Mercurial > hg > isophonics-drupal-site
comparison vendor/drupal/coder/coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children | 129ea1e6d783 |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:4c8ae668cc8c |
|---|---|
| 1 <?php | |
| 2 /** | |
| 3 * Drupal_Sniffs_Semantics_PregSecuritySniff. | |
| 4 * | |
| 5 * @category PHP | |
| 6 * @package PHP_CodeSniffer | |
| 7 * @link http://pear.php.net/package/PHP_CodeSniffer | |
| 8 */ | |
| 9 | |
| 10 /** | |
| 11 * Check the usage of the preg functions to ensure the insecure /e flag isn't | |
| 12 * used: https://www.drupal.org/node/750148 | |
| 13 * | |
| 14 * @category PHP | |
| 15 * @package PHP_CodeSniffer | |
| 16 * @link http://pear.php.net/package/PHP_CodeSniffer | |
| 17 */ | |
| 18 class Drupal_Sniffs_Semantics_PregSecuritySniff extends Drupal_Sniffs_Semantics_FunctionCall | |
| 19 { | |
| 20 | |
| 21 | |
| 22 /** | |
| 23 * Returns an array of function names this test wants to listen for. | |
| 24 * | |
| 25 * @return array | |
| 26 */ | |
| 27 public function registerFunctionNames() | |
| 28 { | |
| 29 return array( | |
| 30 'preg_filter', | |
| 31 'preg_grep', | |
| 32 'preg_match', | |
| 33 'preg_match_all', | |
| 34 'preg_replace', | |
| 35 'preg_replace_callback', | |
| 36 'preg_split', | |
| 37 ); | |
| 38 | |
| 39 }//end registerFunctionNames() | |
| 40 | |
| 41 | |
| 42 /** | |
| 43 * Processes this function call. | |
| 44 * | |
| 45 * @param PHP_CodeSniffer_File $phpcsFile The file being scanned. | |
| 46 * @param int $stackPtr The position of the function call in | |
| 47 * the stack. | |
| 48 * @param int $openBracket The position of the opening | |
| 49 * parenthesis in the stack. | |
| 50 * @param int $closeBracket The position of the closing | |
| 51 * parenthesis in the stack. | |
| 52 * | |
| 53 * @return void | |
| 54 */ | |
| 55 public function processFunctionCall( | |
| 56 PHP_CodeSniffer_File $phpcsFile, | |
| 57 $stackPtr, | |
| 58 $openBracket, | |
| 59 $closeBracket | |
| 60 ) { | |
| 61 $tokens = $phpcsFile->getTokens(); | |
| 62 $argument = $this->getArgument(1); | |
| 63 | |
| 64 if ($argument === false) { | |
| 65 return; | |
| 66 } | |
| 67 | |
| 68 if ($tokens[$argument['start']]['code'] !== T_CONSTANT_ENCAPSED_STRING) { | |
| 69 // Not a string literal. | |
| 70 // @TODO: Extend code to recognize patterns in variables. | |
| 71 return; | |
| 72 } | |
| 73 | |
| 74 $pattern = $tokens[$argument['start']]['content']; | |
| 75 $quote = substr($pattern, 0, 1); | |
| 76 // Check that the pattern is a string. | |
| 77 if ($quote === '"' || $quote === "'") { | |
| 78 // Get the delimiter - first char after the enclosing quotes. | |
| 79 $delimiter = preg_quote(substr($pattern, 1, 1), '/'); | |
| 80 // Check if there is the evil e flag. | |
| 81 if (preg_match('/'.$delimiter.'[\w]{0,}e[\w]{0,}$/', substr($pattern, 0, -1)) === 1) { | |
| 82 $warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148'; | |
| 83 $phpcsFile->addError( | |
| 84 $warn, | |
| 85 $argument['start'], | |
| 86 'PregEFlag', | |
| 87 array($tokens[$stackPtr]['content']) | |
| 88 ); | |
| 89 return; | |
| 90 } | |
| 91 } | |
| 92 | |
| 93 }//end processFunctionCall() | |
| 94 | |
| 95 | |
| 96 }//end class |