[MediaWiki-commits] [Gerrit] mediawiki...SecurityCheckPlugin[master]: Add support for IDatabase::select style arguments
Brian Wolff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/394870 ) Change subject: Add support for IDatabase::select style arguments .. Add support for IDatabase::select style arguments Change-Id: Id52f45e3dfc21a4c522902a8d4d92e61b40b7202 --- M src/MediaWikiSecurityCheckPlugin.php M src/TaintednessBaseVisitor.php M src/TaintednessVisitor.php A tests/integration/arraynumkey/db.php A tests/integration/arraynumkey/expectedResults.txt A tests/integration/arraynumkey/test.php A tests/integration/multiassign/expectedResults.txt A tests/integration/multiassign/test.php A tests/integration/multiassign/test2.php 9 files changed, 289 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/tools/phan/SecurityCheckPlugin refs/changes/70/394870/1 diff --git a/src/MediaWikiSecurityCheckPlugin.php b/src/MediaWikiSecurityCheckPlugin.php index d17ebfa..2c25a07 100644 --- a/src/MediaWikiSecurityCheckPlugin.php +++ b/src/MediaWikiSecurityCheckPlugin.php @@ -76,6 +76,42 @@ // What should DB results be considered? 'overall' => self::YES_TAINT ], + '\Wikimedia\Rdbms\IDatabase::select' => [ + self::SQL_EXEC_TAINT, + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // the function name doesn't seem to be escaped + self::SQL_EXEC_TAINT, + // I'm not even sure for options + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // What should DB results be considered? + 'overall' => self::YES_TAINT + ], + '\Wikimedia\Rdbms\Database::select' => [ + self::SQL_EXEC_TAINT, + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // the function name doesn't seem to be escaped + self::SQL_EXEC_TAINT, + // I'm not even sure for options + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // What should DB results be considered? + 'overall' => self::YES_TAINT + ], + '\Wikimedia\Rdbms\DBConnRef::select' => [ + self::SQL_EXEC_TAINT, + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // the function name doesn't seem to be escaped + self::SQL_EXEC_TAINT, + // I'm not even sure for options + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // What should DB results be considered? + 'overall' => self::YES_TAINT + ], '\Wikimedia\Rdbms\Database::addIdentifierQuotes' => [ self::YES_TAINT & ~self::SQL_TAINT, 'overall' => self::NO_TAINT, diff --git a/src/TaintednessBaseVisitor.php b/src/TaintednessBaseVisitor.php index 89a47b1..4a01337 100644 --- a/src/TaintednessBaseVisitor.php +++ b/src/TaintednessBaseVisitor.php @@ -12,6 +12,7 @@ use Phan\Language\UnionType; use Phan\Language\Type\CallableType; use Phan\Language\Type\MixedType; +use Phan\Language\Type\IntType; use Phan\Language\Type\StringType; use Phan\Language\FQSEN\FullyQualifiedFunctionLikeName; use Phan\Language\FQSEN\FullyQualifiedFunctionName; @@ -1359,7 +1360,12 @@ ) { $issueType = 'SecurityCheck-XSS'; } elseif ( - $combinedTaint === SecurityCheckPlugin::SQL_TAINT + $combinedTaint === SecurityCheckPlugin::SQL_TAINT || + $combinedTaint === SecurityCheckPlugin::SQL_NUMKEY_TAINT || + $combinedTaint === ( + SecurityCheckPlugin::SQL_TAINT | + SecurityCheckPlugin::SQL_NUMKEY_TAINT + ) ) { $issueType = 'SecurityCheck-SQLInjection'; $severity = Issue::SEVERITY_CRITICAL; @@ -1459,6 +1465,16 @@ $curArgTaintedness = SecurityCheckPlugin::NO_TAINT; $effectiveArgTaintedness = SecurityCheckPlugin::NO_TAINT;
