DoS by sleep

[cgocast]

The following piece of code is vulnerable to Denial of Service attacks

<?php

sleep($_GET["seconds"]);

Psalm returns no issue when run with --taint-analysis.

I'll write a PR in 6.x that raises a new issue named TaintedSleep

[kkmuffme]

I think this isn't an issue specific with sleep, but an overall issue in TaintAnalysis that is should always give an error when we pass $_GET to a function, unless it is specifically declared as a sanitizing function for that param.

[cgocast]

I am not sure to understand you. Do you mean that if we pass $_GET to max, then psalm should raise an error ?

[kkmuffme]

No. The current model of taint-sink isn't very robust in terms of security. If you forget to annotate an unsafe function or use a lib function that you cannot annotate, you suddenly opened up an security issue.
But alas this goes far beyond the this issues's request, so nvm :-)

[weirdan]

https://psalm.dev/r/fd07c5e482

Fixed in #10183

[psalm-github-bot]

I found these snippets:

https://psalm.dev/r/fd07c5e482

<?php // --taint-analysis
sleep($_GET["seconds"]);

Psalm output (using commit 6b27a6d):

ERROR: TaintedSleep - 2:7 - Detected tainted sleep