Taint analysis
Taint analysis is the process of assessing the flow of untrusted user input throughout the body of a function or a method. If you have a taint in your code, hackers can execute these code fragments to cause SQL injection, arithmetic overflow, cross-site scripting, path traversal, etc.
The core goal of the taint analysis is to determine if unanticipated input can affect program execution in malicious ways.
Taint analysis is supported only by the Qodana for PHP linter starting from version 2023.1 of Qodana. This feature is available under the Ultimate Plus license.
How it works
Tainted data are called a Source, while a vulnerable function that may contain such data is a Sink. In this case, tainted data travel from sources to Sinks via propagators, such as function calls or assignments.
To prevent such propagation, the following approaches are applied by the Qodana for PHP inspections:
Data sanitization, i.e. data transformation to the safe state. Here, tags are removed to resolve the taint:
<?php $taint = $_GET['some_key']; $taint = strip_tags($taint);Data validation, i.e. checking the data conforms with a required pattern. In this sample, validation for the
$email
variable is enabled:<?php $email = $_GET['email']; if (filter_var($email, FILTER_VALIDATE_EMAIL)) { echo $email; }
Running the taint analysis
In the qodana.yaml
file, include the PhpVulnerablePathsInspection
inspection into the analysis scope:
Alternatively, you can use the inspections
section of qodana.yaml
: