Merge pull request #249 from koriym/add-fetch-taint-annotations

harikt · web-flow · commit 6b0c1f84bbe5 · 2026-01-05T10:43:22.000+05:30
Add psalm taint-sink annotations to fetch*/yield*/perform methods
diff --git a/src/ExtendedPdoInterface.php b/src/ExtendedPdoInterface.php
@@ -47,6 +47,7 @@ public function disconnect(): void;
      *
      * @return int
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchAffected(string $statement, array $values = []): int;
 
@@ -61,6 +62,7 @@ public function fetchAffected(string $statement, array $values = []): int;
      *
      * @return array
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchAll(string $statement, array $values = []): array;
 
@@ -79,6 +81,7 @@ public function fetchAll(string $statement, array $values = []): array;
      *
      * @return array
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchAssoc(string $statement, array $values = []): array;
 
@@ -92,6 +95,7 @@ public function fetchAssoc(string $statement, array $values = []): array;
      *
      * @return array
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchCol(string $statement, array $values = []): array;
 
@@ -109,6 +113,7 @@ public function fetchCol(string $statement, array $values = []): array;
      *
      * @return array
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchGroup(
         string $statement,
@@ -137,6 +142,7 @@ public function fetchGroup(
      *
      * @return object|false
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchObject(
         string $statement,
@@ -168,6 +174,7 @@ public function fetchObject(
      *
      * @return array
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchObjects(
         string $statement,
@@ -186,6 +193,7 @@ public function fetchObjects(
      *
      * @return array|false
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchOne(string $statement, array $values = []): array|false;
 
@@ -200,6 +208,7 @@ public function fetchOne(string $statement, array $values = []): array|false;
      *
      * @return array
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchPairs(string $statement, array $values = []): array;
 
@@ -213,6 +222,7 @@ public function fetchPairs(string $statement, array $values = []): array;
      *
      * @return mixed
      *
+     * @psalm-taint-sink sql $statement
      */
     public function fetchValue(string $statement, array $values = []): mixed;
 
@@ -304,6 +314,7 @@ public function setProfiler(ProfilerInterface $profiler): void;
      *
      * @return \Generator
      *
+     * @psalm-taint-sink sql $statement
      */
     public function yieldAll(string $statement, array $values = []): Generator;
 
@@ -317,6 +328,7 @@ public function yieldAll(string $statement, array $values = []): Generator;
      *
      * @return \Generator
      *
+     * @psalm-taint-sink sql $statement
      */
     public function yieldAssoc(string $statement, array $values = []): Generator;
 
@@ -330,6 +342,7 @@ public function yieldAssoc(string $statement, array $values = []): Generator;
      *
      * @return \Generator
      *
+     * @psalm-taint-sink sql $statement
      */
     public function yieldCol(string $statement, array $values = []): Generator;
 
@@ -354,6 +367,7 @@ public function yieldCol(string $statement, array $values = []): Generator;
      *
      * @return \Generator
      *
+     * @psalm-taint-sink sql $statement
      */
     public function yieldObjects(
         string $statement,
@@ -373,6 +387,7 @@ public function yieldObjects(
      *
      * @return \Generator
      *
+     * @psalm-taint-sink sql $statement
      */
     public function yieldPairs(string $statement, array $values = []): Generator;
 
@@ -387,6 +402,7 @@ public function yieldPairs(string $statement, array $values = []): Generator;
      *
      * @return \PDOStatement
      *
+     * @psalm-taint-sink sql $statement
      */
     public function perform(string $statement, array $values = []): PDOStatement;
 
@@ -411,6 +427,7 @@ public function perform(string $statement, array $values = []): PDOStatement;
      *
      * @see http://php.net/manual/en/pdo.prepare.php
      *
+     * @psalm-taint-sink sql $statement
      */
     public function prepareWithValues(string $statement, array $values = []): PDOStatement;
 }

