mirror of
https://github.com/nextcloud/server.git
synced 2026-02-03 20:41:22 -05:00
47ac8e0028
This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/ It also adds a plugin for adding input into AppFramework. The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning **Q&A:** Q: Why do you not use the shipped Psalm version? A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want. Q: How do I improve false positives? A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/ Q: How do I add custom sources? A: https://psalm.dev/docs/security_analysis/custom_taint_sources/ Q: We should run this on apps! A: Yes. Q: What will change in Psalm? A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on. Q: Why is the plugin MIT licensed? A: Because its the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :) Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
60 lines
2.3 KiB
PHP
60 lines
2.3 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Copyright (c) 2020 Lukas Reschke <lukas@statuscode.ch>
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
* in the Software without restriction, including without limitation the rights
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in all
|
|
* copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
* SOFTWARE.
|
|
*/
|
|
use Psalm\CodeLocation;
|
|
use Psalm\Plugin\Hook\AfterFunctionLikeAnalysisInterface;
|
|
use Psalm\Type\TaintKindGroup;
|
|
|
|
class AppFrameworkTainter implements AfterFunctionLikeAnalysisInterface {
|
|
public static function afterStatementAnalysis(
|
|
PhpParser\Node\FunctionLike $stmt,
|
|
Psalm\Storage\FunctionLikeStorage $classlike_storage,
|
|
Psalm\StatementsSource $statements_source,
|
|
Psalm\Codebase $codebase,
|
|
array &$file_replacements = []
|
|
): ?bool {
|
|
if ($statements_source->getFQCLN() !== null) {
|
|
if ($codebase->classExtendsOrImplements($statements_source->getFQCLN(), \OCP\AppFramework\Controller::class)) {
|
|
if ($stmt instanceof PhpParser\Node\Stmt\ClassMethod) {
|
|
if ($stmt->isPublic() && !$stmt->isMagic()) {
|
|
foreach ($stmt->params as $i => $param) {
|
|
$expr_type = new Psalm\Type\Union([new Psalm\Type\Atomic\TString()]);
|
|
$expr_identifier = (strtolower($statements_source->getFQCLN()) . '::' . strtolower($classlike_storage->cased_name) . '#' . ($i+1));
|
|
|
|
if ($expr_type) {
|
|
$codebase->addTaintSource(
|
|
$expr_type,
|
|
$expr_identifier,
|
|
TaintKindGroup::ALL_INPUT,
|
|
new CodeLocation($statements_source, $param)
|
|
);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return null;
|
|
}
|
|
}
|