Ideas on how to detect presence of quotes around source in tainted path? #8409
-
Hey, I am looking to detect the presence of quotes (') around the source in the detected tainted path, specifically in the context of the html and sql taint types! Example - https://psalm.dev/r/2e7f6cb7bb Is there any way of achieving this goal? I can't find a way of detecting it in the current feature set of Psalm (e.g. annotations, defining custom sources/sinks). I think I might have to dig into the internal codebase for this! Thanks!!!
Replies: 3 comments
-
Those quotes don't help you, that's still vulnerable. The string itself needs to be escaped. E.g.: https://3v4l.org/0BFcB http://sqlfiddle.com/#!9/f3613d/2
-
That is correct, quotes don't help in sanitization in any way in normal cases. But they do in the case of magic quotes addition in WordPress. So in a way, I want to detect quotes around the sink to reduce the false-positive rate.
-
You might be able to make a plugin using RemoveTaintsInterface. The AddRemoveTaintsEvent should give you access to the PhpParser Expr which you could check manually; it won't be trivial though, as you'll need to make sure multiple variables are handled correctly.

Whatever you end up doing, if you publish it please document very explicitly that it's only safe due to WordPress's automatic quote escaping. It would be very easy for this to turn a true-positive into a false-negative.
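The plugin shape the reply above sketches, as an added example that is not from this thread or from Psalm's own code. It implements `RemoveTaintsInterface`, flattens the `PhpParser` expression handed over by `AddRemoveTaintsEvent` (both `"... '$a' ..."` interpolation and `"... '" . $a . "'"` concatenation, so several variables are handled), and drops only the `sql` taint, and only when every non-literal part is immediately wrapped in single quotes. The class and namespace names (`QuotedSqlTaintPlugin`, `QuotedSqlTaintHandler`) are my own; the Psalm interfaces, `TaintKind::INPUT_SQL` and the `PhpParser` node classes are real, and the check is deliberately conservative: a variable at either end of the string, two variables side by side, or a `LIKE '%$a%'` pattern all keep their taint. As the maintainer says, this is only sound where every input has already been backslash-escaped (WordPress's magic quotes), which is why the handler removes nothing for `html`.

```php
<?php
declare(strict_types=1);

namespace QuotedSqlTaintPlugin; // hypothetical namespace for this example

use PhpParser\Node;
use PhpParser\Node\Expr;
use PhpParser\Node\Expr\BinaryOp\Concat;
use PhpParser\Node\Scalar\Encapsed;
use PhpParser\Node\Scalar\EncapsedStringPart;
use PhpParser\Node\Scalar\String_;
use Psalm\Plugin\EventHandler\Event\AddRemoveTaintsEvent;
use Psalm\Plugin\EventHandler\RemoveTaintsInterface;
use Psalm\Plugin\PluginEntryPointInterface;
use Psalm\Plugin\RegistrationInterface;
use Psalm\Type\TaintKind;

final class QuotedSqlTaintHandler implements RemoveTaintsInterface
{
    /**
     * Psalm calls this for analysed expressions; the returned taint kinds are
     * removed from the expression. Only the `sql` kind is ever removed, and
     * only under the WordPress magic-quotes assumption documented above.
     *
     * @return list<string>
     */
    public static function removeTaints(AddRemoveTaintsEvent $event): array
    {
        $expr = $event->getExpr();
        // Only string-building expressions are of interest.
        if (!$expr instanceof Encapsed && !$expr instanceof Concat) {
            return [];
        }
        return self::allVariablesSingleQuoted($expr) ? [TaintKind::INPUT_SQL] : [];
    }

    /**
     * Flatten an interpolated string or a (possibly nested) concatenation into
     * an ordered list of literal strings and non-literal expressions.
     *
     * @return list<string|Expr>
     */
    public static function flatten(Node $node): array
    {
        if ($node instanceof Concat) {
            return array_merge(self::flatten($node->left), self::flatten($node->right));
        }
        if ($node instanceof String_) {
            return [$node->value];
        }
        if ($node instanceof Encapsed) {
            $parts = [];
            foreach ($node->parts as $part) {
                $parts[] = $part instanceof EncapsedStringPart ? $part->value : $part;
            }
            return $parts;
        }
        return [$node];
    }

    /**
     * True only if there is at least one non-literal part and each one is
     * directly preceded by a literal ending in ' and followed by a literal
     * starting with '.
     */
    public static function allVariablesSingleQuoted(Node $node): bool
    {
        // Merge adjacent literals so "... '" . "'" counts as one quote boundary.
        $merged = [];
        foreach (self::flatten($node) as $part) {
            if (is_string($part) && $merged !== [] && is_string(end($merged))) {
                $merged[count($merged) - 1] .= $part;
            } else {
                $merged[] = $part;
            }
        }

        $sawVariable = false;
        foreach ($merged as $i => $part) {
            if (is_string($part)) {
                continue;
            }
            $sawVariable = true;
            $before = $merged[$i - 1] ?? null;
            $after  = $merged[$i + 1] ?? null;
            if (!is_string($before) || !is_string($after)) {
                return false; // variable at an edge, or two variables adjacent
            }
            if (substr($before, -1) !== "'" || substr($after, 0, 1) !== "'") {
                return false; // not tightly wrapped in single quotes
            }
        }
        return $sawVariable;
    }
}

/** Entry point referenced from psalm.xml as <pluginClass class="QuotedSqlTaintPlugin\Plugin"/>. */
final class Plugin implements PluginEntryPointInterface
{
    public function __invoke(RegistrationInterface $registration, ?\SimpleXMLElement $config = null): void
    {
        $registration->registerHooksFromClass(QuotedSqlTaintHandler::class);
    }
}
```

Both classes need to be autoloadable (a composer `psr-4` entry for the namespace) before `registerHooksFromClass` can see the handler. Keeping the accepted shape this narrow is what makes the rule auditable: anything the check does not recognise, including `"'" . $a . "'"` built in a separate statement, stays reported, which is the safer failure mode for a taint-removal hook.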