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ public function disconnect(): void;`
`47`	`47`	`*`
`48`	`48`	`* @return int`
`49`	`49`	`*`
	`50`	`+ * @psalm-taint-sink sql $statement`
`50`	`51`	`*/`
`51`	`52`	`public function fetchAffected(string $statement, array $values = []): int;`
`52`	`53`
`@@ -61,6 +62,7 @@ public function fetchAffected(string $statement, array $values = []): int;`
`61`	`62`	`*`
`62`	`63`	`* @return array`
`63`	`64`	`*`
	`65`	`+ * @psalm-taint-sink sql $statement`
`64`	`66`	`*/`
`65`	`67`	`public function fetchAll(string $statement, array $values = []): array;`
`66`	`68`
`@@ -79,6 +81,7 @@ public function fetchAll(string $statement, array $values = []): array;`
`79`	`81`	`*`
`80`	`82`	`* @return array`
`81`	`83`	`*`
	`84`	`+ * @psalm-taint-sink sql $statement`
`82`	`85`	`*/`
`83`	`86`	`public function fetchAssoc(string $statement, array $values = []): array;`
`84`	`87`
`@@ -92,6 +95,7 @@ public function fetchAssoc(string $statement, array $values = []): array;`
`92`	`95`	`*`
`93`	`96`	`* @return array`
`94`	`97`	`*`
	`98`	`+ * @psalm-taint-sink sql $statement`
`95`	`99`	`*/`
`96`	`100`	`public function fetchCol(string $statement, array $values = []): array;`
`97`	`101`
`@@ -109,6 +113,7 @@ public function fetchCol(string $statement, array $values = []): array;`
`109`	`113`	`*`
`110`	`114`	`* @return array`
`111`	`115`	`*`
	`116`	`+ * @psalm-taint-sink sql $statement`
`112`	`117`	`*/`
`113`	`118`	`public function fetchGroup(`
`114`	`119`	`string $statement,`
`@@ -137,6 +142,7 @@ public function fetchGroup(`
`137`	`142`	`*`
`138`	`143`	`* @return object\|false`
`139`	`144`	`*`
	`145`	`+ * @psalm-taint-sink sql $statement`
`140`	`146`	`*/`
`141`	`147`	`public function fetchObject(`
`142`	`148`	`string $statement,`
`@@ -168,6 +174,7 @@ public function fetchObject(`
`168`	`174`	`*`
`169`	`175`	`* @return array`
`170`	`176`	`*`
	`177`	`+ * @psalm-taint-sink sql $statement`
`171`	`178`	`*/`
`172`	`179`	`public function fetchObjects(`
`173`	`180`	`string $statement,`
`@@ -186,6 +193,7 @@ public function fetchObjects(`
`186`	`193`	`*`
`187`	`194`	`* @return array\|false`
`188`	`195`	`*`
	`196`	`+ * @psalm-taint-sink sql $statement`
`189`	`197`	`*/`
`190`	`198`	`public function fetchOne(string $statement, array $values = []): array\|false;`
`191`	`199`
`@@ -200,6 +208,7 @@ public function fetchOne(string $statement, array $values = []): array\|false;`
`200`	`208`	`*`
`201`	`209`	`* @return array`
`202`	`210`	`*`
	`211`	`+ * @psalm-taint-sink sql $statement`
`203`	`212`	`*/`
`204`	`213`	`public function fetchPairs(string $statement, array $values = []): array;`
`205`	`214`
`@@ -213,6 +222,7 @@ public function fetchPairs(string $statement, array $values = []): array;`
`213`	`222`	`*`
`214`	`223`	`* @return mixed`
`215`	`224`	`*`
	`225`	`+ * @psalm-taint-sink sql $statement`
`216`	`226`	`*/`
`217`	`227`	`public function fetchValue(string $statement, array $values = []): mixed;`
`218`	`228`
`@@ -304,6 +314,7 @@ public function setProfiler(ProfilerInterface $profiler): void;`
`304`	`314`	`*`
`305`	`315`	`* @return \Generator`
`306`	`316`	`*`
	`317`	`+ * @psalm-taint-sink sql $statement`
`307`	`318`	`*/`
`308`	`319`	`public function yieldAll(string $statement, array $values = []): Generator;`
`309`	`320`
`@@ -317,6 +328,7 @@ public function yieldAll(string $statement, array $values = []): Generator;`
`317`	`328`	`*`
`318`	`329`	`* @return \Generator`
`319`	`330`	`*`
	`331`	`+ * @psalm-taint-sink sql $statement`
`320`	`332`	`*/`
`321`	`333`	`public function yieldAssoc(string $statement, array $values = []): Generator;`
`322`	`334`
`@@ -330,6 +342,7 @@ public function yieldAssoc(string $statement, array $values = []): Generator;`
`330`	`342`	`*`
`331`	`343`	`* @return \Generator`
`332`	`344`	`*`
	`345`	`+ * @psalm-taint-sink sql $statement`
`333`	`346`	`*/`
`334`	`347`	`public function yieldCol(string $statement, array $values = []): Generator;`
`335`	`348`
`@@ -354,6 +367,7 @@ public function yieldCol(string $statement, array $values = []): Generator;`
`354`	`367`	`*`
`355`	`368`	`* @return \Generator`
`356`	`369`	`*`
	`370`	`+ * @psalm-taint-sink sql $statement`
`357`	`371`	`*/`
`358`	`372`	`public function yieldObjects(`
`359`	`373`	`string $statement,`
`@@ -373,6 +387,7 @@ public function yieldObjects(`
`373`	`387`	`*`
`374`	`388`	`* @return \Generator`
`375`	`389`	`*`
	`390`	`+ * @psalm-taint-sink sql $statement`
`376`	`391`	`*/`
`377`	`392`	`public function yieldPairs(string $statement, array $values = []): Generator;`
`378`	`393`
`@@ -387,6 +402,7 @@ public function yieldPairs(string $statement, array $values = []): Generator;`
`387`	`402`	`*`
`388`	`403`	`* @return \PDOStatement`
`389`	`404`	`*`
	`405`	`+ * @psalm-taint-sink sql $statement`
`390`	`406`	`*/`
`391`	`407`	`public function perform(string $statement, array $values = []): PDOStatement;`
`392`	`408`
`@@ -411,6 +427,7 @@ public function perform(string $statement, array $values = []): PDOStatement;`
`411`	`427`	`*`
`412`	`428`	`* @see http://php.net/manual/en/pdo.prepare.php`
`413`	`429`	`*`
	`430`	`+ * @psalm-taint-sink sql $statement`
`414`	`431`	`*/`
`415`	`432`	`public function prepareWithValues(string $statement, array $values = []): PDOStatement;`
`416`	`433`	`}`