Merge pull request #11384 from vimeo/combined_analysis

Combined analysis

Author: danog

docs/security_analysis/index.md

@@ -2,7 +2,7 @@
 
 Psalm can attempt to find connections between user-controlled input (like `$_GET['name']`) and places that we don’t want unescaped user-controlled input to end up (like `echo "<h1>$name</h1>"` by looking at the ways that data flows through your application (via assignments, function/method calls and array/property access).
 
-You can enable this mode with the `--taint-analysis` command line flag. When taint analysis is enabled, no other analysis is performed.  To [ensure comprehensive results](https://github.com/vimeo/psalm/issues/6156), Psalm should be run normally prior to taint analysis, and any errors should be fixed.
+You can enable this mode with the `--taint-analysis` command line flag.  
 
 Tainted input is anything that can be controlled, wholly or in part, by a user of your application. In taint analysis, tainted input is called a _taint source_.
 

psalm-baseline.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="dev-master@354b4d49a646d88aeb9612668c15402416cc70c0">
+<files psalm-version="dev-master@a4b37609d5438890372257fef3012cad3e0ca48d">
   <file src="examples/TemplateChecker.php">
     <PossiblyUndefinedIntArrayOffset>
       <code><![CDATA[$comment_block->tags['variablesfrom'][0]]]></code>
@@ -154,6 +154,11 @@
       <code><![CDATA[$creating_conditional_id]]></code>
     </RiskyTruthyFalsyComparison>
   </file>
+  <file src="src/Psalm/Internal/Algebra/FormulaGenerator.php">
+    <ComplexMethod>
+      <code><![CDATA[getFormula]]></code>
+    </ComplexMethod>
+  </file>
   <file src="src/Psalm/Internal/Analyzer/AlgebraAnalyzer.php">
     <ImplicitToStringCast>
       <code><![CDATA[$clause_1]]></code>
@@ -403,6 +408,9 @@
     </ArgumentTypeCoercion>
   </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Block/ForeachAnalyzer.php">
+    <ComplexMethod>
+      <code><![CDATA[checkIteratorType]]></code>
+    </ComplexMethod>
     <ConflictingReferenceConstraint>
       <code><![CDATA[if (AtomicTypeComparator::isContainedBy(]]></code>
       <code><![CDATA[if (AtomicTypeComparator::isContainedBy(]]></code>
@@ -452,6 +460,11 @@
       <code><![CDATA[$statements_analyzer->getTemplateTypeMap()]]></code>
     </RiskyTruthyFalsyComparison>
   </file>
+  <file src="src/Psalm/Internal/Analyzer/Statements/Block/LoopAnalyzer.php">
+    <ComplexMethod>
+      <code><![CDATA[analyze]]></code>
+    </ComplexMethod>
+  </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Block/SwitchAnalyzer.php">
     <InvalidPropertyAssignmentValue>
       <code><![CDATA[$context->assigned_var_ids += $switch_scope->new_assigned_var_ids]]></code>
@@ -936,16 +949,6 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Expression/Call/FunctionCallAnalyzer.php">
-    <PossiblyNullArgument>
-      <code><![CDATA[$function_name]]></code>
-      <code><![CDATA[$function_name]]></code>
-    </PossiblyNullArgument>
-    <PossiblyNullPropertyFetch>
-      <code><![CDATA[$stmt->getArgs()[0]->value]]></code>
-    </PossiblyNullPropertyFetch>
-    <PossiblyUndefinedArrayOffset>
-      <code><![CDATA[$stmt->getArgs()[0]]]></code>
-    </PossiblyUndefinedArrayOffset>
     <PossiblyUndefinedIntArrayOffset>
       <code><![CDATA[$parts[1]]]></code>
     </PossiblyUndefinedIntArrayOffset>
@@ -989,6 +992,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Expression/Call/Method/ExistingAtomicMethodCallAnalyzer.php">
+    <ComplexMethod>
+      <code><![CDATA[analyze]]></code>
+    </ComplexMethod>
     <ImplicitToStringCast>
       <code><![CDATA[$method_id]]></code>
       <code><![CDATA[$pseudo_set_type]]></code>
@@ -1120,6 +1126,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Expression/Call/StaticMethod/ExistingAtomicStaticCallAnalyzer.php">
