
Add dedicated types for 'file', 'header' and 'cookie' #4630

Merged
merged 5 commits
Nov 19, 2020

Conversation

LukasReschke
Contributor

@LukasReschke LukasReschke commented Nov 19, 2020

This creates the three new dedicated rules and the corresponding documentation:

  • file
  • header
  • cookie

For the file type, this change also adds more sinks.

Fixes #4596

'fopen' => [['shell']],
'header' => [['text']],
'file_get_contents' => [['file']],
'file_put_contents' => [['file']],
LukasReschke (Contributor Author) commented:

Technically that could also be used for RCE (by writing a file somewhere in the web root).

I'll make sure to document the different risks in the documentation for the file type. In the future we could consider having separate types that all potentially share similar sanitizers though.
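The flow the new 'file' type is meant to catch, and the web-root write raised in the comment above, as an added example (my code, not part of this PR or of Psalm itself). It assumes Psalm's documented taint annotations (`@psalm-taint-sink`, `@psalm-taint-escape`) and the `TaintedFile` issue name, none of which appear on this page, and an uploads directory path chosen for illustration. It also reads the mapping shown above (`'file_put_contents' => [['file']]`) as one taint-type list per argument position, so only the path argument is a 'file' sink; the contents argument is not flagged by that entry.

```php
<?php
declare(strict_types=1);

// Added example, not code from the PR or from Psalm. Annotation and issue names
// below are assumed to be Psalm's documented ones; they are not shown on the page.

/**
 * Vulnerable: the request controls the path, so a name such as
 * ../public/shell.php lands in the web root (the RCE case raised in review).
 * Under `psalm --taint-analysis`, $_GET is an 'input' source and, with this PR,
 * file_put_contents's first argument is a 'file' sink, so this flow is expected
 * to be reported as TaintedFile.
 */
function saveUploadUnsafe(): void
{
    $name = (string) ($_GET['name'] ?? '');
    $data = (string) ($_POST['data'] ?? '');
    file_put_contents($name, $data);
}

/**
 * Sanitizer: confines the name to one fixed directory and one fixed extension.
 * The escape annotation tells Psalm the return value may reach a 'file' sink.
 * That is a promise about this function, so the body has to enforce it.
 *
 * @psalm-taint-escape file
 */
function safeUploadPath(string $name): string
{
    // Assumed location; any directory outside the document root works.
    $baseDir = realpath(__DIR__ . '/../var/uploads');
    if ($baseDir === false) {
        throw new RuntimeException('upload directory missing');
    }
    // Drop any directory component, then allow only a conservative character set,
    // which also rules out '.' and therefore '..' and attacker-chosen extensions.
    $leaf = basename($name);
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $leaf)) {
        throw new InvalidArgumentException('invalid file name');
    }
    // Fixed extension the web server will not execute.
    return $baseDir . DIRECTORY_SEPARATOR . $leaf . '.txt';
}

/**
 * Hardened: same request data, but the path comes from the sanitizer, so the
 * 'file' taint is cleared before the sink.
 */
function saveUploadSafe(): void
{
    $name = (string) ($_GET['name'] ?? '');
    $data = (string) ($_POST['data'] ?? '');
    file_put_contents(safeUploadPath($name), $data);
}

/**
 * Application wrappers around the filesystem can declare their own 'file' sink
 * so they are treated like the built-in functions the PR maps.
 *
 * @psalm-taint-sink file $path
 */
function appendLog(string $path, string $line): void
{
    file_put_contents($path, $line . PHP_EOL, FILE_APPEND);
}
```

Run `vendor/bin/psalm --taint-analysis` over a file containing these functions: the unsafe function should produce a TaintedFile report and the safe one should not. The check to keep in mind is that an escape annotation only states that the taint is cleared; Psalm does not verify the sanitizer body, so a weak `safeUploadPath` silences the report without removing the bug.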

@LukasReschke LukasReschke changed the title [WIP] Add dedicated sinks for 'file', 'header' and 'cookie' Add dedicated sinks for 'file', 'header' and 'cookie' Nov 19, 2020
@LukasReschke LukasReschke marked this pull request as ready for review November 19, 2020 19:44
@LukasReschke LukasReschke changed the title Add dedicated sinks for 'file', 'header' and 'cookie' Add dedicated types for 'file', 'header' and 'cookie' Nov 19, 2020
@muglug muglug merged commit 78f4a06 into vimeo:master Nov 19, 2020
@muglug
Collaborator

muglug commented Nov 19, 2020

Thanks!

danog pushed a commit to danog/psalm that referenced this pull request Jan 29, 2021
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'

* Add documentation

* Add mapping for taint flows

* Add tests

* Fix test
Successfully merging this pull request may close these issues.

[Security] Improve file sinks