Conversation
e09be54 to
2895794
Compare
| public string $name { | ||
| get { | ||
| return $this->name; | ||
| } | ||
| set { | ||
| $this->name = strtoupper($value); | ||
| } |
There was a problem hiding this comment.
I recommend to add a tainting test also for this material. Where $value is tainted for example.
| message: Detected first-class callable (desugared to Closure::fromCallable) | ||
| languages: [php] | ||
| severity: INFO | ||
| pattern: Closure::fromCallable(...) |
There was a problem hiding this comment.
We should document that this is the only way to match such constructs.
There was a problem hiding this comment.
will add a php upgrade in wiki
|
Property hooks don't produce correct AST. Example from https://www.php.net/manual/en/language.oop5.property-hooks.php <?php
class Example
{
private bool $modified = false;
public string $foo = 'default value' {
get {
if ($this->modified) {
return $this->foo . ' (modified)';
}
return $this->foo;
}
set(string $value) {
$this->foo = strtolower($value);
$this->modified = true;
}
}
}
$example = new Example();
$example->foo = 'changed';
print $example->foo;
?>The AST for DefStmt(
({
name=EN(
Id(("$foo", ()),
{id_flags=Ref(0);
id_resolved_alternative=Ref([]);
id_resolved=Ref(Some((EnclosedVar, 2)));
id_type=Ref(Some({t_attrs=[];
t=TyN(
Id(("string", ()),
{id_flags=Ref(
2);
id_resolved_alternative=Ref(
[]);
id_resolved=Ref(
None);
id_type=Ref(
None);
id_svalue=Ref(
None); }));
}));
id_svalue=Ref(None); }));
attrs=[KeywordAttr((Public, ()))]; tparams=None; },
VarDef(
{
vinit=Some(ArrayAccess(
L(String(("default value", ()))),
ArrayAccess(
Call(
ArrayAccess(
N(
Id(("get", ()),
{id_flags=Ref(2);
id_resolved_alternative=Ref(
[]); id_resolved=Ref(
None); id_type=Ref(None);
id_svalue=Ref(None); })),
DotAccess(
ArrayAccess(
Call(
N(
Id(("if", ()),
{id_flags=Ref(2);
id_resolved_alternative=Ref(
[]);
id_resolved=Ref(
None);
id_type=Ref(None);
id_svalue=Ref(None); })),
[Arg(
DotAccess(
IdSpecial((This, ())),
(),
FN(
Id(("modified", ()),
{id_flags=Ref(
0);
id_resolved_alternative=Ref(
[]);
id_resolved=Ref(
None);
id_type=Ref(
None);
id_svalue=Ref(
None); }))))]),
Call(
IdSpecial((Op(Concat), ())),
[Arg(
DotAccess(
IdSpecial((This, ())),
(),
FN(
Id(("foo", ()),
{id_flags=Ref(
0);
id_resolved_alternative=Ref(
[]);
id_resolved=Ref(
None);
id_type=Ref(
None);
id_svalue=Ref(
None); }))));
Arg(
L(
String(
(" (modified)", ()))))])),
(),
FN(
Id(("foo", ()),
{id_flags=Ref(0);
id_resolved_alternative=Ref(
[]); id_resolved=Ref(
None); id_type=Ref(
None); id_svalue=Ref(
None); })))),
[Arg(
N(
Id(("$value", ()),
{id_flags=Ref(2);
id_resolved_alternative=Ref(
[]); id_resolved=Ref(
None); id_type=Ref(None);
id_svalue=Ref(None); })))]),
Assign(
DotAccess(IdSpecial((This, ())), (),
FN(
Id(("modified", ()),
{id_flags=Ref(0);
id_resolved_alternative=Ref(
[]); id_resolved=Ref(
None); id_type=Ref(None);
id_svalue=Ref(None); }))),
(), L(Bool((true, ())))))));
vtype=Some({t_attrs=[];
t=TyN(
Id(("string", ()),
{id_flags=Ref(2);
id_resolved_alternative=Ref(
[]); id_resolved=Ref(None);
id_type=Ref(None);
id_svalue=Ref(None); }));
});
vtok=None; })))It seems that things in |
|
a9f9554 to
abec309
Compare
|
For some reason I cannot comment on @maciejpirog comment above. Now the thing parses fine and you can see a tainting test as well |
I think because it was his review comment, but it's possible to "quote reply". |
see #297
class constants visibility multicatch dynamic constant types
7bf6402 to
ffca1c0
Compare
dimitris-m
left a comment
There was a problem hiding this comment.
