Page MenuHomePhabricator
Create Task
Maniphest T291743

Caused-by lines for annotated params should say so, rather than report the line of the signature
Closed, ResolvedPublic
Actions

Description

<?php

/**
 * @return-taint tainted
 */
function getUnsafe() { // Line 6
}
echo getUnsafe();

input:8: SecurityCheck-XSS Echoing expression that was not html escaped (Caused by: input +6)

(demo link)

The caused-by line should say something like "return value of \getUnsafe() is annotated at input.php +4", and not point to line 6.

Details

SubjectRepoBranchLines +/-
Improve caused-by error for annotated functionsmediawiki/tools/phan/SecurityCheckPluginmaster+115 -113
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Sep 25 2021, 6:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 25 2021, 6:46 PM
Daimona moved this task from Backlog to Plugin itself on the phan-taint-check-plugin board.Oct 15 2022, 5:22 PM
Daimona mentioned this in T166010: The Great Namespaceization Effort.Oct 27 2022, 1:38 PM
Daimona mentioned this in T321806: Move hardcoded taintedness data from taint-check to annotations in MW core.
gerritbot added a comment.Sep 27 2023, 11:22 PM

Change 961485 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] Improve caused-by error for annotated functions

https://gerrit.wikimedia.org/r/961485

gerritbot added a project: Patch-For-Review.Sep 27 2023, 11:22 PM
Daimona claimed this task.Sep 27 2023, 11:23 PM

return value of \getUnsafe() is annotated at input.php +4

This is not easy. By the time we set the annotation, we don't know what parameters are annotated, nor what lines the annotations are on. But I think even just a general message mentioning annotations would be better than the status quo.

gerritbot added a comment.Sep 28 2023, 1:47 PM

Change 961485 merged by jenkins-bot:

[mediawiki/tools/phan/SecurityCheckPlugin@master] Improve caused-by error for annotated functions

https://gerrit.wikimedia.org/r/961485

Daimona closed this task as Resolved.Sep 28 2023, 2:01 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 28 2023, 2:11 PM
Daimona mentioned this in T351366: phan-taint-check-plugin needs clearer error messages.Nov 16 2023, 1:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL