From 84e7423175f5e52d90c2dc4f255f2aa67af2eb0f Mon Sep 17 00:00:00 2001
From: cgocast <c.gouttebroze@castsoftware.com>
Date: Wed, 6 Sep 2023 13:52:55 +0200
Subject: [PATCH 1/2] Detect DoS by sleep vimeo#10178

---
 UPGRADING.md                                  |  2 +-
 config.xsd                                    |  1 +
 docs/running_psalm/error_levels.md            |  1 +
 docs/running_psalm/issues.md                  |  1 +
 docs/running_psalm/issues/TaintedSleep.md     |  9 +++++
 .../Internal/Codebase/TaintFlowGraph.php      | 10 +++++
 src/Psalm/Issue/TaintedSleep.php              |  8 ++++
 src/Psalm/Type/TaintKind.php                  |  1 +
 src/Psalm/Type/TaintKindGroup.php             |  1 +
 stubs/CoreGenericFunctions.phpstub            | 22 +++++++++++
 tests/TaintTest.php                           | 37 ++++++++++++++++++-
 11 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 docs/running_psalm/issues/TaintedSleep.md
 create mode 100644 src/Psalm/Issue/TaintedSleep.php

diff --git a/UPGRADING.md b/UPGRADING.md
index 82ca1b2ed52..d7c70b165fa 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -11,7 +11,7 @@
 
 - [BC] The `TDependentListKey` type was removed and replaced with an optional property of the `TIntRange` type.
 
-- [BC] Value of constant `Psalm\Type\TaintKindGroup::ALL_INPUT` changed to reflect a new `TaintKind::INPUT_XPATH` have been added. Accordingly, default values for `$taint` parameters of `Psalm\Codebase::addTaintSource()` and `Psalm\Codebase::addTaintSink()` have been changed as well.
+- [BC] Value of constant `Psalm\Type\TaintKindGroup::ALL_INPUT` changed to reflect new `TaintKind::INPUT_SLEEP` and `TaintKind::INPUT_XPATH` have been added. Accordingly, default values for `$taint` parameters of `Psalm\Codebase::addTaintSource()` and `Psalm\Codebase::addTaintSink()` have been changed as well.
 
 - [BC] Property `Config::$shepherd_host` was replaced with `Config::$shepherd_endpoint`
 
