fix: Move config.php taint trust upstream directly in OC\Config class

This solves some false-positive psalm taint errors

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

build/psalm-baseline-security.xml

@@ -11,32 +11,11 @@
       <code><![CDATA[$imageFile]]></code>
     </TaintedFile>
   </file>
-  <file src="lib/base.php">
-    <TaintedHeader>
-      <code><![CDATA['Location: ' . $url]]></code>
-      <code><![CDATA['Location: ' . \OC::$WEBROOT . '/']]></code>
-    </TaintedHeader>
-  </file>
   <file src="lib/private/Config.php">
     <TaintedHtml>
       <code><![CDATA[$this->cache]]></code>
     </TaintedHtml>
   </file>
-  <file src="lib/private/EventSource.php">
-    <TaintedHeader>
-      <code><![CDATA['Location: ' . \OC::$WEBROOT]]></code>
-    </TaintedHeader>
-  </file>
-  <file src="lib/private/Http/CookieHelper.php">
-    <TaintedHeader>
-      <code><![CDATA[$header]]></code>
-    </TaintedHeader>
-  </file>
-  <file src="lib/private/Installer.php">
-    <TaintedFile>
-      <code><![CDATA[$baseDir]]></code>
-    </TaintedFile>
-  </file>
   <file src="lib/private/OCS/ApiHelper.php">
     <TaintedHtml>
       <code><![CDATA[$body]]></code>
@@ -65,19 +44,6 @@
       <code><![CDATA[$sqliteFile]]></code>
     </TaintedFile>
   </file>
-  <file src="lib/private/legacy/OC_Helper.php">
-    <TaintedFile>
-      <code><![CDATA[$dest]]></code>
-      <code><![CDATA[$dest]]></code>
-      <code><![CDATA[$dir]]></code>
-      <code><![CDATA[$dir]]></code>
-    </TaintedFile>
-  </file>
-  <file src="lib/private/legacy/OC_JSON.php">
-    <TaintedHeader>
-      <code><![CDATA['Location: ' . \OC::$WEBROOT]]></code>
-    </TaintedHeader>
-  </file>
   <file src="lib/private/legacy/OC_Template.php">
     <TaintedHtml>
       <code><![CDATA[$exception->getTraceAsString()]]></code>

lib/private/Config.php

@@ -65,16 +65,36 @@ class Config {
 	 */
 	public function getValue($key, $default = null) {
 		if (isset($this->envCache[$key])) {
-			return $this->envCache[$key];
+			return self::trustSystemConfig($this->envCache[$key]);
 		}
 
 		if (isset($this->cache[$key])) {
-			return $this->cache[$key];
+			return self::trustSystemConfig($this->cache[$key]);
 		}
 
 		return $default;
 	}
 
+	/**
+	 * Since system config is admin controlled, we can tell psalm to ignore any taint
+	 *
+	 * @psalm-taint-escape callable
+	 * @psalm-taint-escape cookie
+	 * @psalm-taint-escape file
+	 * @psalm-taint-escape has_quotes
+	 * @psalm-taint-escape header
+	 * @psalm-taint-escape html
+	 * @psalm-taint-escape include
+	 * @psalm-taint-escape ldap
+	 * @psalm-taint-escape shell
+	 * @psalm-taint-escape sql
+	 * @psalm-taint-escape unserialize
+	 * @psalm-pure
+	 */
+	public static function trustSystemConfig(mixed $value): mixed {
+		return $value;
+	}
+
 	/**
 	 * Sets and deletes values and writes the config.php
 	 *

lib/private/SystemConfig.php

@@ -116,24 +116,6 @@ class SystemConfig {
 	) {
 	}
 
-	/**
-	 * Since system config is admin controlled, we can tell psalm to ignore any taint
-	 *
-	 * @psalm-taint-escape sql
-	 * @psalm-taint-escape html
-	 * @psalm-taint-escape ldap
-	 * @psalm-taint-escape callable
-	 * @psalm-taint-escape file
-	 * @psalm-taint-escape ssrf
-	 * @psalm-taint-escape cookie
-	 * @psalm-taint-escape header
-	 * @psalm-taint-escape has_quotes
-	 * @psalm-pure
-	 */
-	public static function trustSystemConfig(mixed $value): mixed {
-		return $value;
-	}
-
 	/**
 	 * Lists all available config keys
 	 * @return array an array of key names
@@ -170,7 +152,7 @@ class SystemConfig {
 	 * @return mixed the value or $default
 	 */
 	public function getValue($key, $default = '') {
-		return $this->trustSystemConfig($this->config->getValue($key, $default));
+		return $this->config->getValue($key, $default);
 	}
 
 	/**