search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge "mediawiki.api: Remove console warning for legacy token type"
[mediawiki.git] / tests / phan / TaintCheckAnnotationsTest.php
blobb4479d6e17adf68d2b14933a7355b62a9211a11a
1 <?php
2
3 // phpcs:disable
4
5 /* @phan-file-suppress PhanTypeSuspiciousEcho, PhanTypeConversionFromArray, PhanPluginUseReturnValueInternalKnown, PhanNoopNew */
6 /* @phan-file-suppress PhanTypeMismatchArgument Ignore list/array mismatch for taint checks */
7
8 /*
9 * This test ensures that taint-check knows about unsafe methods in MediaWiki. Knowledge about those methods
10 * can come either from annotations on the methods themselves, or from the plugin. It does not really matter,
11 * as long as taint-check knows about them.
12 *
13 * If phan reports new security issues or unused suppressions in this file, DO NOT just fix the errors, and instead
14 * make sure that your patch is not causing some of the taintedness data to be lost.
15 *
16 * If you are introducing an alias for any of these classes, then duplicate the relevant test so that it covers
17 * both the old and the new class name.
18 */
19
20 use MediaWiki\CommentStore\CommentStore;
21 use MediaWiki\Html\Html;
22 use MediaWiki\Linker\Linker;
23 use MediaWiki\Linker\LinkRenderer;
24 use MediaWiki\Linker\LinkTarget;
25 use MediaWiki\Parser\Sanitizer;
26 use MediaWiki\Request\WebRequest;
27 use MediaWiki\Shell\Result;
28 use MediaWiki\Shell\Shell;
29 use MediaWiki\Status\Status;
30 use MediaWiki\Status\StatusFormatter;
31 use MediaWiki\Title\TitleValue;
32 use Shellbox\Command\UnboxedResult;
33 use Shellbox\Shellbox;
34 use Wikimedia\Rdbms\DeleteQueryBuilder;
35 use Wikimedia\Rdbms\Expression;
36 use Wikimedia\Rdbms\InsertQueryBuilder;
37 use Wikimedia\Rdbms\RawSQLExpression;
38 use Wikimedia\Rdbms\RawSQLValue;
39 use Wikimedia\Rdbms\ReplaceQueryBuilder;
40 use Wikimedia\Rdbms\SelectQueryBuilder;
41 use Wikimedia\Rdbms\UnionQueryBuilder;
42 use Wikimedia\Rdbms\UpdateQueryBuilder;
43
44 die( 'This file should never be loaded' );
45
46 class TaintCheckAnnotationsTest {
47 function testDatabase( \Wikimedia\Rdbms\Database $db ) {
48 $db->query( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
49 echo $db->query( 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
50
51 $db->select( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
52 $db->select( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
53 $db->select( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
54 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
55
56 $db->selectField( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
57 $db->selectField( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
58 $db->selectField( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
59 echo $db->selectField( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
60
61 $db->selectFieldValues( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
62 $db->selectFieldValues( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
63 $db->selectFieldValues( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
64 echo $db->selectFieldValues( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
65
66 $db->selectSQLText( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
67 $db->selectSQLText( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
68 $db->selectSQLText( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
69 echo $db->selectSQLText( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
70 $db->query( $db->selectSQLText( 'safe', 'safe' ) ); // Safe
71
72 $db->selectRowCount( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
73 $db->selectRowCount( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
74 $db->selectRowCount( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
75 echo $db->selectRowCount( 'safe', 'safe' ); // Safe
76
77 $db->selectRow( $_GET['a'], '', [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
78 $db->selectRow( '', $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
79 $db->selectRow( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
80 echo $db->selectRow( 'safe', 'safe', [] ); // @phan-suppress-current-line SecurityCheck-XSS
81
82 $db->delete( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
83 $db->delete( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
84 $db->delete( '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
85 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
86
87 $db->insert( $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
88 $db->insert( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
89 $db->insert( '', [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
90 $db->insert( '', [], '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
91 echo $db->insert( 'safe', [] ); // Safe
92
93 $db->update( $_GET['a'], [], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
94 $db->update( '', [ $_GET['a'] ], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
95 $db->update( '', [], [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
96 $db->update( '', [], [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
97 echo $db->update( 'safe', [], [] ); // Safe
98
99 $identQuoted = $db->addIdentifierQuotes( $_GET['a'] );
100 echo $identQuoted;// @phan-suppress-current-line SecurityCheck-XSS
101 $db->query( $identQuoted );// Safe
102
103 $quoted = $db->addQuotes( $_GET['a'] );
104 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
105 $db->query( $quoted );// Safe
106
107 // buildLike is only hardcoded for the Database class
108 echo $db->buildLike( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
109 $db->query( $db->buildLike( $_GET['a'] ) );// Safe
110 echo $db->buildLike( '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
111 $db->query( $db->buildLike( '', $_GET['a'] ) );// Safe
112 echo $db->buildLike( '', '', '', '', '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
113 $db->query( $db->buildLike( '', '', '', '', '', $_GET['a'] ) );// Safe
114 }
115
116 /**
117 * @suppress PhanParamTooFewInPHPDoc
118 */
119 function testIDatabase( \Wikimedia\Rdbms\IDatabase $db ) {
120 $db->query( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
121 echo $db->query( 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
122
123 $db->select( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
124 $db->select( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
125 $db->select( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
126 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
127
128 $db->selectField( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