+    <ComplexMethod>
+      <code><![CDATA[analyze]]></code>
+    </ComplexMethod>
     <ImplicitToStringCast>
       <code><![CDATA[$method_id]]></code>
       <code><![CDATA[$method_id]]></code>
@@ -1200,6 +1209,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Expression/Fetch/ArrayFetchAnalyzer.php">
+    <ComplexMethod>
+      <code><![CDATA[handleArrayAccessOnKeyedArray]]></code>
+    </ComplexMethod>
     <ImplicitToStringCast>
       <code><![CDATA[$array_type]]></code>
       <code><![CDATA[$array_type]]></code>
@@ -1305,6 +1317,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Analyzer/Statements/Expression/SimpleTypeInferer.php">
+    <ComplexMethod>
+      <code><![CDATA[infer]]></code>
+    </ComplexMethod>
     <RiskyTruthyFalsyComparison>
       <code><![CDATA[$fq_classlike_name]]></code>
     </RiskyTruthyFalsyComparison>
@@ -1489,6 +1504,11 @@
       <code><![CDATA[empty($classlike_storage->overridden_method_ids[$method_name])]]></code>
     </RiskyTruthyFalsyComparison>
   </file>
+  <file src="src/Psalm/Internal/Codebase/CombinedFlowGraph.php">
+    <PossiblyUnusedMethod>
+      <code><![CDATA[addSink]]></code>
+    </PossiblyUnusedMethod>
+  </file>
   <file src="src/Psalm/Internal/Codebase/ConstantTypeResolver.php">
     <InvalidOperand>
       <code><![CDATA[$left->value & $right->value]]></code>
@@ -2147,6 +2167,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Type/Comparator/AtomicTypeComparator.php">
+    <ComplexMethod>
+      <code><![CDATA[isContainedBy]]></code>
+    </ComplexMethod>
     <PossiblyUndefinedIntArrayOffset>
       <code><![CDATA[$array->properties[0]]]></code>
       <code><![CDATA[$array->properties[0]]]></code>
@@ -2271,6 +2294,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Type/TemplateStandinTypeReplacer.php">
+    <ComplexMethod>
+      <code><![CDATA[handleTemplateParamStandin]]></code>
+    </ComplexMethod>
     <ImpureMethodCall>
       <code><![CDATA[getClassTemplateTypes]]></code>
     </ImpureMethodCall>
@@ -2318,6 +2344,9 @@
     </RiskyTruthyFalsyComparison>
   </file>
   <file src="src/Psalm/Internal/Type/TypeExpander.php">
+    <ComplexMethod>
+      <code><![CDATA[expandConditional]]></code>
+    </ComplexMethod>
     <InvalidArgument>
       <code><![CDATA[$fallback_params]]></code>
     </InvalidArgument>
@@ -2860,6 +2889,14 @@
       <code><![CDATA[empty($normalizedEntry['type'])]]></code>
     </RiskyTruthyFalsyComparison>
   </file>
+  <file src="tests/ReportOutputTest.php">
+    <MixedAssignment>
+      <code><![CDATA[$issue_data]]></code>
+    </MixedAssignment>
+    <PossiblyFalseArgument>
+      <code><![CDATA[file_get_contents(__DIR__.'/sarif.json')]]></code>
+    </PossiblyFalseArgument>
+  </file>
   <file src="tests/TestConfig.php">
     <InvalidExtendClass>
       <code><![CDATA[Config]]></code>

psalm.xml.dist

@@ -5,7 +5,7 @@
     name="Psalm for Psalm"
     errorLevel="1"
     noCache="true"
-    forceJit="true"
+    forceJit="false"
     throwExceptionOnError="0"
     findUnusedCode="true"
     ensureArrayStringOffsetsExist="true"
@@ -16,6 +16,7 @@
     allFunctionsGlobal="true"
     ensureOverrideAttribute="true"
     allConstantsGlobal="true"
+    runTaintAnalysis="true"
     findUnusedPsalmSuppress="true"
     findUnusedBaselineEntry="true"
     findUnusedIssueHandlerSuppression="true"

src/Psalm/Internal/Analyzer/ClosureAnalyzer.php

@@ -8,7 +8,6 @@
 use PhpParser;
 use Psalm\CodeLocation;
 use Psalm\Context;
-use Psalm\Internal\Codebase\VariableUseGraph;
 use Psalm\Internal\DataFlow\DataFlowNode;
 use Psalm\Internal\PhpVisitor\ShortClosureVisitor;
 use Psalm\Issue\DuplicateParam;
@@ -138,13 +137,13 @@ public static function analyzeExpression(
 
