jared
132098bee3
- tainted-filename: filenames in upload_attachment.php and user_avatar.php are derived exclusively from (int)-cast integers; no user string reaches the filesystem path. Semgrep's taint engine tracks all use-sites of the variable, producing findings on every file_exists/readfile/unlink call. - tainted-callable: index.php audit-log query passes \$sql to prepare(); \$sql is assembled from hardcoded SQL fragments with ? placeholders and explicit (int) LIMIT/OFFSET casts. User values are bound via bind_param, never interpolated. Semgrep cannot see through the WHERE-builder logic. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>