author | Morris Jobke <hey@morrisjobke.de> | 2018-04-17 13:45:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-04-17 13:45:27 +0200 |
commit | 1bc192fbd4ceba3aed46df77d21048baa915a176 (patch) | |
tree | 542f32276a4d9f7c2e466f9bd6eb3a636bef9e13 | |
parent | 63dfbb2127ec9a930778dd5d31b640c5f2cc3652 (diff) | |
parent | 1f06bc246c1de15d835ea563b5d5c4f820fa6df8 (diff) | |
Merge pull request #9203 from nextcloud/declare-func-as-safe
Declare func() as safe method in phan
-rw-r--r-- | build/.phan/plugin-checker.php | 22 | ||||
-rw-r--r-- | build/.phan/plugins/SqlInjectionCheckerPlugin.php | 10 |
2 files changed, 17 insertions, 15 deletions
diff --git a/build/.phan/plugin-checker.php b/build/.phan/plugin-checker.php
index 92eb3496ed5..f7946fc2a42 100644
--- a/build/.phan/plugin-checker.php
+++ b/build/.phan/plugin-checker.php
@@ -20,17 +20,17 @@
 */
 $expected = <<<EOT
-build/.phan/tests/SqlInjectionCheckerTest.php:23 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:35 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:37 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:39 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:41 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:43 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:54 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:61 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:62 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:69 SqlInjectionChecker Potential SQL injection detected
-build/.phan/tests/SqlInjectionCheckerTest.php:70 SqlInjectionChecker Potential SQL injection detected
+build/.phan/tests/SqlInjectionCheckerTest.php:23 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:35 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:37 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:39 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:41 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:43 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:54 SqlInjectionChecker Potential SQL injection detected - neither a parameter nor a string
+build/.phan/tests/SqlInjectionCheckerTest.php:61 SqlInjectionChecker Potential SQL injection detected - method: no child method
+build/.phan/tests/SqlInjectionCheckerTest.php:62 SqlInjectionChecker Potential SQL injection detected - method: no child method
+build/.phan/tests/SqlInjectionCheckerTest.php:69 SqlInjectionChecker Potential SQL injection detected - method: no child method
+build/.phan/tests/SqlInjectionCheckerTest.php:70 SqlInjectionChecker Potential SQL injection detected - method: no child method
 EOT;
diff --git a/build/.phan/plugins/SqlInjectionCheckerPlugin.php b/build/.phan/plugins/SqlInjectionCheckerPlugin.php
index 8cfd5ac4752..a9a0b817d5c 100644
--- a/build/.phan/plugins/SqlInjectionCheckerPlugin.php
+++ b/build/.phan/plugins/SqlInjectionCheckerPlugin.php
@@ -33,10 +33,10 @@ class SqlInjectionCheckerPlugin extends PluginV2 implements AnalyzeNodeCapabili
 class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
- private function throwError() {
+ private function throwError(string $hint) {
 $this->emit(
 'SqlInjectionChecker',
- 'Potential SQL injection detected',
+ 'Potential SQL injection detected - ' . $hint,
 [],
 \Phan\Issue::SEVERITY_CRITICAL
 );
@@ -64,6 +64,8 @@ class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
 'createNamedParameter',
 'createPositionalParameter',
 'createParameter',
+ 'createFunction',
+ 'func',
 ];
 $functionsToSearch = [
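Review bot: Adding `'createFunction'` to `$safeFunctions` in the `@@ -64,6 +64,8 @@` hunk silences the checker for every value routed through that call, yet if I remember the OCP interface correctly `IQueryBuilder::createFunction()` takes its SQL fragment as a plain string, so a `createFunction()` call whose argument is built from a variable is exactly the shape this plugin exists to report and would now go unreported. `'func'` looks different in kind, since the function builder it returns constructs the fragment itself rather than accepting one, so that entry seems reasonable. I would keep `createFunction` out of the blanket safe list and instead have the visitor accept it only when its argument is a string literal, or at minimum add a fixture to `build/.phan/tests/SqlInjectionCheckerTest.php` with a non-literal `createFunction()` argument and the matching expectation in `build/.phan/plugin-checker.php` so the intended behaviour is pinned. The `$safeFunctions` array begins before this hunk, so I cannot see whether an earlier comment documents what "safe" is meant to cover.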
@@ -84,7 +86,7 @@ class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
 // For set actions
 if(isset($node->children['method']) && in_array($node->children['method'], $functionsToSearch, true) && !is_string($subChild)) {
 if(!isset($subChild->children['method']) || !in_array($subChild->children['method'], $safeFunctions, true)) {
- $this->throwError();
+ $this->throwError('method: ' . ($subChild->children['method'] ?? 'no child method'));
 }
 }
@@ -115,7 +117,7 @@ class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
 // If it is an IParameter or a pure string no error is thrown
 if((string)$expandedNode !== '\OCP\DB\QueryBuilder\IParameter' && !is_string($secondParameterNode)) {
- $this->throwError();
+ $this->throwError('neither a parameter nor a string');
 }
 }
 }
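Review bot: The new hint in the `@@ -84,7 +86,7 @@` hunk concatenates `$subChild->children['method']` straight into a string, but as far as I recall php-ast stores a node rather than a string there when the callee name is dynamic (`$qb->$name(...)`), in which case the concatenation throws an Error and aborts the whole analysis run instead of reporting the finding. The surrounding `isset(...) || !in_array(..., true)` guard already lets that case through, since strict `in_array` simply fails to match a node. Normalising the value first keeps the message robust: `$method = $subChild->children['method'] ?? null;` followed by `$this->throwError('method: ' . (is_string($method) ? $method : 'no child method'));`. The enclosing visitor method starts and ends outside this hunk, so I cannot see how `$subChild` is derived.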