
Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
Chris@0 1 <?php
Chris@0 2 /**
Chris@17 3 * \Drupal\Sniffs\Semantics\PregSecuritySniff.
Chris@0 4 *
Chris@0 5 * @category PHP
Chris@0 6 * @package PHP_CodeSniffer
Chris@0 7 * @link http://pear.php.net/package/PHP_CodeSniffer
Chris@0 8 */
Chris@0 9
Chris@17 10 namespace Drupal\Sniffs\Semantics;
Chris@17 11
Chris@17 12 use Drupal\Sniffs\Semantics\FunctionCall;
Chris@17 13 use PHP_CodeSniffer\Files\File;
Chris@17 14
Chris@0 15 /**
Chris@0 16 * Check the usage of the preg functions to ensure the insecure /e flag isn't
Chris@0 17 * used: https://www.drupal.org/node/750148
Chris@0 18 *
Chris@0 19 * @category PHP
Chris@0 20 * @package PHP_CodeSniffer
Chris@0 21 * @link http://pear.php.net/package/PHP_CodeSniffer
Chris@0 22 */
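class PregSecuritySniff extends FunctionCall
{

    /**
     * Closing delimiter for each bracket-style opening delimiter.
     *
     * PCRE accepts a bracket pair as the pattern delimiter; in that case the
     * modifier flags follow the closing bracket, not the opening one, so the
     * flag check has to look for the closing character.
     *
     * @var array
     */
    private static $bracketDelimiters = [
        '(' => ')',
        '[' => ']',
        '{' => '}',
        '<' => '>',
    ];


    /**
     * Returns an array of function names this test wants to listen for.
     *
     * @return array
     */
    public function registerFunctionNames()
    {
        return [
            'preg_filter',
            'preg_grep',
            'preg_match',
            'preg_match_all',
            'preg_replace',
            'preg_replace_callback',
            'preg_split',
        ];

    }//end registerFunctionNames()


    /**
     * Processes this function call.
     *
     * Reports an error when the first argument is a string literal whose
     * trailing modifier group contains the e flag.
     *
     * @param \PHP_CodeSniffer\Files\File $phpcsFile    The file being scanned.
     * @param int                         $stackPtr     The position of the function call in
     *                                                  the stack.
     * @param int                         $openBracket  The position of the opening
     *                                                  parenthesis in the stack.
     * @param int                         $closeBracket The position of the closing
     *                                                  parenthesis in the stack.
     *
     * @return void
     */
    public function processFunctionCall(
        File $phpcsFile,
        $stackPtr,
        $openBracket,
        $closeBracket
    ) {
        $tokens   = $phpcsFile->getTokens();
        $argument = $this->getArgument(1);

        if ($argument === false) {
            // No first argument, so there is no pattern to inspect.
            return;
        }

        $patternToken = $tokens[$argument['start']];
        if ($patternToken['code'] !== T_CONSTANT_ENCAPSED_STRING) {
            // Not a string literal.
            // @TODO: Extend code to recognize patterns in variables.
            return;
        }

        if ($this->patternUsesEFlag($patternToken['content']) === false) {
            return;
        }

        $warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148';
        $phpcsFile->addError(
            $warn,
            $argument['start'],
            'PregEFlag',
            [$tokens[$stackPtr]['content']]
        );

    }//end processFunctionCall()


    /**
     * Checks whether a string literal holds a regex that uses the e modifier.
     *
     * @param string $literal The raw token content, including the enclosing
     *                        quotes and an optional leading b/B binary prefix.
     *
     * @return bool True when the modifiers after the closing delimiter contain e.
     */
    private function patternUsesEFlag($literal)
    {
        // A binary string literal keeps its b prefix in the token content;
        // drop it so the quote check below still sees the opening quote.
        $prefix = substr($literal, 0, 1);
        if ($prefix === 'b' || $prefix === 'B') {
            $literal = substr($literal, 1);
        }

        $quote = substr($literal, 0, 1);
        if ($quote !== '"' && $quote !== "'") {
            return false;
        }

        // Strip the enclosing quotes. PCRE skips leading whitespace before
        // the delimiter, so do the same to find the real delimiter.
        $pattern = ltrim((string) substr($literal, 1, -1));
        if ($pattern === '') {
            return false;
        }

        // The delimiter is the first character; for a bracket delimiter the
        // flags follow the matching closing bracket instead.
        $opening = substr($pattern, 0, 1);
        $closing = $opening;
        if (isset(self::$bracketDelimiters[$opening]) === true) {
            $closing = self::$bracketDelimiters[$opening];
        }

        $delimiter = preg_quote($closing, '/');

        // The modifiers are the run of word characters after the final
        // delimiter; the D flag keeps $ anchored at the very end so a
        // trailing newline inside the literal cannot be skipped over.
        return preg_match('/'.$delimiter.'\w*e\w*$/D', $pattern) === 1;

    }//end patternUsesEFlag()


}//end class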