Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to implement custom taint type classes #10736

Open
wants to merge 1 commit into
base: 5.x
Choose a base branch
from
Open

Allow to implement custom taint type classes #10736

wants to merge 1 commit into from

Conversation

ohader
Copy link
Contributor

@ohader ohader commented Feb 22, 2024
edited
Loading

Instead of just having a generic TaintedCustom for custom taint - this change allows plugins/extensions to register their own custom taint type classes.

Examples

$registry = Config::getInstance()->taint_kind_registry;

$registry->defineKinds([
  'mine' => \Example\Package\TaintedMine::class,
  'yours' => \Example\Package\TaintedYours::class,
], TaintKindGroup::GROUP_INPUT);

$registry->defineGroup('my-input', 'html', 'sql', 'shell');

$registry->defineGroupProxy('input-sql', 'input', [
  'sql' => \Example\Package\TaintedSqlSecondOrder::class,
]);

$registry->getKind('html'); // returns TaintedHtml::class;
$registry->getGroupKinds('input'); // returns ['html', 'sql', ...]

Fixes: #9186

TODO

  • Extend input in TaintKindGroup
  • Add documentation & examples for custom taint type classes

@ohader ohader marked this pull request as draft February 22, 2024 18:16
@ohader ohader force-pushed the issue-9186-5.x branch 2 times, most recently from 402317b to d464f6a Compare February 22, 2024 22:20
@ohader
Copy link
Contributor Author

ohader commented Feb 22, 2024

The failing BC tests are handled code-wise in those methods

  • Psalm\Codebase#addTaintSource()
  • Psalm\Codebase#addTaintSink()

weirdan
weirdan reviewed Feb 22, 2024
View reviewed changes
src/Psalm/Issue/TaintTypeFactory.php Outdated
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps move it out of Psalm/Issue namespace?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm undecided here... TaintTypeFactory creates those TaintedInput instances and probably should stay in the same namespace. However, the TaintTypeRegistry is closer to Psalm\Config and might be moved up as Psalm\TaintTypeRegistry. What do you think?

weirdan
weirdan reviewed Feb 23, 2024
View reviewed changes
src/Psalm/Issue/TaintTypeFactory.php Outdated Show resolved Hide resolved
src/Psalm/Issue/TaintTypeRegistry.php Outdated Show resolved Hide resolved
@ohader ohader mentioned this pull request Feb 24, 2024
Merged
@ohader ohader force-pushed the issue-9186-5.x branch 5 times, most recently from 6eb590e to 208566f Compare February 26, 2024 14:36
@ohader ohader marked this pull request as ready for review February 26, 2024 14:46
@ohader ohader force-pushed the issue-9186-5.x branch 2 times, most recently from cc0e23c to c558108 Compare February 26, 2024 15:03
@ohader
Allow to implement custom taint type classes
126a4b8 
Instead of just having a generic `TaintedCustom` for custom
taint - this change allows plugins/extensions to register their
own custom taint type classes.

Examples

```
$registry = Config::getInstance()->taint_kind_registry;

$registry->defineKinds([
  'mine' => \Example\Package\TaintedMine::class,
  'yours' => \Example\Package\TaintedYours::class,
], TaintKindGroup::GROUP_INPUT);

$registry->defineGroup('my-input', 'html', 'sql', 'shell');

$registry->defineGroupProxy('input-sql', 'input', [
  'sql' => \Example\Package\TaintedSqlSecondOrder::class,
]);

$registry->getKind('html'); // returns TaintedHtml::class;
$registry->getGroupKinds('input'); // returns ['html', 'sql', ...]
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weirdan weirdan weirdan left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow to define custom taint types classes
2 participants
@ohader @weirdan