129 $db->selectField( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
130 $db->selectField( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
131 echo $db->selectField( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
132
133 $db->selectFieldValues( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
134 $db->selectFieldValues( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
135 $db->selectFieldValues( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
136 echo $db->selectFieldValues( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
137
138 $db->selectSQLText( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
139 $db->selectSQLText( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
140 $db->selectSQLText( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
141 echo $db->selectSQLText( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
142 $db->query( $db->selectSQLText( 'safe', 'safe' ) ); // Safe
143
144 $db->selectRowCount( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
145 $db->selectRowCount( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
146 $db->selectRowCount( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
147 echo $db->selectRowCount( 'safe', 'safe' ); // Safe
148
149 $db->selectRow( $_GET['a'], '', [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
150 $db->selectRow( '', $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
151 $db->selectRow( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
152 echo $db->selectRow( 'safe', 'safe', [] ); // @phan-suppress-current-line SecurityCheck-XSS
153
154 $db->delete( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
155 $db->delete( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
156 $db->delete( '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
157 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
158
159 $db->insert( $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
160 $db->insert( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
161 $db->insert( '', [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
162 $db->insert( '', [], '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
163 echo $db->insert( 'safe', [] ); // Safe
164
165 $db->update( $_GET['a'], [], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
166 $db->update( '', [ $_GET['a'] ], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
167 $db->update( '', [], [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
168 $db->update( '', [], [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
169 echo $db->update( 'safe', [], [] ); // Safe
170
171 $identQuoted = $db->addIdentifierQuotes( $_GET['a'] );
172 echo $identQuoted;// @phan-suppress-current-line SecurityCheck-XSS
173 $db->query( $identQuoted );// Safe
174
175 $quoted = $db->addQuotes( $_GET['a'] );
176 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
177 $db->query( $quoted );// Safe
178
179 // makeList is only hardcoded for the IDatabase interface
180 echo $db->makeList( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-XSS
181 $db->query( $db->makeList( $_GET['a'] ) );// Safe
182 echo $db->makeList( [] );// Safe
183 }
184
185 /**
186 * @suppress PhanParamTooFewInPHPDoc
187 */
188 function testIMaintainableDatabase( \Wikimedia\Rdbms\IMaintainableDatabase $db ) {
189 $db->query( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
190 echo $db->query( 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
191
192 $db->select( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
193 $db->select( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
194 $db->select( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
195 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
196
197 $db->selectField( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
198 $db->selectField( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
199 $db->selectField( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
200 echo $db->selectField( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
201
202 $db->selectFieldValues( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
203 $db->selectFieldValues( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
204 $db->selectFieldValues( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
205 echo $db->selectFieldValues( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
206
207 $db->selectSQLText( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
208 $db->selectSQLText( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
209 $db->selectSQLText( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
210 echo $db->selectSQLText( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
211 $db->query( $db->selectSQLText( 'safe', 'safe' ) ); // Safe
212
213 $db->selectRowCount( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
214 $db->selectRowCount( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
215 $db->selectRowCount( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
216 echo $db->selectRowCount( 'safe', 'safe' ); // Safe
217
218 $db->selectRow( $_GET['a'], '', [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
219 $db->selectRow( '', $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
220 $db->selectRow( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
221 echo $db->selectRow( 'safe', 'safe', [] ); // @phan-suppress-current-line SecurityCheck-XSS
222
223 $db->delete( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
224 $db->delete( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
225 $db->delete( '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
226 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
227
228 $db->insert( $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
229 $db->insert( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
230 $db->insert( '', [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
231 $db->insert( '', [], '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
232 echo $db->insert( 'safe', [] ); // Safe
233
234 $db->update( $_GET['a'], [], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
235 $db->update( '', [ $_GET['a'] ], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
236 $db->update( '', [], [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
237 $db->update( '', [], [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
238 echo $db->update( 'safe', [], [] ); // Safe
239
240 $identQuoted = $db->addIdentifierQuotes( $_GET['a'] );
241 echo $identQuoted;// @phan-suppress-current-line SecurityCheck-XSS
242 $db->query( $identQuoted );// Safe
243
244 $quoted = $db->addQuotes( $_GET['a'] );
