On Sat, 17 Jul 2021 at 4:05 pm, Marco Pivetta <ocram...@gmail.com> wrote:
> my belief is that this is not a runtime problem, but rather a type-level > issue with tainted/untainted input/output. > Thank you for the feedback Marco, As you appreciate, I don’t believe we can get every PHP developer to use Static Analysis. It’s an extra step that developers with less time, energy, or care, will not setup and use. Putting something in the base language, means that libraries can just use it, and people using the sites/systems of rushed or lazier developers will have these checks helping keep their data secure. Data breeches can have life-changing consequences for people, Injection Vulnerabilities are one of the biggest causes of them, and since we have the ability for libraries to warn all developers about these mistake, we should. At the moment our house can catch on fire and we don’t even have a smoke alarm. This is the smoke alarm. And there are reasons why it’s builders and landlords that have to install them, and we don’t rely on the tenants going and sorting them out themselves. Because if they don’t, for the best or the worse reasons, either way there are severe consequences to everybody. In regards to Taint Checking, it has a significant problem as it creates a false sense of security, hence these examples in the RFC: $sql = 'SELECT * FROM users WHERE id = ' . $db->real_escape_string($id); // INSECURE $html = "<img src=" . htmlentities($url) . " alt='' />"; // INSECURE $html = "<a href='" . htmlentities($url) . "'>..."; // INSECURE Fortunately Psalm has just implemented the is_literal() concept, so those developers who do use Psalm can protect themselves from these issues: https://github.com/vimeo/psalm/releases/tag/4.8.0 In addition to that, a mechanism to un-taint values is missing, > That’s the main flaw with Taint Checking, because it’s not possible to mark something as safe without knowing about the context. As in, developers use an escaping function (to mark as untainted), think the value is now “safe”, and incorrectly use that value in a way that causes a security vulnerability. is_literal() simplifies this problem considerably, by just identifying developer defined strings, and instead using libraries to handle user values. Craig
