Merge pull request #24290 from nextcloud/propagate-taint

Add IRequest taint sources
Roeland Jago Douma 2020-11-23 08:40:14 +01:00 committed by GitHub
commit a1cd5ca20c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions


@ -107,6 +107,8 @@ interface IRequest {
/** /**
* @param string $name * @param string $name
* *
* @psalm-taint-source input
*
* @return string * @return string
* @since 6.0.0 * @since 6.0.0
*/ */
@ -116,6 +118,8 @@ interface IRequest {
* Lets you access post and get parameters by the index * Lets you access post and get parameters by the index
* In case of json requests the encoded json body is accessed * In case of json requests the encoded json body is accessed
* *
* @psalm-taint-source input
*
* @param string $key the key which you want to access in the URL Parameter * @param string $key the key which you want to access in the URL Parameter
* placeholder, $_POST or $_GET array. * placeholder, $_POST or $_GET array.
* The priority how they're returned is the following: * The priority how they're returned is the following:
@ -134,6 +138,8 @@ interface IRequest {
* *
* (as GET or POST) or through the URL by the route * (as GET or POST) or through the URL by the route
* *
* @psalm-taint-source input
*
* @return array the array with all parameters * @return array the array with all parameters
* @since 6.0.0 * @since 6.0.0
*/ */
@ -170,6 +176,8 @@ interface IRequest {
/** /**
* Shortcut for getting cookie variables * Shortcut for getting cookie variables
* *
* @psalm-taint-source input
*
* @param string $key the key that will be taken from the $_COOKIE array * @param string $key the key that will be taken from the $_COOKIE array
* @return string|null the value in the $_COOKIE element * @return string|null the value in the $_COOKIE element
* @since 6.0.0 * @since 6.0.0
@ -244,6 +252,8 @@ interface IRequest {
* Returns the request uri, even if the website uses one or more * Returns the request uri, even if the website uses one or more
* reverse proxies * reverse proxies
* *
* @psalm-taint-source input
*
* @return string * @return string
* @since 8.1.0 * @since 8.1.0
*/ */
@ -252,6 +262,8 @@ interface IRequest {
/** /**
* Get raw PathInfo from request (not urldecoded) * Get raw PathInfo from request (not urldecoded)
* *
* @psalm-taint-source input
*
* @throws \Exception * @throws \Exception
* @return string Path info * @return string Path info
* @since 8.1.0 * @since 8.1.0
@ -261,6 +273,8 @@ interface IRequest {
/** /**
* Get PathInfo from request * Get PathInfo from request
* *
* @psalm-taint-source input
*
* @throws \Exception * @throws \Exception
* @return string|false Path info or false when not found * @return string|false Path info or false when not found
* @since 8.1.0 * @since 8.1.0
@ -289,6 +303,8 @@ interface IRequest {
* Returns the unverified server host from the headers without checking * Returns the unverified server host from the headers without checking
* whether it is a trusted domain * whether it is a trusted domain
* *
* @psalm-taint-source input
*
* @return string Server host * @return string Server host
* @since 8.1.0 * @since 8.1.0
*/ */
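Review bot: Coverage of the taint sources looks partial from what these hunks show: eight docblocks gain `@psalm-taint-source input`, but any other `IRequest` accessor that returns client-controlled data (uploaded-file metadata, environment/server values, the remote address, and the trusted-domain variant of the host getter would be typical candidates) falls outside the visible hunks, so confirm whether those are tagged or deliberately left out. An untagged accessor makes Psalm report flows from it as clean, so a missing tag is a silent false negative. A one-line comment at the top of the interface stating which accessors are intentionally not sources would make the omission reviewable. Property-style and array-style access to request parameters, if the implementing class supports it, is not covered by method-level tags either and may need a stub or an annotation on the concrete class. As a minor style point, the first hunk (`@@ -107`) places the tag after `@param string $name`, while the hunks at `@@ -116` and `@@ -170` place it before `@param`; pick one position for all docblocks.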