                 $use_var_id = '$' . $use->var->name;
 
-                if ($statements_analyzer->data_flow_graph instanceof VariableUseGraph
+                if ($statements_analyzer->variable_use_graph
                     && $context->hasVariable($use_var_id)
                 ) {
                     $parent_nodes = $context->vars_in_scope[$use_var_id]->parent_nodes;
 
                     foreach ($parent_nodes as $parent_node) {
-                        $statements_analyzer->data_flow_graph->addPath(
+                        $statements_analyzer->variable_use_graph->addPath(
                             $parent_node,
                             DataFlowNode::getForClosureUse(),
                             'closure-use',
@@ -184,11 +183,11 @@ public static function analyzeExpression(
                 if ($context->hasVariable($use_var_id)) {
                     $use_context->vars_in_scope[$use_var_id] = $context->vars_in_scope[$use_var_id];
 
-                    if ($statements_analyzer->data_flow_graph instanceof VariableUseGraph) {
+                    if ($statements_analyzer->variable_use_graph) {
                         $parent_nodes = $context->vars_in_scope[$use_var_id]->parent_nodes;
 
                         foreach ($parent_nodes as $parent_node) {
-                            $statements_analyzer->data_flow_graph->addPath(
+                            $statements_analyzer->variable_use_graph->addPath(
                                 $parent_node,
                                 DataFlowNode::getForClosureUse(),
                                 'closure-use',

src/Psalm/Internal/Analyzer/FunctionLikeAnalyzer.php

@@ -20,8 +20,6 @@
 use Psalm\Internal\Analyzer\FunctionLike\ReturnTypeCollector;
 use Psalm\Internal\Analyzer\Statements\Expression\Call\FunctionCallReturnTypeFetcher;
 use Psalm\Internal\Analyzer\Statements\ExpressionAnalyzer;
-use Psalm\Internal\Codebase\TaintFlowGraph;
-use Psalm\Internal\Codebase\VariableUseGraph;
 use Psalm\Internal\DataFlow\DataFlowNode;
 use Psalm\Internal\FileManipulation\FileManipulationBuffer;
 use Psalm\Internal\FileManipulation\FunctionDocblockManipulator;
@@ -1070,39 +1068,36 @@ private function processParams(
             if ($statements_analyzer->data_flow_graph
                 && $function_param->location
             ) {
-                //don't add to taint flow graph if the type can't transmit taints
-                if (!$statements_analyzer->data_flow_graph instanceof TaintFlowGraph
-                    || $function_param->type === null
-                    || !$function_param->type->isSingle()
-                    || (!$function_param->type->isInt()
-                        && !$function_param->type->isFloat()
-                        && !$function_param->type->isBool())
-                ) {
-                    $param_assignment = DataFlowNode::getForAssignment(
-                        $function_param_id,
-                        $function_param->location,
-                    );
-
-                    $statements_analyzer->data_flow_graph->addNode($param_assignment);
+                $param_assignment = DataFlowNode::getForAssignment(
+                    $function_param_id,
+                    $function_param->location,
+                );
 
-                    if ($cased_method_id !== null) {
-                        $type_source = DataFlowNode::getForMethodArgument(
-                            $cased_method_id,
-                            $cased_method_id,
-                            $offset,
-                            $function_param->location,
-                            null,
-                        );
+                $statements_analyzer->data_flow_graph->addNode($param_assignment);
 
-                        $statements_analyzer->data_flow_graph->addPath($type_source, $param_assignment, 'param');
-                    }
+                if ($cased_method_id !== null) {
+                    $type_source = DataFlowNode::getForMethodArgument(
+                        $cased_method_id,
+                        $cased_method_id,
+                        $offset,
+                        $function_param->location,
+                        null,
+                    );
 