diff --git a/config.xsd b/config.xsd
index eb5f11e2c21..32801507cbb 100644
--- a/config.xsd
+++ b/config.xsd
@@ -438,6 +438,7 @@
             <xs:element name="TaintedInput" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedLdap" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedShell" type="IssueHandlerType" minOccurs="0" />
+            <xs:element name="TaintedSleep" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedSql" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedSSRF" type="IssueHandlerType" minOccurs="0" />
             <xs:element name="TaintedSystemSecret" type="IssueHandlerType" minOccurs="0" />
diff --git a/docs/running_psalm/error_levels.md b/docs/running_psalm/error_levels.md
index 90b5d5351b3..25f08d77fa6 100644
--- a/docs/running_psalm/error_levels.md
+++ b/docs/running_psalm/error_levels.md
@@ -292,6 +292,7 @@ Level 5 and above allows a more non-verifiable code, and higher levels are even
  - [TaintedInput](issues/TaintedInput.md)
  - [TaintedLdap](issues/TaintedLdap.md)
  - [TaintedShell](issues/TaintedShell.md)
+ - [TaintedSleep](issues/TaintedSleep.md)
  - [TaintedSql](issues/TaintedSql.md)
  - [TaintedSSRF](issues/TaintedSSRF.md)
  - [TaintedSystemSecret](issues/TaintedSystemSecret.md)
diff --git a/docs/running_psalm/issues.md b/docs/running_psalm/issues.md
index 592225002e7..06c67302d4e 100644
--- a/docs/running_psalm/issues.md
+++ b/docs/running_psalm/issues.md
@@ -240,6 +240,7 @@
  - [TaintedInput](issues/TaintedInput.md)
  - [TaintedLdap](issues/TaintedLdap.md)
  - [TaintedShell](issues/TaintedShell.md)
+ - [TaintedSleep](issues/TaintedSleep.md)
  - [TaintedSql](issues/TaintedSql.md)
  - [TaintedSSRF](issues/TaintedSSRF.md)
  - [TaintedSystemSecret](issues/TaintedSystemSecret.md)
diff --git a/docs/running_psalm/issues/TaintedSleep.md b/docs/running_psalm/issues/TaintedSleep.md
new file mode 100644
index 00000000000..181cf045c89
--- /dev/null
+++ b/docs/running_psalm/issues/TaintedSleep.md
@@ -0,0 +1,9 @@
+# TaintedSleep
+
+Emitted when user-controlled input can be passed into a `sleep` call or similar.
+
+```php
+<?php
+
+sleep($_GET["seconds"]);
+```
diff --git a/src/Psalm/Internal/Codebase/TaintFlowGraph.php b/src/Psalm/Internal/Codebase/TaintFlowGraph.php
index ba4f20fcc53..548e95cf50e 100644
--- a/src/Psalm/Internal/Codebase/TaintFlowGraph.php
+++ b/src/Psalm/Internal/Codebase/TaintFlowGraph.php
@@ -19,6 +19,7 @@
 use Psalm\Issue\TaintedLdap;
 use Psalm\Issue\TaintedSSRF;
 use Psalm\Issue\TaintedShell;
+use Psalm\Issue\TaintedSleep;
 use Psalm\Issue\TaintedSql;
 use Psalm\Issue\TaintedSystemSecret;
 use Psalm\Issue\TaintedTextWithQuotes;
@@ -459,6 +460,15 @@ private function getChildNodes(
                                 );
                                 break;
 
+                            case TaintKind::INPUT_SLEEP:
+                                $issue = new TaintedSleep(
+                                    'Detected tainted sleep',
+                                    $issue_location,
+                                    $issue_trace,
+                                    $path,
+                                );
+                                break;
+
                             default:
                                 $issue = new TaintedCustom(
                                     'Detected tainted ' . $matching_taint,
diff --git a/src/Psalm/Issue/TaintedSleep.php b/src/Psalm/Issue/TaintedSleep.php
new file mode 100644
index 00000000000..4f2160ae1a1
--- /dev/null
+++ b/src/Psalm/Issue/TaintedSleep.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Psalm\Issue;
+
+final class TaintedSleep extends TaintedInput
+{
+    public const SHORTCODE = 323;
+}
diff --git a/src/Psalm/Type/TaintKind.php b/src/Psalm/Type/TaintKind.php
index e0f9f815ee5..c8f5af5a3bb 100644
--- a/src/Psalm/Type/TaintKind.php
+++ b/src/Psalm/Type/TaintKind.php
@@ -21,6 +21,7 @@ final class TaintKind
     public const INPUT_COOKIE = 'cookie';
     public const INPUT_HEADER = 'header';
     public const INPUT_XPATH = 'xpath';
+    public const INPUT_SLEEP = 'sleep';
     public const USER_SECRET = 'user_secret';
     public const SYSTEM_SECRET = 'system_secret';
 }
diff --git a/src/Psalm/Type/TaintKindGroup.php b/src/Psalm/Type/TaintKindGroup.php
index 2aa1256fd57..b37e3414e6d 100644
--- a/src/Psalm/Type/TaintKindGroup.php
+++ b/src/Psalm/Type/TaintKindGroup.php
@@ -22,5 +22,6 @@ final class TaintKindGroup
         TaintKind::INPUT_HEADER,
         TaintKind::INPUT_COOKIE,
         TaintKind::INPUT_XPATH,
+        TaintKind::INPUT_SLEEP,
     ];
 }
diff --git a/stubs/CoreGenericFunctions.phpstub b/stubs/CoreGenericFunctions.phpstub
index 89b18d0a444..026e90c65cb 100644
--- a/stubs/CoreGenericFunctions.phpstub
+++ b/stubs/CoreGenericFunctions.phpstub
@@ -1797,3 +1797,25 @@ if (defined('GLOB_BRACE')) {
  * @psalm-taint-sink shell $command
  */
 function exec(string $command, &$output = null, int &$result_code = null): string|false {}
+
+/**
+ * @psalm-taint-specialize
+ * @psalm-taint-sink sleep $seconds
+ */
+function sleep(int $seconds): int {}
+
+/**
+ * @psalm-taint-sink sleep $microseconds
+ */
+function usleep(int $microseconds): void {}
+
+/**
+ * @psalm-taint-sink sleep $seconds
+ * @psalm-taint-sink sleep $nanoseconds
+ */
+function time_nanosleep(int $seconds, int $nanoseconds): array|bool {}
+
+/**
+ * @psalm-taint-sink sleep $timestamp
+ */
+function time_sleep_until(float $timestamp): bool {}
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index 7efd9dae9c0..4a847bd4bb0 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -755,7 +755,7 @@ function bar(array $arr): void {
                     /**
                      * @psalm-taint-escape xpath
                      */
-                    function my_escaping_function_for_xpath(string input) : string {};
+                    function my_escaping_function_for_xpath(string $input) : string {};
 
