Fix tainting of function calls absent taintable params

muglug · muglug · commit 03e9649d49d5 · 2020-06-15T20:59:48.000-04:00
diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php
@@ -1025,49 +1025,50 @@ private static function getFunctionCallReturnType(
 
         if ($codebase->taint
             && $function_storage
-            && $function_storage->return_source_params
             && $stmt_type
             && $codebase->config->trackTaintsInPath($statements_analyzer->getFilePath())
         ) {
-            foreach ($function_storage->return_source_params as $i) {
-                if (!isset($stmt->args[$i])) {
-                    continue;
-                }
+            $return_location = new CodeLocation($statements_analyzer->getSource(), $stmt);
 
-                $arg_location = new CodeLocation(
-                    $statements_analyzer->getSource(),
-                    $stmt->args[$i]->value
-                );
+            $function_return_sink = TaintNode::getForMethodReturn(
+                $function_id,
+                $function_id,
+                $return_location,
+                $function_storage->specialize_call ? $return_location : null
+            );
 
-                $return_location = new CodeLocation($statements_analyzer->getSource(), $stmt);
+            $codebase->taint->addTaintNode($function_return_sink);
 
-                $function_param_sink = TaintNode::getForMethodArgument(
-                    $function_id,
-                    $function_id,
-                    $i,
-                    $arg_location,
-                    $function_storage->specialize_call ? $return_location : null
-                );
+            $stmt_type->parent_nodes[] = $function_return_sink;
 
-                $codebase->taint->addTaintNode($function_param_sink);
+            if ($function_storage->return_source_params) {
+                foreach ($function_storage->return_source_params as $i) {
+                    if (!isset($stmt->args[$i])) {
+                        continue;
+                    }
 
-                $function_return_sink = TaintNode::getForMethodReturn(
-                    $function_id,
-                    $function_id,
-                    $return_location,
-                    $function_storage->specialize_call ? $return_location : null
-                );
+                    $arg_location = new CodeLocation(
+                        $statements_analyzer->getSource(),
+                        $stmt->args[$i]->value
+                    );
 
-                $codebase->taint->addTaintNode($function_return_sink);
+                    $function_param_sink = TaintNode::getForMethodArgument(
+                        $function_id,
+                        $function_id,
+                        $i,
+                        $arg_location,
+                        $function_storage->specialize_call ? $return_location : null
+                    );
 
-                $codebase->taint->addPath(
-                    $function_param_sink,
-                    $function_return_sink,
-                    $function_storage->added_taints,
-                    $function_storage->removed_taints
-                );
+                    $codebase->taint->addTaintNode($function_param_sink);
 
-                $stmt_type->parent_nodes[] = $function_return_sink;
+                    $codebase->taint->addPath(
+                        $function_param_sink,
+                        $function_return_sink,
+                        $function_storage->added_taints,
+                        $function_storage->removed_taints
+                    );
+                }
             }
         }
 
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
@@ -9,7 +9,7 @@ class TaintTest extends TestCase
     /**
      * @return void
      */
-    public function testTaintedInputFromReturnTypeSimple()
+    public function testTaintedInputFromMethodReturnTypeSimple()
     {
         $this->expectException(\Psalm\Exception\CodeException::class);
         $this->expectExceptionMessage('TaintedInput');
@@ -38,6 +38,29 @@ public function deleteUser(PDO $pdo) : void {
         $this->analyzeFile('somefile.php', new Context());
     }
 
+    /**
+     * @return void
+     */
+    public function testTaintedInputFromFunctionReturnType()
+    {
+        $this->expectException(\Psalm\Exception\CodeException::class);
+        $this->expectExceptionMessage('TaintedInput');
+
+        $this->project_analyzer->trackTaintedInputs();
+
+        $this->addFile(
+            'somefile.php',
+            '<?php
+                function getName() : string {
+                    return $_GET["name"] ?? "unknown";
+                }
+
+                echo getName();'
+        );
+
+        $this->analyzeFile('somefile.php', new Context());
+    }
+
     /**
      * @return void
      */