245 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
246 $db->query( $quoted );// Safe
247 }
248
249 function testDBConnRef( \Wikimedia\Rdbms\DBConnRef $db ) {
250 $db->query( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
251 echo $db->query( 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
252
253 $db->select( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
254 $db->select( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
255 $db->select( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
256 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
257
258 $db->selectField( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
259 $db->selectField( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
260 $db->selectField( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
261 echo $db->selectField( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
262
263 $db->selectFieldValues( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
264 $db->selectFieldValues( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
265 $db->selectFieldValues( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
266 echo $db->selectFieldValues( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
267
268 $db->selectSQLText( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
269 $db->selectSQLText( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
270 $db->selectSQLText( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
271 echo $db->selectSQLText( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
272 $db->query( $db->selectSQLText( 'safe', 'safe' ) ); // Safe
273
274 $db->selectRowCount( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
275 $db->selectRowCount( '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
276 $db->selectRowCount( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
277 echo $db->selectRowCount( 'safe', 'safe' ); // Safe
278
279 $db->selectRow( $_GET['a'], '', [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
280 $db->selectRow( '', $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
281 $db->selectRow( '', '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
282 echo $db->selectRow( 'safe', 'safe', [] ); // @phan-suppress-current-line SecurityCheck-XSS
283
284 $db->delete( $_GET['a'], '' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
285 $db->delete( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
286 $db->delete( '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
287 echo $db->select( 'safe', 'safe' ); // @phan-suppress-current-line SecurityCheck-XSS
288
289 $db->insert( $_GET['a'], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
290 $db->insert( '', [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
291 $db->insert( '', [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
292 $db->insert( '', [], '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
293 echo $db->insert( 'safe', [] ); // Safe
294
295 $db->update( $_GET['a'], [], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
296 $db->update( '', [ $_GET['a'] ], [] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
297 $db->update( '', [], [ $_GET['a'] ] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
298 $db->update( '', [], [], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
299 echo $db->update( 'safe', [], [] ); // Safe
300
301 $identQuoted = $db->addIdentifierQuotes( $_GET['a'] );
302 echo $identQuoted;// @phan-suppress-current-line SecurityCheck-XSS
303 $db->query( $identQuoted );// Safe
304
305 $quoted = $db->addQuotes( $_GET['a'] );
306 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
307 $db->query( $quoted );// Safe
308 }
309
310 function testDatabaseMySQL( \Wikimedia\Rdbms\DatabaseMySQL $db ) {
311 $quoted = $db->addQuotes( $_GET['a'] );
312 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
313 $db->query( $quoted );// Safe
314
315 $identQuoted = $db->addIdentifierQuotes( $_GET['a'] );
316 echo $identQuoted;// @phan-suppress-current-line SecurityCheck-XSS
317 $db->query( $identQuoted );// Safe
318 }
319
320 function testDatabasePostgres( \Wikimedia\Rdbms\DatabasePostgres $db ) {
321 $quoted = $db->addQuotes( $_GET['a'] );
322 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
323 $db->query( $quoted );// Safe
324 }
325
326 function testDatabaseSqlite( \Wikimedia\Rdbms\DatabaseSqlite $db ) {
327 $quoted = $db->addQuotes( $_GET['a'] );
328 echo $quoted;// @phan-suppress-current-line SecurityCheck-XSS
329 $db->query( $quoted );// Safe
330 }
331
332 function testSelectQueryBuilder( SelectQueryBuilder $sqb ) {
333 $sqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
334 $sqb->table( '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
335 $sqb->tables( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
336 $sqb->from( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
337 $sqb->from( '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
338
339 $sqb->fields( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
340 $sqb->select( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
341 $sqb->field( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
342 $sqb->field( '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
343
344 $sqb->where( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
345 $sqb->where( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
346 $sqb->where( [ 'foo' => $_GET['a'] ] );// Safe
347 $sqb->andWhere( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
348 $sqb->andWhere( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
349 $sqb->andWhere( [ 'foo' => $_GET['a'] ] );// Safe
350 $sqb->conds( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
351 $sqb->conds( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
352 $sqb->conds( [ 'foo' => $_GET['a'] ] );// Safe
353 $sqb->groupBy( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
354 $sqb->having( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
355 $sqb->orderBy( $_GET['a'], $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
356 $sqb->useIndex( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
357 $sqb->ignoreIndex( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
358
359 $sqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
360
361 echo $sqb->fetchResultSet();// @phan-suppress-current-line SecurityCheck-XSS
362 echo $sqb->fetchField();// @phan-suppress-current-line SecurityCheck-XSS
363 echo $sqb->fetchFieldValues();// @phan-suppress-current-line SecurityCheck-XSS
364 echo $sqb->fetchRow();// @phan-suppress-current-line SecurityCheck-XSS
365 }
366