                     function queryExpression(SimpleXMLElement $xml) : array|false|null {
                         $expression = $_GET["expression"];
@@ -763,6 +763,16 @@ function queryExpression(SimpleXMLElement $xml) : array|false|null {
                         return $xml->xpath($expression);
                     }',
             ],
+            'escapeSeconds' => [
+                'code' => '<?php
+                    /**
+                     * @psalm-taint-escape sleep
+                     */
+                    function my_escaping_function_for_seconds(mixed $input) : int {};
+
+                    $seconds = my_escaping_function_for_seconds($_GET["seconds"]);
+                    sleep($seconds);',
+            ],
         ];
     }
 
@@ -2540,6 +2550,31 @@ function evaluateExpression(DOMXPath $xpath) : mixed {
                     }',
                 'error_message' => 'TaintedXpath',
             ],
+            'taintedSleep' => [
+                'code' => '<?php
+                    sleep($_GET["seconds"]);',
+                'error_message' => 'TaintedSleep',
+            ],
+            'taintedUsleep' => [
+                'code' => '<?php
+                    usleep($_GET["microseconds"]);',
+                'error_message' => 'TaintedSleep',
+            ],
+            'taintedTimeNanosleepSeconds' => [
+                'code' => '<?php
+                    time_nanosleep($_GET["seconds"], 42);',
+                'error_message' => 'TaintedSleep',
+            ],
+            'taintedTimeNanosleepNanoseconds' => [
+                'code' => '<?php
+                    time_nanosleep(42, $_GET["nanoseconds"]);',
+                'error_message' => 'TaintedSleep',
+            ],
+            'taintedTimeSleepUntil' => [
+                'code' => '<?php
+                    time_sleep_until($_GET["timestamp"]);',
+                'error_message' => 'TaintedSleep',
+            ],
         ];
     }
 

From b706d38d54e04d923a31faec1dd8d36ca5a2699d Mon Sep 17 00:00:00 2001
From: cgocast <c.gouttebroze@castsoftware.com>
Date: Fri, 29 Sep 2023 09:32:19 +0200
Subject: [PATCH 2/2] Update shortcode

---
 src/Psalm/Issue/TaintedSleep.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Psalm/Issue/TaintedSleep.php b/src/Psalm/Issue/TaintedSleep.php
index 4f2160ae1a1..77c8b3f5ece 100644
--- a/src/Psalm/Issue/TaintedSleep.php
+++ b/src/Psalm/Issue/TaintedSleep.php
@@ -4,5 +4,5 @@
 
 final class TaintedSleep extends TaintedInput
 {
-    public const SHORTCODE = 323;
+    public const SHORTCODE = 324;
 }