1 files changed, 39 insertions, 0 deletions

diff --git a/build/psalm/AppFrameworkTainter.php b/build/psalm/AppFrameworkTainter.php
new file mode 100644
index 00000000000..448922d25a5
--- /dev/null
+++ b/build/psalm/AppFrameworkTainter.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: MIT
+ */
+use Psalm\CodeLocation;
+use Psalm\Plugin\EventHandler\AfterFunctionLikeAnalysisInterface;
+use Psalm\Plugin\EventHandler\Event\AfterFunctionLikeAnalysisEvent;
+use Psalm\Type\TaintKindGroup;
+
+class AppFrameworkTainter implements AfterFunctionLikeAnalysisInterface {
+	public static function afterStatementAnalysis(AfterFunctionLikeAnalysisEvent $event): ?bool {
+		if ($event->getStatementsSource()->getFQCLN() === null) {
+			return null;
+		}
+		if (!$event->getCodebase()->classExtendsOrImplements($event->getStatementsSource()->getFQCLN(), \OCP\AppFramework\Controller::class)) {
+			return null;
+		}
+		if (!($event->getStmt() instanceof PhpParser\Node\Stmt\ClassMethod)) {
+			return null;
+		}
+		if (!$event->getStmt()->isPublic() || $event->getStmt()->isMagic()) {
+			return null;
+		}
+		foreach ($event->getStmt()->params as $i => $param) {
+			$expr_type = new Psalm\Type\Union([new Psalm\Type\Atomic\TString()]);
+			$expr_identifier = (strtolower($event->getStatementsSource()->getFQCLN()) . '::' . strtolower($event->getFunctionlikeStorage()->cased_name) . '#' . ($i + 1));
+			$event->getCodebase()->addTaintSource(
+				$expr_type,
+				$expr_identifier,
+				TaintKindGroup::ALL_INPUT,
+				new CodeLocation($event->getStatementsSource(), $param)
+			);
+		}
+
+		return null;
+	}
+}