From 788d515e2c9ab23ce8a855cc9edfd2b99df151bc Mon Sep 17 00:00:00 2001
From: Dmitry Khrysev
Date: Fri, 15 Jan 2021 12:23:39 +0200
Subject: [PATCH] OIS-417: Upgrade phpstan to 0.12.* for SQL Injection testing - fixed Internal error during checks for ->() checks
---
 src/Oro/Rules/Methods/QueryBuilderInjectionRule.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/Oro/Rules/Methods/QueryBuilderInjectionRule.php b/src/Oro/Rules/Methods/QueryBuilderInjectionRule.php
index f892ed3..052e0d4 100644
--- a/src/Oro/Rules/Methods/QueryBuilderInjectionRule.php
+++ b/src/Oro/Rules/Methods/QueryBuilderInjectionRule.php
@@ -164,6 +164,10 @@ private function isUnsafeStaticMethodCall(Node\Expr $value, Scope $scope): bool
         if ($className === 'self') {
             $className = $scope->getClassReflection()->getName();
         }
+
+        if ($value->name instanceof \PhpParser\Node\Expr\Variable) {
+            return false;
+        }
         $methodName = \strtolower((string)$value->name);
 
         // Whitelisted methods are safe
@@ -659,7 +663,8 @@ private function processStaticMethodCall(Node $node, Scope $scope)
      */
     private function checkClearMethodCall($type, $className, Node $value, Scope $scope)
     {
-        if (!empty($this->trustedData[$type][$className][\strtolower((string)$value->name)])
+        if (!$value->name instanceof \PhpParser\Node\Expr\Variable
+            && !empty($this->trustedData[$type][$className][\strtolower((string)$value->name)])
             && $value->args[0]->value instanceof Node\Expr\Variable
         ) {
             $this->trustVariable($value->args[0]->value, $scope);
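Review bot: The added `return false;` in `isUnsafeStaticMethodCall` makes every dynamically named static call (`Foo::$method(...)`) count as safe, so if the boolean means "unsafe" as the method name suggests, a query built through such a call is silently skipped by the injection rule instead of being reported; the conservative fix for a static analyser is `if (!$value->name instanceof Node\Identifier) { return true; }`, or at least a comment such as `// Dynamic method names cannot be resolved statically; treat the call as unsafe` explaining why a false negative is accepted here. The guard is also narrower than the crash it fixes: a PHP-Parser `StaticCall` name is `Identifier|Expr`, so `Foo::{$expr}()` or `Foo::$methods['x']()` still reaches the `(string)` cast and the same internal error, and testing for `!... instanceof Node\Identifier` covers all of them; the same applies to the guard added in `checkClearMethodCall` in the second hunk. Both hunks spell the class as `\PhpParser\Node\Expr\Variable` while the unchanged line next to them uses the imported `Node\Expr\Variable`, so the fully-qualified form is inconsistent with the surrounding style. The body of `isUnsafeStaticMethodCall` starts and ends outside the hunk.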