1 <?php
/**
 * \Drupal\Sniffs\Semantics\PregSecuritySniff.
 *
 * @category PHP
 * @package PHP_CodeSniffer
 * @link http://pear.php.net/package/PHP_CodeSniffer
 */
9
10 namespace Drupal\Sniffs\Semantics;
11
12 use Drupal\Sniffs\Semantics\FunctionCall;
13 use PHP_CodeSniffer\Files\File;
14
/**
 * Checks calls to the preg functions to ensure the insecure /e modifier is not
 * used: https://www.drupal.org/node/750148
 *
 * @category PHP
 * @package PHP_CodeSniffer
 * @link http://pear.php.net/package/PHP_CodeSniffer
 */
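class PregSecuritySniff extends FunctionCall
{


    /**
     * Returns an array of function names this test wants to listen for.
     *
     * @return array
     */
    public function registerFunctionNames()
    {
        return [
            'preg_filter',
            'preg_grep',
            'preg_match',
            'preg_match_all',
            'preg_replace',
            'preg_replace_callback',
            'preg_split',
        ];

    }//end registerFunctionNames()


    /**
     * Processes this function call.
     *
     * Raises the PregEFlag error when the first argument of the call is a
     * string literal whose modifier list contains "e" (the modifier that made
     * preg_replace() evaluate the replacement as PHP code).
     *
     * @param \PHP_CodeSniffer\Files\File $phpcsFile    The file being scanned.
     * @param int                         $stackPtr     The position of the function call in
     *                                                  the stack.
     * @param int                         $openBracket  The position of the opening
     *                                                  parenthesis in the stack (unused here,
     *                                                  part of the FunctionCall contract).
     * @param int                         $closeBracket The position of the closing
     *                                                  parenthesis in the stack (unused here).
     *
     * @return void
     */
    public function processFunctionCall(
        File $phpcsFile,
        $stackPtr,
        $openBracket,
        $closeBracket
    ) {
        $tokens   = $phpcsFile->getTokens();
        $argument = $this->getArgument(1);

        // No pattern argument at all: nothing to inspect.
        if ($argument === false) {
            return;
        }

        if ($tokens[$argument['start']]['code'] !== T_CONSTANT_ENCAPSED_STRING) {
            // Not a string literal.
            // @TODO: Extend code to recognize patterns in variables.
            return;
        }

        // Raw source text of the literal, enclosing quotes included.
        $pattern = $tokens[$argument['start']]['content'];
        if (self::literalHasEModifier($pattern) === false) {
            return;
        }

        $warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148';
        $phpcsFile->addError(
            $warn,
            $argument['start'],
            'PregEFlag',
            [$tokens[$stackPtr]['content']]
        );

    }//end processFunctionCall()


    /**
     * Checks whether a quoted pattern literal carries the "e" modifier.
     *
     * The modifier list is everything between the closing delimiter and the
     * closing quote. PCRE accepts bracket-style delimiters ("(", "[", "{", "<")
     * whose closing character differs from the opening one, so the sniff has
     * to look for the matching closing bracket rather than the first
     * character of the pattern; otherwise patterns such as '{foo}e' would
     * slip through.
     *
     * @param string $literal The string literal exactly as written in the
     *                        source, including its enclosing quotes.
     *
     * @return bool
     */
    private static function literalHasEModifier($literal)
    {
        $quote = substr($literal, 0, 1);
        // Only plain single- or double-quoted literals are understood.
        if ($quote !== '"' && $quote !== "'") {
            return false;
        }

        // The delimiter is the first char after the opening quote; for
        // bracket delimiters the modifiers follow the closing counterpart.
        $brackets = [
            '(' => ')',
            '[' => ']',
            '{' => '}',
            '<' => '>',
        ];
        $opening = substr($literal, 1, 1);
        $closing = isset($brackets[$opening]) ? $brackets[$opening] : $opening;

        // Drop the closing quote so "$" anchors at the end of the modifiers,
        // then look for an "e" anywhere in the modifier list.
        $delimiter = preg_quote($closing, '/');
        $body      = substr($literal, 0, -1);

        return preg_match('/'.$delimiter.'\w*e\w*$/', $body) === 1;

    }//end literalHasEModifier()


}//end class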