367 function testInsertQueryBuilder( InsertQueryBuilder $iqb ) {
368 $iqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
369 $iqb->insert( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
370 $iqb->insertInto( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
371
372 $iqb->row( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
373 $iqb->row( [ 'bar' => $_GET['a'] ] );// Safe
374 $iqb->row( [ $_GET['a'] => 'foo' ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
375
376 $iqb->rows( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
377 $iqb->rows( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
378 $iqb->rows( [ $_GET['a'] => [] ] );// Safe
379 $iqb->rows( [ $_GET['a'] => [ 'foo' => $_GET['a'] ] ] );// Safe
380 $iqb->rows( [ $_GET['a'] => [ $_GET['a'] => 'foo' ] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
381
382 $iqb->set( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
383 $iqb->set( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
384 $iqb->set( [ 'x' => $_GET['a'] ] );// Safe
385
386 $iqb->andSet( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
387 $iqb->andSet( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
388 $iqb->andSet( [ 'x' => $_GET['a'] ] );// Safe
389
390 $iqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
391 }
392
393 function testReplaceQueryBuilder( ReplaceQueryBuilder $rqb ) {
394 $rqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
395 $rqb->replaceInto( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
396
397 // FIXME: After T361523 and a new release, the suppression must be enabled
398 $rqb->row( $_GET['a'] );// phan-suppress-current-line SecurityCheck-SQLInjection
399 $rqb->row( [ 'bar' => $_GET['a'] ] );// Safe
400 // FIXME: After T361523 and a new release, the suppression must be enabled
401 $rqb->row( [ $_GET['a'] => 'foo' ] );// phan-suppress-current-line SecurityCheck-SQLInjection
402
403 // FIXME: After T361523 and a new release, the suppression must be enabled
404 $rqb->rows( $_GET['a'] );// phan-suppress-current-line SecurityCheck-SQLInjection
405 // FIXME: After T361523 and a new release, the suppression must be enabled
406 $rqb->rows( [ $_GET['a'] ] );// phan-suppress-current-line SecurityCheck-SQLInjection
407 $rqb->rows( [ $_GET['a'] => [] ] );// Safe
408 $rqb->rows( [ $_GET['a'] => [ 'foo' => $_GET['a'] ] ] );// Safe
409 // FIXME: After T361523 and a new release, the suppression must be enabled
410 $rqb->rows( [ $_GET['a'] => [ $_GET['a'] => 'foo' ] ] );// phan-suppress-current-line SecurityCheck-SQLInjection
411
412 $rqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
413 }
414
415 function testUpdateQueryBuilder( UpdateQueryBuilder $uqb ) {
416 $uqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
417 $uqb->update( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
418
419 $uqb->where( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
420 $uqb->where( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
421 $uqb->where( [ 'foo' => $_GET['a'] ] );// Safe
422 $uqb->andWhere( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
423 $uqb->andWhere( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
424 $uqb->andWhere( [ 'foo' => $_GET['a'] ] );// Safe
425 $uqb->conds( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
426 $uqb->conds( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
427 $uqb->conds( [ 'foo' => $_GET['a'] ] );// Safe
428
429 $uqb->set( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
430 $uqb->set( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
431 $uqb->set( [ 'x' => $_GET['a'] ] );// Safe
432 $uqb->andSet( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
433 $uqb->andSet( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
434 $uqb->andSet( [ 'x' => $_GET['a'] ] );// Safe
435
436 $uqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
437 }
438
439 function testDeleteQueryBuilder( DeleteQueryBuilder $dqb ) {
440 $dqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
441 $dqb->deleteFrom( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
442 $dqb->delete( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
443
444 $dqb->where( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
445 $dqb->where( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
446 $dqb->where( [ 'foo' => $_GET['a'] ] );// Safe
447 $dqb->andWhere( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
448 $dqb->andWhere( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
449 $dqb->andWhere( [ 'foo' => $_GET['a'] ] );// Safe
450 $dqb->conds( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
451 $dqb->conds( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
452 $dqb->conds( [ 'foo' => $_GET['a'] ] );// Safe
453
454 $dqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
455 }
456
457 function testUnionQueryBuilder( UnionQueryBuilder $uqb ) {
458 $uqb->orderBy( $_GET['a'], $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
459
460 $uqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
461
462 echo $uqb->fetchResultSet();// @phan-suppress-current-line SecurityCheck-XSS
463 echo $uqb->fetchField();// @phan-suppress-current-line SecurityCheck-XSS
464 echo $uqb->fetchFieldValues();// @phan-suppress-current-line SecurityCheck-XSS
465 echo $uqb->fetchRow();// @phan-suppress-current-line SecurityCheck-XSS
466 }
467
468 /**
469 * @suppress PhanPluginUseReturnValueKnown
470 */
471 function testExpression( \Wikimedia\Rdbms\IDatabase $db ) {
472 $db->expr( $_GET['field'], '=', 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
473 $db->expr( 'a', $_GET['op'], 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
474 $db->expr( 'a', '=', $_GET['value'] ); // Safe
475
476 new Expression( $_GET['field'], '=', 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
477 new Expression( 'a', $_GET['op'], 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
478 new Expression( 'a', '=', $_GET['value'] ); // Safe
479
480 new Expression( $_GET['field'], '=', new RawSQLValue( 'a' ) ); // @phan-suppress-current-line SecurityCheck-SQLInjection
481 new Expression( 'a', $_GET['op'], new RawSQLValue( 'a' ) ); // @phan-suppress-current-line SecurityCheck-SQLInjection
482 new Expression( 'a', '=', new RawSQLValue( $_GET['value'] ) ); // @phan-suppress-current-line SecurityCheck-SQLInjection
483
484 $safeExpr = new Expression( 'a', '=', 'a' );
485 $safeExpr->and( $_GET['field'], '=', 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
486 $safeExpr->and( 'a', $_GET['op'], 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
487 $safeExpr->and( 'a', '=', $_GET['value'] ); // Safe