[MediaWiki-commits] [Gerrit] mediawiki...SecurityCheckPlugin[master]: Add support for IDatabase::select style arguments
Brian Wolff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/394870 ) Change subject: Add support for IDatabase::select style arguments .. Add support for IDatabase::select style arguments Change-Id: Id52f45e3dfc21a4c522902a8d4d92e61b40b7202 --- M src/MediaWikiSecurityCheckPlugin.php M src/TaintednessBaseVisitor.php M src/TaintednessVisitor.php A tests/integration/arraynumkey/db.php A tests/integration/arraynumkey/expectedResults.txt A tests/integration/arraynumkey/test.php A tests/integration/multiassign/expectedResults.txt A tests/integration/multiassign/test.php A tests/integration/multiassign/test2.php 9 files changed, 289 insertions(+), 1 deletion(-) diff --git a/src/MediaWikiSecurityCheckPlugin.php b/src/MediaWikiSecurityCheckPlugin.php index d17ebfa..2c25a07 100644 --- a/src/MediaWikiSecurityCheckPlugin.php +++ b/src/MediaWikiSecurityCheckPlugin.php @@ -76,6 +76,42 @@ // What should DB results be considered? 'overall' => self::YES_TAINT ], + '\Wikimedia\Rdbms\IDatabase::select' => [ + self::SQL_EXEC_TAINT, + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // the function name doesn't seem to be escaped + self::SQL_EXEC_TAINT, + // I'm not even sure for options + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // What should DB results be considered? + 'overall' => self::YES_TAINT + ], + '\Wikimedia\Rdbms\Database::select' => [ + self::SQL_EXEC_TAINT, + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // the function name doesn't seem to be escaped + self::SQL_EXEC_TAINT, + // I'm not even sure for options + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // What should DB results be considered? + 'overall' => self::YES_TAINT + ], + '\Wikimedia\Rdbms\DBConnRef::select' => [ + self::SQL_EXEC_TAINT, + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // the function name doesn't seem to be escaped + self::SQL_EXEC_TAINT, + // I'm not even sure for options + self::SQL_EXEC_TAINT, + self::SQL_NUMKEY_EXEC_TAINT, + // What should DB results be considered? + 'overall' => self::YES_TAINT + ], '\Wikimedia\Rdbms\Database::addIdentifierQuotes' => [ self::YES_TAINT & ~self::SQL_TAINT, 'overall' => self::NO_TAINT, diff --git a/src/TaintednessBaseVisitor.php b/src/TaintednessBaseVisitor.php index 89a47b1..4a01337 100644 --- a/src/TaintednessBaseVisitor.php +++ b/src/TaintednessBaseVisitor.php @@ -12,6 +12,7 @@ use Phan\Language\UnionType; use Phan\Language\Type\CallableType; use Phan\Language\Type\MixedType; +use Phan\Language\Type\IntType; use Phan\Language\Type\StringType; use Phan\Language\FQSEN\FullyQualifiedFunctionLikeName; use Phan\Language\FQSEN\FullyQualifiedFunctionName; @@ -1359,7 +1360,12 @@ ) { $issueType = 'SecurityCheck-XSS'; } elseif ( - $combinedTaint === SecurityCheckPlugin::SQL_TAINT + $combinedTaint === SecurityCheckPlugin::SQL_TAINT || + $combinedTaint === SecurityCheckPlugin::SQL_NUMKEY_TAINT || + $combinedTaint === ( + SecurityCheckPlugin::SQL_TAINT | + SecurityCheckPlugin::SQL_NUMKEY_TAINT + ) ) { $issueType = 'SecurityCheck-SQLInjection'; $severity = Issue::SEVERITY_CRITICAL; @@ -1459,6 +1465,16 @@ $curArgTaintedness = SecurityCheckPlugin::NO_TAINT; $effectiveArgTaintedness = SecurityCheckPlugin::NO_TAINT; } elseif ( isset( $taint[$i] ) ) { + if ( +