1 files changed, 24 insertions, 4 deletions

diff --git a/lib/private/Config.php b/lib/private/Config.php
index 0e8d07955af..a9eb58a1866 100644
--- a/lib/private/Config.php
+++ b/lib/private/Config.php
@@ -65,17 +65,37 @@ class Config {
 	 */
 	public function getValue($key, $default = null) {
 		if (isset($this->envCache[$key])) {
-			return $this->envCache[$key];
+			return self::trustSystemConfig($this->envCache[$key]);
 		}
 
 		if (isset($this->cache[$key])) {
-			return $this->cache[$key];
+			return self::trustSystemConfig($this->cache[$key]);
 		}
 
 		return $default;
 	}
 
 	/**
+	 * Since system config is admin controlled, we can tell psalm to ignore any taint
+	 *
+	 * @psalm-taint-escape callable
+	 * @psalm-taint-escape cookie
+	 * @psalm-taint-escape file
+	 * @psalm-taint-escape has_quotes
+	 * @psalm-taint-escape header
+	 * @psalm-taint-escape html
+	 * @psalm-taint-escape include
+	 * @psalm-taint-escape ldap
+	 * @psalm-taint-escape shell
+	 * @psalm-taint-escape sql
+	 * @psalm-taint-escape unserialize
+	 * @psalm-pure
+	 */
+	public static function trustSystemConfig(mixed $value): mixed {
+		return $value;
+	}
+
+	/**
 	 * Sets and deletes values and writes the config.php
 	 *
 	 * @param array $configs Associative array with `key => value` pairs
@@ -246,7 +266,7 @@ class Config {
 	 * @throws HintException If the config file cannot be written to
 	 * @throws \Exception If no file lock can be acquired
 	 */
-	private function writeData() {
+	private function writeData(): void {
 		$this->checkReadOnly();
 
 		if (!is_file(\OC::$configDir . '/CAN_INSTALL') && !isset($this->cache['version'])) {
@@ -256,7 +276,7 @@ class Config {
 		// Create a php file ...
 		$content = "<?php\n";
 		$content .= '$CONFIG = ';
-		$content .= var_export($this->cache, true);
+		$content .= var_export(self::trustSystemConfig($this->cache), true);
 		$content .= ";\n";
 
 		touch($this->configFilePath);