LGTM - modulo small comments
ffca1c0 to
7ab6373
Compare
|
The AST looks good now! One thing to consider in future is the naming of the functions that represent setters and getters. They are now always called I don't think it's urgent, because, as I understand it, at the moment we don't use properties in intrafile tainting, and whenever we have |
Maybe open an issue for this? So we don't forget. |
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [opengrep/opengrep](https://github.com/opengrep/opengrep) | minor | `v1.14.1` → `v1.15.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>opengrep/opengrep (opengrep/opengrep)</summary> ### [`v1.15.1`](https://github.com/opengrep/opengrep/releases/tag/v1.15.1): Opengrep 1.15.1 [Compare Source](opengrep/opengrep@v1.15.0...v1.15.1) #### Bug fixes - Clojure translation improvements by [@​dimitris-m](https://github.com/dimitris-m) in [#​534](opengrep/opengrep#534) **Full Changelog**: <opengrep/opengrep@v1.15.0...v1.15.1> ### [`v1.15.0`](https://github.com/opengrep/opengrep/releases/tag/v1.15.0): Opengrep 1.15.0 [Compare Source](opengrep/opengrep@v1.14.1...v1.15.0) #### What's Changed - Clojure translation part III by [@​dimitris-m](https://github.com/dimitris-m) in [#​527](opengrep/opengrep#527) - Php modernisation by [@​corneliuhoffman](https://github.com/corneliuhoffman) in [#​529](opengrep/opengrep#529) - Intrafile tainting with variadic functions by [@​maciejpirog](https://github.com/maciejpirog) in [#​538](opengrep/opengrep#538) - C#: The `field` implicit parameter can be skipped in a pattern by [@​maciejpirog](https://github.com/maciejpirog) in [#​525](opengrep/opengrep#525) - C#: Add conditional array access (`?[...]`) to l-values by [@​maciejpirog](https://github.com/maciejpirog) in [#​535](opengrep/opengrep#535) - C#: Collection expressions vs attributes with targets (parser fix) by [@​maciejpirog](https://github.com/maciejpirog) in [#​539](opengrep/opengrep#539) - Add `noopengrep` to the default nosem patterns by [@​dimitris-m](https://github.com/dimitris-m) in [#​533](opengrep/opengrep#533) **Full Changelog**: <opengrep/opengrep@v1.14.1...v1.15.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44MS4yIiwidXBkYXRlZEluVmVyIjoiNDIuODIuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90IiwiYXV0b21hdGlvbjpib3QtYXV0aG9yZWQiLCJkZXBlbmRlbmN5LXR5cGU6Om1pbm9yIl19-->
PHP 7.1 - 8.4 Syntax Support
Adds comprehensive PHP syntax support to the Menhir parser. Closes #297.
b0529bc - added tests
Initial test files for PHP 8.x features.
d3da661 - readonly fix
PHP 8.2: Readonly Classes
18aa6ce - Union and Intersection DNF
PHP 8.2: DNF Types (Disjunctive Normal Form)
b59447d - property hooks
PHP 8.4: Property Hooks
aaed1fb - asymmetric visibility private(set) and protected(set)
PHP 8.4: Asymmetric Visibility
19e3d19 - few others
PHP 7.1: Class Constant Visibility
PHP 7.1: Multi-Catch Exception Handling
PHP 8.3: Dynamic Class Constant Fetch
e09be54 - first-class callable syntax
PHP 8.1: First-Class Callable Syntax