488 $safeExpr->or( $_GET['field'], '=', 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
489 $safeExpr->or( 'a', $_GET['op'], 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
490 $safeExpr->or( 'a', '=', $_GET['value'] ); // Safe
491
492 $andExpr = $safeExpr->andExpr( $safeExpr );
493 $andExpr->and( $_GET['field'], '=', 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
494 $andExpr->and( 'a', $_GET['op'], 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
495 $andExpr->and( 'a', '=', $_GET['value'] ); // Safe
496 $andExpr2 = $db->andExpr( [ $safeExpr ] );
497
498 $orExpr = $safeExpr->orExpr( $safeExpr );
499 $orExpr->or( $_GET['field'], '=', 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
500 $orExpr->or( 'a', $_GET['op'], 'a' ); // @phan-suppress-current-line SecurityCheck-SQLInjection
501 $orExpr->or( 'a', '=', $_GET['value'] ); // Safe
502 $orExpr2 = $db->orExpr( [ $safeExpr ] );
503
504 $unsafeExpr = new Expression( $_GET['a'], $_GET['a'], $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
505
506 $unsafeRawSQL = new RawSQLExpression( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-SQLInjection
507 $unsafeRawSQL->andExpr( new RawSQLExpression( 'b > ' . $_GET['a'] ) ); // @phan-suppress-current-line SecurityCheck-SQLInjection
508 $unsafeRawSQL->andExpr( new RawSQLExpression( 'a > b ' ) ); // Safe
509
510 // Not validated at this point, only when building the Expression
511 $db->newSelectQueryBuilder()->where( $safeExpr );
512 $db->newSelectQueryBuilder()->where( $unsafeExpr );
513 $db->newSelectQueryBuilder()->where( $unsafeRawSQL );
514 }
515
516 function testMessage( Message $msg ) {
517 echo $msg->plain();// @phan-suppress-current-line SecurityCheck-XSS
518 echo $msg->text();// @phan-suppress-current-line SecurityCheck-XSS
519 echo $msg->parseAsBlock(); // Safe
520 htmlspecialchars( $msg->parseAsBlock() );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
521 echo $msg->parse(); // Safe
522 htmlspecialchars( $msg->parse() );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
523 echo $msg->escaped(); // Safe
524 htmlspecialchars( $msg->escaped() );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
525 echo $msg->__toString(); // Safe
526 htmlspecialchars( $msg->__toString() );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
527 $msg->rawParams( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
528 echo $msg->rawParams( '' );// Safe
529 shell_exec( $msg->rawParams( '' ) );// Safe
530 }
531
532 function testStripState( StripState $ss ) {
533 $ss->addNoWiki( $_GET['a'], '' );//Safe
534 $ss->addNoWiki( '', $_GET['b'] );// @phan-suppress-current-line SecurityCheck-XSS
535 $ss->addGeneral( $_GET['a'], '' );//Safe
536 $ss->addGeneral( '', $_GET['b'] );// @phan-suppress-current-line SecurityCheck-XSS
537 }
538
539 function testShellFunctions(
540 Shell $shell,
541 \MediaWiki\Shell\Command $shellCmd,
542 \Shellbox\Command\Command $shellboxCmd,
543 Result $result, // Alias of UnboxedResult
544 UnboxedResult $unboxedResult
545 ) {
546 wfShellExec( [ $_GET['a'] ] );// Safe
547 wfShellExec( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-ShellInjection
548 echo wfShellExec( '' );// @phan-suppress-current-line SecurityCheck-XSS
549
550 wfShellExecWithStderr( [ $_GET['a'] ] );// Safe
551 wfShellExecWithStderr( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-ShellInjection
552 echo wfShellExecWithStderr( '' );// @phan-suppress-current-line SecurityCheck-XSS
553
554 shell_exec( wfEscapeShellArg( $_GET['a'] ) ); // Safe
555 shell_exec( wfEscapeShellArg( '', '', '', '', '', $_GET['a'] ) ); // Safe
556 echo wfEscapeShellArg( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-XSS
557 echo wfEscapeShellArg( '', '', '', '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-XSS
558
559 shell_exec( $shell->escape( $_GET['a'] ) ); // Safe
560 shell_exec( $shell->escape( '', '', '', '', '', $_GET['a'] ) ); // Safe
561 echo $shell->escape( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-XSS
562 echo $shell->escape( '', '', '', '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-XSS
563
564 $shellCmd->unsafeParams( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-ShellInjection
565 $shellCmd->unsafeParams( '', '', '', '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-ShellInjection
566
567 shell_exec( Shellbox::escape( $_GET['a'] ) ); // Safe
568 shell_exec( Shellbox::escape( '', '', '', '', '', $_GET['a'] ) ); // Safe
569 echo Shellbox::escape( $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-XSS
570 echo Shellbox::escape( '', '', '', '', '', $_GET['a'] ); // @phan-suppress-current-line SecurityCheck-XSS
571
572 $shellboxCmd->unsafeParams( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-ShellInjection
573 $shellboxCmd->unsafeParams( '', '', '', '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-ShellInjection
574
575 echo $result->getStdout();// @phan-suppress-current-line SecurityCheck-XSS
576 echo $result->getStderr();// @phan-suppress-current-line SecurityCheck-XSS
577
578 echo $unboxedResult->getStdout();// @phan-suppress-current-line SecurityCheck-XSS
579 echo $unboxedResult->getStderr();// @phan-suppress-current-line SecurityCheck-XSS
580 }
581
582 function testHtml() {
583 echo Html::rawElement( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
584 Html::rawElement( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
585 echo Html::rawElement( '', $_GET['a'] );// Safe
586 echo Html::rawElement( '', [], $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
587 echo Html::rawElement( '', [], '' );// Safe
588 htmlspecialchars( Html::rawElement( '', [], '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
589
590 echo Html::element( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
591 Html::element( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
592 echo Html::element( '', $_GET['a'] );// Safe
593 echo Html::element( '', [], htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
594 echo Html::element( '', [], $_GET['a'] );// Safe
595 echo Html::element( '', [], '' );// Safe
596 htmlspecialchars( Html::element( '', [], '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
597
598 echo Html::encodeJsVar( $_GET['a'] );// Safe
599 echo Html::encodeJsVar( htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
600
601 echo Html::encodeJsCall( $_GET['a'], [] );// @phan-suppress-current-line SecurityCheck-XSS
602 echo Html::encodeJsCall( '', $_GET['a'] );// Safe
603 echo Html::encodeJsCall( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
604 }
605
606 /**
607 * Non-namespaced alias of the Html class.
