[RFR] Tainting

[adrienlucas]

Adding taint sources :

• Symfony\Component\HttpFoundation\InputBag::get and Symfony\Component\HttpFoundation\InputBag::all (reachable via Symfony\Component\HttpFoundation\Request::$request, Symfony\Component\HttpFoundation\Request::$query, and Symfony\Component\HttpFoundation\Request::$cookies)
• Symfony\Component\HttpFoundation\HeaderBag::__toString and Symfony\Component\HttpFoundation\HeaderBag::get (reachable via by Symfony\Component\HttpFoundation\Request::$headers) but only when the argument is user-agentin the second case.
• Symfony\Component\HttpFoundation\HeaderBag::__toString (reachable via by Symfony\Component\HttpFoundation\Request::$headers).

Open questions (i will try to answer them myself, but if someone want to give advices) :

• should we add a taint source for doctrine inserts/updates ? what about selects ? (see Add taint sinks on the DBAL Connection psalm-plugin-doctrine#61)
• should we try to add twig render as taint source ? if so, i'm not sure to know how to taint it.. (see [RFR] Tainting twig #61)
• are there other component to consider ? filesystem, process maybe.. to be continued
• we should try to also have ParameterBag::filter as source, but i'm not sure of how to proceed (only with an annotation or with an handler).. not a source, but maybe have the stub generator automatically add a flow or taint annotation to it (and all other similar cases)

[adrienlucas]

@seferov i can not manage to reproduce the issue of the 7.1, highest job on my local workspace... any idea ?

[seferov]

@adrienlucas thank you for the PR!
I will also try to reproduce the issue locally.

[adrienlucas]

hey @seferov this is now ready to be reviewed and merged :)

i got to refactor the HeaderBagHandler a bit as i found out that tainting through the MethodReturnTypeProviderInterface would be much more efficient than the previous implementation using a AfterExpressionAnalysisInterface.

the 7.1 build is still failing, but only for the tests related to the phpstub files, any clue ?

[seferov]

@adrienlucas thanks for the update.

The reason for the failure is that InputBag is introduced in Symfony 5.1.0 /~https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md#510. Thus InputBag stubs doesn't have any affect for lower versions.

[adrienlucas]

Thank you @seferov ! I can swear I had tested it with --prefer-lowest, but obviously I did not, thanks for catching it.

So I introduced a "dependency check" step and now it's "ok" everywhere !