Prefer inference-placeholder over taint-escape sql (#536)

staabm · web-flow · commit 252409015658 · 2023-02-22T20:16:28.000Z
diff --git a/src/QueryReflection/QueryReflection.php b/src/QueryReflection/QueryReflection.php
@@ -337,14 +337,14 @@ private function resolveQueryStringExpr(Expr $queryExpr, Scope $scope, bool $res
         }
 
         if ($queryExpr instanceof Expr\CallLike) {
-            if ('sql' === PhpDocUtil::matchTaintEscape($queryExpr, $scope)) {
-                return '1';
-            }
-
             $placeholder = PhpDocUtil::matchInferencePlaceholder($queryExpr, $scope);
             if (null !== $placeholder) {
                 return $placeholder;
             }
+
+            if ('sql' === PhpDocUtil::matchTaintEscape($queryExpr, $scope)) {
+                return '1';
+            }
         }
 
         if ($queryExpr instanceof Concat) {
diff --git a/tests/rules/UnresolvableQueryMethodRuleTest.php b/tests/rules/UnresolvableQueryMethodRuleTest.php
@@ -65,4 +65,11 @@ public function testSyntaxErrorInQueryRule(): void
             ],
         ]);
     }
+
+    public function testBug536(): void
+    {
+        require_once __DIR__ . '/data/bug-536.php';
+
+        $this->analyse([__DIR__ . '/data/bug-536.php'], []);
+    }
 }
diff --git a/tests/rules/data/bug-536.php b/tests/rules/data/bug-536.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace Bug536;
+
+use PDO;
+
+function taintEscapedAndInferencePlaceholder(PDO $pdo, string $s)
+{
+    $pdo->query('SELECT email, adaid FROM '. X::getTablePrefix('ada'), PDO::FETCH_ASSOC);
+}
+
+class X {
+    /**
+     * Returns the table prefix.
+     *
+     * @return non-empty-string
+     *
+     * @phpstandba-inference-placeholder 'ada'
+     * @psalm-taint-escape sql
+     */
+    public static function getTablePrefix()
+    {
+
+    }
+
+}

Original file line number	Diff line number	Diff line change
`@@ -337,14 +337,14 @@ private function resolveQueryStringExpr(Expr $queryExpr, Scope $scope, bool $res`
`337`	`337`	`}`
`338`	`338`
`339`	`339`	`if ($queryExpr instanceof Expr\CallLike) {`
`340`		`- if ('sql' === PhpDocUtil::matchTaintEscape($queryExpr, $scope)) {`
`341`		`- return '1';`
`342`		`- }`
`343`		`-`
`344`	`340`	`$placeholder = PhpDocUtil::matchInferencePlaceholder($queryExpr, $scope);`
`345`	`341`	`if (null !== $placeholder) {`
`346`	`342`	`return $placeholder;`
`347`	`343`	`}`
	`344`	`+`
	`345`	`+ if ('sql' === PhpDocUtil::matchTaintEscape($queryExpr, $scope)) {`
	`346`	`+ return '1';`
	`347`	`+ }`
`348`	`348`	`}`
`349`	`349`
`350`	`350`	`if ($queryExpr instanceof Concat) {`
Original file line number	Diff line number	Diff line change
`@@ -65,4 +65,11 @@ public function testSyntaxErrorInQueryRule(): void`
`65`	`65`	`],`
`66`	`66`	`]);`
`67`	`67`	`}`
	`68`	`+`
	`69`	`+ public function testBug536(): void`
	`70`	`+ {`
	`71`	`+ require_once __DIR__ . '/data/bug-536.php';`
	`72`	`+`
	`73`	`+ $this->analyse([__DIR__ . '/data/bug-536.php'], []);`
	`74`	`+ }`
`68`	`75`	`}`