608 */
609 function testHtmlAlias() {
610 echo \Html::rawElement( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
611 \Html::rawElement( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
612 echo \Html::rawElement( '', $_GET['a'] );// Safe
613 echo \Html::rawElement( '', [], $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
614 echo \Html::rawElement( '', [], '' );// Safe
615 htmlspecialchars( \Html::rawElement( '', [], '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
616
617 echo \Html::element( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
618 \Html::element( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
619 echo \Html::element( '', $_GET['a'] );// Safe
620 echo \Html::element( '', [], htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
621 echo \Html::element( '', [], $_GET['a'] );// Safe
622 echo \Html::element( '', [], '' );// Safe
623 htmlspecialchars( \Html::element( '', [], '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
624 }
625
626 function textXml() {
627 echo \MediaWiki\Xml\Xml::tags( $_GET['a'], [], '' );// @phan-suppress-current-line SecurityCheck-XSS
628 \MediaWiki\Xml\Xml::tags( '', [ htmlspecialchars( '' ) ], '' );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
629 echo \MediaWiki\Xml\Xml::tags( '', $_GET['a'], '' );// Safe
630 echo \MediaWiki\Xml\Xml::tags( '', [], $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
631 echo \MediaWiki\Xml\Xml::tags( '', [], '' );// Safe
632 htmlspecialchars( \MediaWiki\Xml\Xml::tags( '', [], '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
633
634 echo \MediaWiki\Xml\Xml::element( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
635 \MediaWiki\Xml\Xml::element( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
636 echo \MediaWiki\Xml\Xml::element( '', $_GET['a'] );// Safe
637 echo \MediaWiki\Xml\Xml::element( '', [], htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
638 echo \MediaWiki\Xml\Xml::element( '', [], $_GET['a'] );// Safe
639 echo \MediaWiki\Xml\Xml::element( '', [], '' );// Safe
640 htmlspecialchars( \MediaWiki\Xml\Xml::element( '', [], '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
641
642 echo \MediaWiki\Xml\Xml::encodeJsVar( $_GET['a'] );// Safe
643 echo \MediaWiki\Xml\Xml::encodeJsVar( htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
644
645 echo \MediaWiki\Xml\Xml::encodeJsCall( $_GET['a'], [] );// @phan-suppress-current-line SecurityCheck-XSS
646 echo \MediaWiki\Xml\Xml::encodeJsCall( '', $_GET['a'] );// Safe
647 echo \MediaWiki\Xml\Xml::encodeJsCall( '', [ htmlspecialchars( '' ) ] );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
648 }
649
650 function testHtmlArmor() {
651 new HtmlArmor( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
652 }
653
654 function testOutputPage( \MediaWiki\Output\OutputPage $out ) {
655 $out->addHeadItem( $_GET['a'], '' );// safe
656 $out->addHeadItem( '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
657 $out->addHeadItems( [ 'foo' => $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-XSS
658
659 $out->addHTML( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
660
661 $out->prependHTML( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
662
663 $out->addInlineStyle( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
664 $out->addSubtitle( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
665 $out->setSubtitle( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
666 $out->addScript( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
667 $out->addInlineScript( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
668 $out->setIndicators( [ 'foo' => $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-XSS
669 }
670
671 /**
672 * Non-namespaced alias of the OutputPage class.
673 */
674 function testOutputPageAlias( \OutputPage $out ) {
675 $out->addHeadItem( $_GET['a'], '' );// safe
676 $out->addHeadItem( '', $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
677 $out->addHeadItems( [ 'foo' => $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-XSS
678
679 $out->addHTML( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
680
681 $out->prependHTML( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
682
683 $out->addInlineStyle( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
684 $out->addSubtitle( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
685 $out->setSubtitle( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
686 $out->addScript( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
687 $out->addInlineScript( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
688 $out->setIndicators( [ 'foo' => $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-XSS
689 }
690
691 function testSanitizer() {
692 echo Sanitizer::escapeHtmlAllowEntities( $_GET['a'] );// Safe
693 shell_exec( Sanitizer::escapeHtmlAllowEntities( $_GET['a'] ) );// @phan-suppress-current-line SecurityCheck-ShellInjection
694 htmlspecialchars( Sanitizer::escapeHtmlAllowEntities( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
695
696 echo Sanitizer::safeEncodeAttribute( $_GET['a'] );// Safe
697 Sanitizer::safeEncodeAttribute( htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
698 htmlspecialchars( Sanitizer::safeEncodeAttribute( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
699
700 echo Sanitizer::encodeAttribute( $_GET['a'] );// Safe
701 Sanitizer::encodeAttribute( htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
702 htmlspecialchars( Sanitizer::encodeAttribute( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
703 }
704
705 /**
706 * Non-namespaced alias of the Sanitizer class.
