Add taint sinks on the DBAL Connection

stubs/Connection.phpstub

@@ -3,6 +3,7 @@
 namespace Doctrine\DBAL;
 
 use Doctrine\DBAL\Driver\Connection as DriverConnection;
+use Doctrine\DBAL\Driver\Statement as DriverStatement;
 
 class Connection implements DriverConnection
 {
@@ -38,4 +39,43 @@ class Connection implements DriverConnection
 
     /** @var int */
     public const ARRAY_PARAM_OFFSET = 100;
+
+    /**
+     * @throws DBALException
+     * @psalm-taint-sink sql $statement
+     */
+    public function prepare(string $statement): DriverStatement {}
+
+    /**
+     * @psalm-taint-sink sql $statement
+     */
+    public function exec(string $statement): int {}
+
+    /**
+     * @psalm-param string[] $query The SQL query parts.
+     *
+     * @throws DBALException
+     * @psalm-taint-sink sql $query
+     */
+    public function query(...$query): DriverStatement {}
+
+    /**
+     * @psalm-param scalar[]        $params The query parameters.
+     * @psalm-param int[]|string[]  $types  The parameter types.
+     *
+     * @throws DBALException
+     * @psalm-taint-sink sql $query
+     */
+    public function executeUpdate(string $query, array $params = [], array $types = []): int {}
+
+    /**
+     * @psalm-pure
+     *
+     * @psalm-param scalar $input
+     * @psalm-return string
+     *
+     * @psalm-taint-escape sql
+     * @psalm-flow ($input) -> return
+     */
+    public function quote($input, int $type = ParameterType::STRING);
 }

tests/acceptance/Tainting.feature

@@ -0,0 +1,63 @@
+Feature: Tainting
+  In order to prevent SQL injection when using Doctrine
+  As a Psalm user
+  I need Psalm to spot taint sources and sinks
+
+  Background:
+    Given I have Psalm newer than "3.12" (because of "taint analysis")
+    And I have the following config
+      """
+      <?xml version="1.0"?>
+      <psalm totallyTyped="true">
+        <projectFiles>
+          <directory name="."/>
+        </projectFiles>
+        <plugins>
+          <pluginClass class="Weirdan\DoctrinePsalmPlugin\Plugin" />
+        </plugins>
+      </psalm>
+      """
+    And I have the following code preamble
+      """
+      <?php
+      use Doctrine\DBAL\Connection;
+
+      /**
+       * @psalm-suppress InvalidReturnType
+       * @return Connection
+       */
+      function connection() {}
+
+      """
+
+  @Connection::prepare
+  @Connection::exec
+  @Connection::query
+  @Connection::executeUpdate
+  Scenario Outline: Using user input on Connection's query methods
+    Given I have the following code
+      """
+      $sql = 'INSERT INTO sometable (item_name) VALUES ("'.$_GET['untrusted'].'")';
+      connection()-><method>($sql);
+      """
+    When I run Psalm with taint analysis
+    Then I see these errors
+      | Type         | Message              |
+      | TaintedInput | Detected tainted sql |
+    And I see no other errors
+  Examples:
+    | method        |
+    | prepare       |
+    | exec          |
+    | query         |
+    | executeUpdate |
+
+  @Connection::quote
+  Scenario: Using Connection's quote method on user input
+    Given I have the following code
+      """
+      $sql = 'SELECT * FROM sometable WHERE id=' . connection()->quote($_GET['untrusted']);
+      connection()->query($sql);
+      """
+    When I run Psalm with taint analysis
+    Then I see no errors