From 083584d115b3a06c734c2264be3a39b8c0f1e4c1 Mon Sep 17 00:00:00 2001
From: cgocast
Date: Wed, 22 Nov 2023 11:10:50 +0100
Subject: [PATCH 1/2] TaintedExtract
---
 UPGRADING.md | 2 +-
 config.xsd | 1 +
 docs/running_psalm/error_levels.md | 1 +
 docs/running_psalm/issues.md | 1 +
 docs/running_psalm/issues/TaintedExtract.md | 10 ++++++++++
 .../Statements/Expression/Call/ArgumentsAnalyzer.php | 2 +-
 src/Psalm/Internal/Codebase/TaintFlowGraph.php | 10 ++++++++++
 src/Psalm/Issue/TaintedExtract.php | 10 ++++++++++
 src/Psalm/Type/TaintKind.php | 1 +
 src/Psalm/Type/TaintKindGroup.php | 1 +
 stubs/CoreGenericFunctions.phpstub | 5 +++++
 tests/TaintTest.php | 11 +++++++++++
 12 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 docs/running_psalm/issues/TaintedExtract.md
 create mode 100644 src/Psalm/Issue/TaintedExtract.php
diff --git a/UPGRADING.md b/UPGRADING.md
index 9b3665d4dcf..767e293871e 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -17,7 +17,7 @@
 - [BC] Class `Psalm\Issue\MixedInferredReturnType` was removed
-- [BC] Value of constant `Psalm\Type\TaintKindGroup::ALL_INPUT` changed to reflect new `TaintKind::INPUT_SLEEP` and `TaintKind::INPUT_XPATH` have been added. Accordingly, default values for `$taint` parameters of `Psalm\Codebase::addTaintSource()` and `Psalm\Codebase::addTaintSink()` have been changed as well.
+- [BC] Value of constant `Psalm\Type\TaintKindGroup::ALL_INPUT` changed to reflect new `TaintKind::INPUT_EXTRACT`, `TaintKind::INPUT_SLEEP` and `TaintKind::INPUT_XPATH` have been added. Accordingly, default values for `$taint` parameters of `Psalm\Codebase::addTaintSource()` and `Psalm\Codebase::addTaintSink()` have been changed as well.
 - [BC] Property `Config::$shepherd_host` was replaced with `Config::$shepherd_endpoint`
diff --git a/config.xsd b/config.xsd
index 6a6d182dca3..c97e3198ad9 100644
--- a/config.xsd
+++ b/config.xsd
@@ -433,6 +433,7 @@
+
diff --git a/docs/running_psalm/error_levels.md b/docs/running_psalm/error_levels.md
index 2d9c35ced37..a7b61ee78a1 100644
--- a/docs/running_psalm/error_levels.md
+++ b/docs/running_psalm/error_levels.md
@@ -286,6 +286,7 @@ Level 5 and above allows a more non-verifiable code, and higher levels are even
 - [TaintedCookie](issues/TaintedCookie.md)
 - [TaintedCustom](issues/TaintedCustom.md)
 - [TaintedEval](issues/TaintedEval.md)
+ - [TaintedExtract](issues/TaintedExtract.md)
 - [TaintedFile](issues/TaintedFile.md)
 - [TaintedHeader](issues/TaintedHeader.md)
 - [TaintedHtml](issues/TaintedHtml.md)
diff --git a/docs/running_psalm/issues.md b/docs/running_psalm/issues.md
index 95f3839593b..364541ee439 100644
--- a/docs/running_psalm/issues.md
+++ b/docs/running_psalm/issues.md
@@ -234,6 +234,7 @@
 - [TaintedCookie](issues/TaintedCookie.md)
 - [TaintedCustom](issues/TaintedCustom.md)
 - [TaintedEval](issues/TaintedEval.md)
+ - [TaintedExtract](issues/TaintedExtract.md)
 - [TaintedFile](issues/TaintedFile.md)
 - [TaintedHeader](issues/TaintedHeader.md)
 - [TaintedHtml](issues/TaintedHtml.md)
diff --git a/docs/running_psalm/issues/TaintedExtract.md b/docs/running_psalm/issues/TaintedExtract.md
new file mode 100644
index 00000000000..7b0fa27d85a
--- /dev/null
+++ b/docs/running_psalm/issues/TaintedExtract.md
@@ -0,0 +1,10 @@
+# TaintedExtract
+
+Emitted when user-controlled array can be passed into an `extract` call.
+
+```php
+vars_in_scope[$var_id]))
diff --git a/src/Psalm/Internal/Codebase/TaintFlowGraph.php b/src/Psalm/Internal/Codebase/TaintFlowGraph.php
index 5c5f72173eb..1cab3ea6dd8 100644
--- a/src/Psalm/Internal/Codebase/TaintFlowGraph.php
+++ b/src/Psalm/Internal/Codebase/TaintFlowGraph.php
@@ -14,6 +14,7 @@
 use Psalm\Issue\TaintedCookie;
 use Psalm\Issue\TaintedCustom;
 use Psalm\Issue\TaintedEval;
+use Psalm\Issue\TaintedExtract;
 use Psalm\Issue\TaintedFile;
 use Psalm\Issue\TaintedHeader;
 use Psalm\Issue\TaintedHtml;
@@ -471,6 +472,15 @@ private function getChildNodes(
 );
 break;
+ case TaintKind::INPUT_EXTRACT:
+ $issue = new TaintedExtract(
+ 'Detected tainted extract',
+ $issue_location,
+ $issue_trace,
+ $path,
+ );
+ break;
+
 default:
 $issue = new TaintedCustom(
 'Detected tainted ' . $matching_taint,
diff --git a/src/Psalm/Issue/TaintedExtract.php b/src/Psalm/Issue/TaintedExtract.php
new file mode 100644
index 00000000000..60eef6b9271
--- /dev/null
+++ b/src/Psalm/Issue/TaintedExtract.php
@@ -0,0 +1,10 @@
+ 'TaintedSleep',
 ],
+ 'taintedExtract' => [
+ 'code' => ' 'TaintedExtract',
+ ],
+ 'extractPost' => [
+ 'code' => ' 'TaintedExtract',
+ ],
 ];
 }
From c75e6da8665b83ae30fe5f0174368b26f7581e92 Mon Sep 17 00:00:00 2001
From: cgocast
Date: Tue, 28 Nov 2023 10:24:01 +0100
Subject: [PATCH 2/2] Fix coding style
---
 .../Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php
index acdd6c272fd..d265e22d0bb 100644
--- a/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php
+++ b/src/Psalm/Internal/Analyzer/Statements/Expression/Call/ArgumentsAnalyzer.php
@@ -1270,7 +1270,7 @@ private static function handleByRefFunctionArg(
 $builtin_array_functions = [
 'ksort', 'asort', 'krsort', 'arsort', 'natcasesort', 'natsort',
- 'reset', 'end', 'next', 'prev', 'array_pop', 'array_shift', 'extract'
+ 'reset', 'end', 'next', 'prev', 'array_pop', 'array_shift', 'extract',
 ];
 if (($var_id && isset($context->vars_in_scope[$var_id]))
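Review bot: The new `case TaintKind::INPUT_EXTRACT:` branch in getChildNodes() carries no comment saying what the `extract` sink guards against, and the message `'Detected tainted extract'` only names the function. Because `extract()` imports array keys as local variables, a tainted array lets its keys define or overwrite variables in the calling scope; a one-line comment above the case, `// extract() turns array keys into local variables, so a tainted array can overwrite variables in the calling scope`, would record that rationale next to the issue construction. Which argument is registered as the sink lives in the stub change listed in the diffstat (stubs/CoreGenericFunctions.phpstub), which is not readable in this patch view, so I have not checked it. getChildNodes() starts before the hunk and the `default:` branch continues past it.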