707 */
708 function testSanitizerAlias() {
709 echo \Sanitizer::escapeHtmlAllowEntities( $_GET['a'] );// Safe
710 shell_exec( \Sanitizer::escapeHtmlAllowEntities( $_GET['a'] ) );// @phan-suppress-current-line SecurityCheck-ShellInjection
711 htmlspecialchars( \Sanitizer::escapeHtmlAllowEntities( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
712
713 echo \Sanitizer::safeEncodeAttribute( $_GET['a'] );// Safe
714 \Sanitizer::safeEncodeAttribute( htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
715 htmlspecialchars( \Sanitizer::safeEncodeAttribute( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
716
717 echo \Sanitizer::encodeAttribute( $_GET['a'] );// Safe
718 \Sanitizer::encodeAttribute( htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
719 htmlspecialchars( \Sanitizer::encodeAttribute( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
720 }
721
722 function testWebRequest( WebRequest $req ) {
723 // @phan-suppress-next-line PhanAccessMethodPrivate
724 echo $req->getGPCVal( [], '', '' );// @phan-suppress-current-line SecurityCheck-XSS
725 echo $req->getRawVal( '' );// @phan-suppress-current-line SecurityCheck-XSS
726 echo $req->getVal( '' );// @phan-suppress-current-line SecurityCheck-XSS
727 echo $req->getArray( '' );// @phan-suppress-current-line SecurityCheck-XSS
728 echo $req->getIntArray( '' );// Safe
729 echo $req->getInt( '' );// Safe
730 echo $req->getIntOrNull( '' );// Safe
731 echo $req->getFloat( '' );// Safe
732 echo $req->getBool( '' );// Safe
733 echo $req->getFuzzyBool( '' );// Safe
734 echo $req->getCheck( '' );// Safe
735 echo $req->getText( '' );// @phan-suppress-current-line SecurityCheck-XSS
736 echo $req->getValues( '' );// @phan-suppress-current-line SecurityCheck-XSS
737 echo $req->getValueNames( [] );// @phan-suppress-current-line SecurityCheck-XSS
738 echo $req->getQueryValues();// @phan-suppress-current-line SecurityCheck-XSS
739 echo $req->getRawQueryString();// @phan-suppress-current-line SecurityCheck-XSS
740 echo $req->getRawPostString();// @phan-suppress-current-line SecurityCheck-XSS
741 echo $req->getRawInput();// @phan-suppress-current-line SecurityCheck-XSS
742 echo $req->getCookie( '' );// @phan-suppress-current-line SecurityCheck-XSS
743 echo WebRequest::getGlobalRequestURL();// @phan-suppress-current-line SecurityCheck-XSS
744 echo $req->getRequestURL();// @phan-suppress-current-line SecurityCheck-XSS
745 echo $req->getFullRequestURL();// @phan-suppress-current-line SecurityCheck-XSS
746 echo $req->getAllHeaders();// @phan-suppress-current-line SecurityCheck-XSS
747 echo $req->getHeader( '' );// @phan-suppress-current-line SecurityCheck-XSS
748 echo $req->getAcceptLang();// @phan-suppress-current-line SecurityCheck-XSS
749 }
750
751 /**
752 * Non-namespaced alias of the WebRequest class.
753 */
754 function testWebRequestAlias( \WebRequest $req ) {
755 // @phan-suppress-next-line PhanAccessMethodPrivate
756 echo $req->getGPCVal( [], '', '' );// @phan-suppress-current-line SecurityCheck-XSS
757 echo $req->getRawVal( '' );// @phan-suppress-current-line SecurityCheck-XSS
758 echo $req->getVal( '' );// @phan-suppress-current-line SecurityCheck-XSS
759 echo $req->getArray( '' );// @phan-suppress-current-line SecurityCheck-XSS
760 echo $req->getIntArray( '' );// Safe
761 echo $req->getInt( '' );// Safe
762 echo $req->getIntOrNull( '' );// Safe
763 echo $req->getFloat( '' );// Safe
764 echo $req->getBool( '' );// Safe
765 echo $req->getFuzzyBool( '' );// Safe
766 echo $req->getCheck( '' );// Safe
767 echo $req->getText( '' );// @phan-suppress-current-line SecurityCheck-XSS
768 echo $req->getValues( '' );// @phan-suppress-current-line SecurityCheck-XSS
769 echo $req->getValueNames( [] );// @phan-suppress-current-line SecurityCheck-XSS
770 echo $req->getQueryValues();// @phan-suppress-current-line SecurityCheck-XSS
771 echo $req->getRawQueryString();// @phan-suppress-current-line SecurityCheck-XSS
772 echo $req->getRawPostString();// @phan-suppress-current-line SecurityCheck-XSS
773 echo $req->getRawInput();// @phan-suppress-current-line SecurityCheck-XSS
774 echo $req->getCookie( '' );// @phan-suppress-current-line SecurityCheck-XSS
775 echo WebRequest::getGlobalRequestURL();// @phan-suppress-current-line SecurityCheck-XSS
776 echo $req->getRequestURL();// @phan-suppress-current-line SecurityCheck-XSS
777 echo $req->getFullRequestURL();// @phan-suppress-current-line SecurityCheck-XSS
778 echo $req->getAllHeaders();// @phan-suppress-current-line SecurityCheck-XSS
779 echo $req->getHeader( '' );// @phan-suppress-current-line SecurityCheck-XSS
780 echo $req->getAcceptLang();// @phan-suppress-current-line SecurityCheck-XSS
781 }
782
783 function testCommentStore( CommentStore $store, \Wikimedia\Rdbms\IDatabase $db ) {
784 echo $store->insert( $db, '' );// Safe
785 echo $store->getJoin( '' );// Safe
786 }
787
788 /**
789 * Non-namespaced alias of the CommentStore class.
790 */
791 function testCommentStoreAlias( \CommentStore $store, \Wikimedia\Rdbms\IDatabase $db ) {
792 echo $store->insert( $db, '' );// Safe
793 echo $store->getJoin( '' );// Safe
794 }
795
796 function testLinker( LinkTarget $target ) {
797 $unsafeTarget = $this->getUnsafeLinkTarget();
798 // Make sure taint-check knows it's unsafe
799 echo $unsafeTarget;// @phan-suppress-current-line SecurityCheck-XSS
800 echo Linker::linkKnown( $unsafeTarget );// Safe
801 echo Linker::linkKnown( $target, $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
802 echo Linker::linkKnown( $target, '', $_GET['a'] );// Safe
803 echo Linker::linkKnown( $target, '', [], $_GET['a'] );// Safe
804 echo Linker::linkKnown( $target, '', [], [], $_GET['a'] );// Safe
805 htmlspecialchars( Linker::linkKnown( $target ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
806 }
807
808 /**
809 * Non-namespaced alias of the Linker class.
