe_data_in_an_array;
$list = implode( ',', array_map( [ $this, 'addQuotes' ], $arr ) );
$this->query( "SELECT * FROM tb WHERE fld IN ($list)" );

Related Objects

Event Timeline

Bawolff created this task.Sep 20 2018, 5:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 20 2018, 5:23 AM
Bawolff moved this task from Backlog to Plugin itself on the phan-taint-check-plugin board.Feb 17 2019, 12:18 PM
Daimona updated the task description. (Show Details)May 6 2019, 12:18 PM
Daimona added a project: User-Daimona.May 7 2019, 5:48 PM
Daimona subscribed.Jul 6 2020, 8:28 AM

So, phan does this with an ad-hoc internal plugin (ArrayReturnTypeOverridePlugin, source), where it keeps a map of array functions and closures that applies their effects on the array shape.

I think we should adopt a similar approach, i.e. hook into getTaintOfFunctionPHP and override the taint for array functions. The list used by phan can be used as a baseline for what functions we should handle and what's their effect, but aside from that we cannot reuse anything because phan works on union types, and we work on taintedness.

It goes without saying that any progress in this task should not happen before T253875.

Daimona added a comment.Jul 6 2020, 4:07 PM

(POC at https://gerrit.wikimedia.org/r/c/mediawiki/tools/phan/SecurityCheckPlugin/+/609803, it doesn't really handle array_map though).

Daimona added a comment.Jan 15 2021, 1:27 PM

Given the recent improvements re tracking array shapes, I think it might be a good time to do this. I still think that we should keep a list of "special-cased" internal functions, and check that list at the beginning of getTaintOfFunctionPHP. For array_map, it would be something similar to handling a call to the provided callback, passing the following arguments to array_map as arguments to the callback. I'll try this soon-ish.

Daimona mentioned this in T272134: Follow-up to T272123: check if the errors are valid.Jan 15 2021, 2:10 PM
matmarex subscribed.Feb 10 2024, 1:20 AM

This would be nice to have, it comes up as an annoyance fairly often, e.g. https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1000243

For reference, the current behavior of array_map is implemented here: "For now we only preserve taintedness of array arguments." https://gerrit.wikimedia.org/g/mediawiki/tools/phan/SecurityCheckPlugin/+/01fb7e924a2e9fa58e88eda61775feccee38aad6/src/TaintednessBaseVisitor.php#2318

Daimona added a comment.Feb 10 2024, 1:42 AM

Very old and experimental patch: https://gerrit.wikimedia.org/r/c/mediawiki/tools/phan/SecurityCheckPlugin/+/656523

I'd say the only useful thing from that patch are the test cases, as the actual code needs to be rewritten from scratch. I'm not sure if this would be easier to do now than in 2021.

Jdforrester-WMF subscribed.Feb 10 2024, 1:59 PM
Daimona removed a project: User-Daimona.Mar 3 2024, 5:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL