Help with tainted cookie

[molbi]

Hello to all, we've enabled gitbuh action to check for tainted code in our codebase. We got a lot of errors and iam trying to fix them but i cant find out how to do it for one specific case.

We ahve this method where $referrer string is coming from $_GET attribute

    public static function setCookie(string $referrer): void
    {
        $cookieExpire = time() + 24 * 3600 * 30;
        $cookieValue = 'referrer=' . $referrer;
        $_COOKIE[self::COOKIE_NAME] = $cookieValue;
        setcookie(self::COOKIE_NAME, $cookieValue, $cookieExpire, '/', Config::get('tracking.cookiedomain'));
    }

Here is code where we call method above.

 $referrer = trim($_GET["ref"] ?? $_GET["referrer"] ?? '');

    if (!empty($referrer) && $_pond_rvar_page != 'xml_search') {
        \Pond\Affiliate\Referral::setCookie($referrer);
....

I understand that $_GET has to be sanitized or escaped. I tried used filter_var with SANITIZE_STRING everywhere. Directly in for each $_GET, then also added in that setCookie method for each variable and stil iam getting Tainted cookie.

Can anyone help me to understand when the Psalm is happy? I kind of have feeling that string needs to be handled differently?

Thanks