810 */
811 function testLinkerAlias( LinkTarget $target ) {
812 $unsafeTarget = $this->getUnsafeLinkTarget();
813 // Make sure taint-check knows it's unsafe
814 echo $unsafeTarget;// @phan-suppress-current-line SecurityCheck-XSS
815 echo \Linker::linkKnown( $unsafeTarget );// Safe
816 echo \Linker::linkKnown( $target, $_GET['a'] );// @phan-suppress-current-line SecurityCheck-XSS
817 echo \Linker::linkKnown( $target, '', $_GET['a'] );// Safe
818 echo \Linker::linkKnown( $target, '', [], $_GET['a'] );// Safe
819 echo \Linker::linkKnown( $target, '', [], [], $_GET['a'] );// Safe
820 htmlspecialchars( \Linker::linkKnown( $target ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
821 }
822
823 function testLinkRenderer( LinkRenderer $linkRenderer, LinkTarget $target ) {
824 $unsafeTarget = $this->getUnsafeLinkTarget();
825 // Make sure taint-check knows it's unsafe
826 echo $unsafeTarget;// @phan-suppress-current-line SecurityCheck-XSS
827
828 echo $linkRenderer->makeLink( $unsafeTarget );// Safe
829 echo $linkRenderer->makeLink( $target, $_GET['a'] );// Safe
830 $linkRenderer->makeLink( $target, htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
831 echo $linkRenderer->makeLink( $target, '', $_GET['a'] );// Safe
832 echo $linkRenderer->makeLink( $target, '', [], $_GET['a'] );// Safe
833 htmlspecialchars( $linkRenderer->makeLink( $target ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
834
835 echo $linkRenderer->makeKnownLink( $unsafeTarget );// Safe
836 echo $linkRenderer->makeKnownLink( $target, $_GET['a'] );// Safe
837 $linkRenderer->makeKnownLink( $target, htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
838 echo $linkRenderer->makeKnownLink( $target, '', $_GET['a'] );// Safe
839 echo $linkRenderer->makeKnownLink( $target, '', [], $_GET['a'] );// Safe
840 htmlspecialchars( $linkRenderer->makeKnownLink( $target ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
841
842 echo $linkRenderer->makePreloadedLink( $unsafeTarget );// Safe
843 echo $linkRenderer->makePreloadedLink( $target, $_GET['a'] );// Safe
844 $linkRenderer->makePreloadedLink( $target, htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
845 echo $linkRenderer->makePreloadedLink( $target, '', $_GET['a'] );// Safe
846 echo $linkRenderer->makePreloadedLink( $target, '', '', $_GET['a'] );// Safe
847 htmlspecialchars( $linkRenderer->makePreloadedLink( $target ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
848
849 echo $linkRenderer->makeBrokenLink( $unsafeTarget );// Safe
850 echo $linkRenderer->makeBrokenLink( $target, $_GET['a'] );// Safe
851 $linkRenderer->makeBrokenLink( $target, htmlspecialchars( '' ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
852 echo $linkRenderer->makeBrokenLink( $target, '', $_GET['a'] );// Safe
853 echo $linkRenderer->makeBrokenLink( $target, '', [], $_GET['a'] );// Safe
854 htmlspecialchars( $linkRenderer->makeBrokenLink( $target ) );// @phan-suppress-current-line SecurityCheck-DoubleEscaped
855 }
856
857 /**
858 * NOTE: we can't type hint this as LinkTarget, or taint-check will think that it's safe
859 * due to __toString().
860 *
861 * @return-taint tainted
862 */
863 function getUnsafeLinkTarget() {
864 return $GLOBALS['unsafeLinkTarget'];
865 }
866
867 function testStatusValue() {
868 echo StatusValue::newGood( $_GET['a'] );// Safe
869 echo StatusValue::newGood( $_GET['a'] )->getValue();// Safe
870 echo StatusValue::newGood( $_GET['a'] )->setResult( true, $_GET['a'] );// Safe
871 }
872
873 function testStatus() {
874 echo Status::newGood( $_GET['a'] );// Safe
875 echo Status::newGood( $_GET['a'] )->getValue();// Safe
876 echo Status::newGood( $_GET['a'] )->setResult( true, $_GET['a'] );// Safe
877 }
878
879 function testStatusFormatter( StatusFormatter $f, StatusValue $sv ) {
880 echo $f->getWikiText( $sv ); // @phan-suppress-current-line SecurityCheck-XSS
881 echo $f->getHTML( $sv ); // Safe
882 echo $f->getMessage( $sv )->plain(); // @phan-suppress-current-line SecurityCheck-XSS
883 echo $f->getMessage( $sv )->parse(); // Safe
884
885 // Legacy deprecated methods
886 $status = Status::wrap( $sv );
887 echo $status->getWikiText(); // @phan-suppress-current-line SecurityCheck-XSS
888 echo $status->getHTML(); // Safe
889 echo $status->getMessage()->plain(); // @phan-suppress-current-line SecurityCheck-XSS
890 echo $status->getMessage()->parse(); // Safe
891 }
892
893 /**
894 * Non-namespaced alias of the Status class.
895 */
896 function testStatusAlias() {
897 echo \Status::newGood( $_GET['a'] );// Safe
898 echo \Status::newGood( $_GET['a'] )->getValue();// Safe
899 echo \Status::newGood( $_GET['a'] )->setResult( true, $_GET['a'] );// Safe
900 }
901
902 function testParserOutput( ParserOutput $po ) {
903 $po->setIndicator( 'foo', $_GET['a'] ); //@phan-suppress-current-line SecurityCheck-XSS
904 $po->setRawText( $_GET['a'] ); //@phan-suppress-current-line SecurityCheck-XSS
905 }
906 }
MediaWiki Core