
Update Drupal core to v8.4.5 (via Composer)
author Chris Cannam
date Fri, 23 Feb 2018 15:52:07 +0000
parents 4c8ae668cc8c
children 129ea1e6d783
Chris@0 1 <?php
/**
 * Drupal_Sniffs_Semantics_PregSecuritySniff.
 *
 * @category PHP
 * @package  PHP_CodeSniffer
 * @link     http://pear.php.net/package/PHP_CodeSniffer
 */

/**
 * Checks the usage of the preg functions to ensure the insecure /e flag isn't
 * used: https://www.drupal.org/node/750148
 *
 * @category PHP
 * @package  PHP_CodeSniffer
 * @link     http://pear.php.net/package/PHP_CodeSniffer
 */
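class Drupal_Sniffs_Semantics_PregSecuritySniff extends Drupal_Sniffs_Semantics_FunctionCall
{


    /**
     * Returns an array of function names this test wants to listen for.
     *
     * @return array
     */
    public function registerFunctionNames()
    {
        return array(
                'preg_filter',
                'preg_grep',
                'preg_match',
                'preg_match_all',
                'preg_replace',
                'preg_replace_callback',
                'preg_split',
               );

    }//end registerFunctionNames()


    /**
     * Processes this function call.
     *
     * Only a literal string passed as the first argument is inspected; a
     * pattern held in a variable or built by concatenation is not checked.
     *
     * @param PHP_CodeSniffer_File $phpcsFile    The file being scanned.
     * @param int                  $stackPtr     The position of the function call in
     *                                           the stack.
     * @param int                  $openBracket  The position of the opening
     *                                           parenthesis in the stack.
     * @param int                  $closeBracket The position of the closing
     *                                           parenthesis in the stack.
     *
     * @return void
     */
    public function processFunctionCall(
        PHP_CodeSniffer_File $phpcsFile,
        $stackPtr,
        $openBracket,
        $closeBracket
    ) {
        $tokens   = $phpcsFile->getTokens();
        $argument = $this->getArgument(1);

        if ($argument === false) {
            return;
        }

        if ($tokens[$argument['start']]['code'] !== T_CONSTANT_ENCAPSED_STRING) {
            // Not a string literal.
            // @TODO: Extend code to recognize patterns in variables.
            return;
        }

        $pattern = $tokens[$argument['start']]['content'];
        if ($this->patternHasEFlag($pattern) === true) {
            $warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148';
            $phpcsFile->addError(
                $warn,
                $argument['start'],
                'PregEFlag',
                array($tokens[$stackPtr]['content'])
            );
        }

    }//end processFunctionCall()


    /**
     * Checks whether a quoted PCRE pattern literal carries the e modifier.
     *
     * The e modifier made preg_replace() evaluate the replacement as PHP
     * code, which is why its presence is reported as an error.
     *
     * @param string $literal The string token content, including the
     *                        enclosing quotes.
     *
     * @return bool
     */
    private function patternHasEFlag($literal)
    {
        $quote = substr($literal, 0, 1);
        if ($quote !== '"' && $quote !== "'") {
            // Only single or double quoted literals are inspected.
            return false;
        }

        // Drop the enclosing quotes so the modifiers end at the end of the string.
        $body = substr($literal, 1, -1);
        if ($body === false || $body === '') {
            return false;
        }

        // The opening delimiter is the first character of the pattern. PCRE
        // also accepts bracket-style delimiters, whose closing partner differs
        // from the opening one; matching on the opening character alone would
        // miss a pattern such as '{...}e'.
        $open  = $body[0];
        $pairs = array(
                  '(' => ')',
                  '[' => ']',
                  '{' => '}',
                  '<' => '>',
                 );
        $close = $open;
        if (isset($pairs[$open]) === true) {
            $close = $pairs[$open];
        }

        // Modifiers are the word characters following the final closing
        // delimiter; look for an e anywhere in that trailing run.
        $regex = '/'.preg_quote($close, '/').'\w*e\w*$/';

        return preg_match($regex, $body) === 1;

    }//end patternHasEFlag()


}//end class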