-                    if ($storage->variadic) {
-                        $this->param_nodes += [$param_assignment->id => $param_assignment];
-                    }
+                    $statements_analyzer->data_flow_graph->addPath(
+                        $type_source,
+                        $param_assignment,
+                        'param',
+                        0,
+                        $function_param->signature_type?->getTaintsToRemove() ?? 0,
+                    );
+                }
 
-                    $parent_nodes = [$param_assignment->id => $param_assignment];
+                if ($storage->variadic) {
+                    $this->param_nodes += [$param_assignment->id => $param_assignment];
                 }
+
+                $parent_nodes = [$param_assignment->id => $param_assignment];
             }
 
             if ($function_param->type) {
@@ -2211,9 +2206,7 @@ private function detectUnusedParameters(
 
             $assignment_node = DataFlowNode::getForAssignment($var_name, $original_location);
 
-            if ($statements_analyzer->data_flow_graph instanceof VariableUseGraph
-                && $statements_analyzer->data_flow_graph->isVariableUsed($assignment_node)
-            ) {
+            if ($statements_analyzer->variable_use_graph?->isVariableUsed($assignment_node)) {
                 continue;
             }
 

src/Psalm/Internal/Analyzer/Statements/Block/IfElseAnalyzer.php

@@ -428,7 +428,7 @@ public static function analyze(
                             $codebase,
                         );
 
-                        if (!$combined_type->equals($context->vars_in_scope[$var_id])) {
+                        if (!$combined_type->equals($context->vars_in_scope[$var_id], true, false)) {
                             $context->removeDescendents($var_id, $combined_type);
                         }
 

src/Psalm/Internal/Analyzer/Statements/Block/TryAnalyzer.php

@@ -11,7 +11,6 @@
 use Psalm\Internal\Analyzer\ClassLikeNameOptions;
 use Psalm\Internal\Analyzer\ScopeAnalyzer;
 use Psalm\Internal\Analyzer\StatementsAnalyzer;
-use Psalm\Internal\Codebase\VariableUseGraph;
 use Psalm\Internal\DataFlow\DataFlowNode;
 use Psalm\Internal\Scope\FinallyScope;
 use Psalm\Issue\InvalidCatch;
@@ -310,13 +309,11 @@ public static function analyze(
                         ])
                     ;
 
-                    if ($statements_analyzer->data_flow_graph instanceof VariableUseGraph) {
-                        $statements_analyzer->data_flow_graph->addPath(
+                        $statements_analyzer->variable_use_graph?->addPath(
                             $catch_var_node,
                             DataFlowNode::getForVariableUse(),
                             'variable-use',
                         );
-                    }
                 }
             }
 

src/Psalm/Internal/Analyzer/Statements/EchoAnalyzer.php

@@ -11,7 +11,6 @@
 use Psalm\Internal\Analyzer\Statements\Expression\Call\ArgumentAnalyzer;
 use Psalm\Internal\Analyzer\Statements\Expression\CastAnalyzer;
 use Psalm\Internal\Analyzer\StatementsAnalyzer;
-use Psalm\Internal\Codebase\TaintFlowGraph;
 use Psalm\Internal\DataFlow\DataFlowNode;
 use Psalm\Issue\ForbiddenCode;
 use Psalm\Issue\ImpureFunctionCall;
@@ -44,7 +43,7 @@ public static function analyze(
 
             $expr_type = $statements_analyzer->node_data->getType($expr);
 
-            if ($statements_analyzer->data_flow_graph instanceof TaintFlowGraph) {
+            if ($statements_analyzer->taint_flow_graph) {
                 if ($expr_type && $expr_type->hasObjectType()) {
                     $expr_type = CastAnalyzer::castStringAttempt(
                         $statements_analyzer,
@@ -70,7 +69,7 @@ public static function analyze(
                 );
 
 
-                $statements_analyzer->data_flow_graph->addSink($echo_param_sink);
+                $statements_analyzer->taint_flow_graph->addSink($echo_param_sink);
             }
 
             if (ArgumentAnalyzer::verifyType(