Add base taint-check annotations to Delete- and UpdateQueryBuilder

Bug: T253380
Change-Id: I398a65e22b154702f6ec42bfff2676f4720b99ea

includes/libs/rdbms/querybuilder/DeleteQueryBuilder.php

@@ -93,6 +93,7 @@ class DeleteQueryBuilder {
 	 * Manually set the table name to be passed to IDatabase::delete()
 	 *
 	 * @param string $table The table name
+	 * @param-taint $table exec_sql
 	 * @return $this
 	 */
 	public function table( string $table ): DeleteQueryBuilder {
@@ -104,6 +105,7 @@ class DeleteQueryBuilder {
 	 * Set table for the query. Alias for table().
 	 *
 	 * @param string $table The table name
+	 * @param-taint $table exec_sql
 	 * @return $this
 	 */
 	public function deleteFrom( string $table ): DeleteQueryBuilder {
@@ -114,6 +116,7 @@ class DeleteQueryBuilder {
 	 * Set table for the query. Alias for table().
 	 *
 	 * @param string $table The table name
+	 * @param-taint $table exec_sql
 	 * @return $this
 	 */
 	public function delete( string $table ): DeleteQueryBuilder {
@@ -125,6 +128,7 @@ class DeleteQueryBuilder {
 	 * to the existing conditions, separated by AND.
 	 *
 	 * @param string|array $conds
+	 * @param-taint $conds exec_sql_numkey
 	 *
 	 * May be either a string containing a single condition, or an array of
 	 * conditions. If an array is given, the conditions constructed from each
@@ -180,6 +184,7 @@ class DeleteQueryBuilder {
 	 * Add conditions to the query. Alias for where().
 	 *
 	 * @param string|array $conds
+	 * @param-taint $conds exec_sql_numkey
 	 * @return $this
 	 */
 	public function andWhere( $conds ): DeleteQueryBuilder {
@@ -190,6 +195,7 @@ class DeleteQueryBuilder {
 	 * Add conditions to the query. Alias for where().
 	 *
 	 * @param string|array $conds
+	 * @param-taint $conds exec_sql_numkey
 	 * @return $this
 	 */
 	public function conds( $conds ): DeleteQueryBuilder {
@@ -200,6 +206,7 @@ class DeleteQueryBuilder {
 	 * Set the method name to be included in an SQL comment.
 	 *
 	 * @param string $fname
+	 * @param-taint $fname exec_sql
 	 * @return $this
 	 */
 	public function caller( string $fname ): DeleteQueryBuilder {

includes/libs/rdbms/querybuilder/UpdateQueryBuilder.php

@@ -113,6 +113,7 @@ class UpdateQueryBuilder {
 	 * Manually set the table name to be passed to IDatabase::update()
 	 *
 	 * @param string $table The table name
+	 * @param-taint $table exec_sql
 	 * @return $this
 	 */
 	public function table( $table ) {
@@ -124,6 +125,7 @@ class UpdateQueryBuilder {
 	 * Set table for the query. Alias for table().
 	 *
 	 * @param string $table The table name
+	 * @param-taint $table exec_sql
 	 * @return $this
 	 */
 	public function update( string $table ) {
@@ -164,6 +166,7 @@ class UpdateQueryBuilder {
 	 * to the existing conditions, separated by AND.
 	 *
 	 * @param string|array $conds
+	 * @param-taint $conds exec_sql_numkey
 	 *
 	 * May be either a string containing a single condition, or an array of
 	 * conditions. If an array is given, the conditions constructed from each
@@ -219,6 +222,7 @@ class UpdateQueryBuilder {
 	 * Add conditions to the query. Alias for where().
 	 *
 	 * @param string|array $conds
+	 * @param-taint $conds exec_sql_numkey
 	 * @return $this
 	 */
 	public function andWhere( $conds ) {
@@ -229,6 +233,7 @@ class UpdateQueryBuilder {
 	 * Add conditions to the query. Alias for where().
 	 *
 	 * @param string|array $conds
+	 * @param-taint $conds exec_sql_numkey
 	 * @return $this
 	 */
 	public function conds( $conds ) {
@@ -240,6 +245,7 @@ class UpdateQueryBuilder {
 	 * the set values.
 	 *
 	 * @param string|array $set
+	 * @param-taint $set exec_sql_numkey
 	 *
 	 * Combination map/list where each string-keyed entry maps a column
 	 * to a literal assigned value and each integer-keyed value is a SQL expression in the
@@ -275,6 +281,7 @@ class UpdateQueryBuilder {
 	 * Add set values to the query. Alias for set().
 	 *
 	 * @param string|array $set
+	 * @param-taint $set exec_sql_numkey
 	 * @return $this
 	 */
 	public function andSet( $set ) {
@@ -298,6 +305,7 @@ class UpdateQueryBuilder {
 	 * Set the method name to be included in an SQL comment.
 	 *
 	 * @param string $fname
+	 * @param-taint $fname exec_sql
 	 * @return $this
 	 */
 	public function caller( $fname ) {

tests/phan/TaintCheckAnnotationsTest.php

@@ -29,8 +29,10 @@ use MediaWiki\Status\Status;
 use MediaWiki\Title\TitleValue;
 use Shellbox\Command\UnboxedResult;
 use Shellbox\Shellbox;
+use Wikimedia\Rdbms\DeleteQueryBuilder;
 use Wikimedia\Rdbms\InsertQueryBuilder;
 use Wikimedia\Rdbms\SelectQueryBuilder;
+use Wikimedia\Rdbms\UpdateQueryBuilder;
 
 die( 'This file should never be loaded' );
 
@@ -383,6 +385,48 @@ class TaintCheckAnnotationsTest {
 		$iqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
 	}
 
+	function testUpdateQueryBuilder( UpdateQueryBuilder $uqb ) {
+		$uqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->update( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+
+		$uqb->where( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->where( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->where( [ 'foo' => $_GET['a'] ] );// Safe
+		$uqb->andWhere( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->andWhere( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->andWhere( [ 'foo' => $_GET['a'] ] );// Safe
+		$uqb->conds( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->conds( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->conds( [ 'foo' => $_GET['a'] ] );// Safe
+
+		$uqb->set( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->set( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->set( [ 'x' => $_GET['a'] ] );// Safe
+		$uqb->andSet( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->andSet( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$uqb->andSet( [ 'x' => $_GET['a'] ] );// Safe
+
+		$uqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+	}
+
+	function testDeleteQueryBuilder( DeleteQueryBuilder $dqb ) {
+		$dqb->table( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->deleteFrom( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->delete( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+
+		$dqb->where( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->where( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->where( [ 'foo' => $_GET['a'] ] );// Safe
+		$dqb->andWhere( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->andWhere( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->andWhere( [ 'foo' => $_GET['a'] ] );// Safe
+		$dqb->conds( [ $_GET['a'] ] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->conds( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+		$dqb->conds( [ 'foo' => $_GET['a'] ] );// Safe
+
+		$dqb->caller( $_GET['a'] );// @phan-suppress-current-line SecurityCheck-SQLInjection
+	}
+
 	function testMessage( Message $msg ) {
 		echo $msg->plain();// @phan-suppress-current-line SecurityCheck-XSS
 		echo $msg->text();// @phan-suppress-current-line SecurityCheck-XSS