Psalm's taint analysis does not work for magic properties with no phpdoc declaration

[TysonAndre]

https://psalm.dev/r/22857fa662

Expected: If a property with name foo is set to an unsafe value, then psalm should warn about reads from foo being tainted, but not properties with other names such as other, whether or not there is an @property tag
Observed: No TaintedInput warning is emitted if the @property tag is absent. The example would also properly emit a warning if __get/__set are removed

[psalm-github-bot]

I found these snippets:

https://psalm.dev/r/22857fa662

<?php // --taint-analysis

// Adding an (at)property string $taint would make psalm properly warn about this.
class Magic {
    private $_params = [];
    public function __set(string $a, $value) {
        $this->_params[$a] = $value;
    }
    public function __get(string $a) {
        return $this->_params[$a];
    }
}
$m = new Magic();
$m->taint = $_GET['input'];
echo $m->taint;
// There is no edge from Magic::$taint to echo. There's an edge from magic::__get to echo, though

Psalm output (using commit de85e7c):

No issues!

[TysonAndre]

Expected: If a property with name foo is set to an unsafe value, then psalm should warn about reads from foo being tainted, but not properties with other names such as other, whether or not there is an @property tag

ERROR: TaintedInput - src/dynamic.php:15:10 - Detected tainted html (see https://psalm.dev/205)
  $_GET
    <no known location>

  $_GET['unsafe'] - src/dynamic.php:14:13
    $a->x = $_GET['unsafe'];

  call to X::__set - src/dynamic.php:14:13
    $a->x = $_GET['unsafe'];

  X::__set#2 - src/dynamic.php:9:41
    public function __set(string $name, $value): void {

  $this->params[$name] - src/dynamic.php:10:9
        $this->params[$name] = $value;

  X::$params - src/dynamic.php:10:9
        $this->params[$name] = $value;

  X::$params
    <no known location>

  X::$params - src/dynamic.php:7:23
        return $this->params[$name];

  $this->params[$name] - src/dynamic.php:7:16
        return $this->params[$name];

  X::__get - src/dynamic.php:6:21
    public function __get(string $name) {

  call to echo - src/dynamic.php:15:10
    echo $b->y;

<?php
class X {
    private $params = [];

    /** @return mixed */
    public function __get(string $name) {
        return $this->params[$name];
    }
    public function __set(string $name, $value): void {
        $this->params[$name] = $value;
    }
}
function test(X $a, X $b) {
    $a->x = $_GET['unsafe'];
    echo $b->y;
}

I'd been hoping for a way to track taintedness of individual magic properties, even with an annotation or a stub class - here, it seems like $this->params is marked as tainted, so tainting a single property marks other properties as tainted.

Would automatically creating entries for dynamic properties be possible through a plugin/config setting/annotation at runtime before the taintedness is added? Would that conflict with psalm's threading(multiprocessing) support?

[TysonAndre]

- `PropertyExistenceProviderInterface` - can be used to override Psalm's builtin property existence checks for one or more classes.

That might be what I want

[TysonAndre]

It's possible to do this in a plugin, basing it on tests/Config/Plugin/Hook/FooPropertyProvider.php, if the __get and __set are deliberately no-op stubs in a stub class

    /**
     * @return ?bool
     * @override
     */
    public static function doesPropertyExist(
        string $fq_classlike_name,
        string $property_name,
        bool $read_mode,
        StatementsSource $source = null,
        Context $context = null,
        CodeLocation $code_location = null
    ) {
        // Pretending all magic properties exist and are declared so that individual property names taintedness will be checked separately.
        return true;
    }

    /**
     * @return ?bool
     * @override
     */
    public static function isPropertyVisible(
        StatementsSource $source,
        string $fq_classlike_name,
        string $property_name,
        bool $read_mode,
        Context $context = null,
        CodeLocation $code_location = null
    ) {
        return true;
    }

    /**
     * @return ?Type\Union
     * @override
     */
    public static function getPropertyType(
        string $fq_classlike_name,
        string $property_name,
        bool $read_mode,
        StatementsSource $source = null,
        Context $context = null
    ) {
        return Type::getMixed();
    }