Mercurial > hg > isophonics-drupal-site
view vendor/drupal/coder/coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php @ 19:fa3358dc1485 tip
Add ndrum files
author | Chris Cannam |
---|---|
date | Wed, 28 Aug 2019 13:14:47 +0100 |
parents | 129ea1e6d783 |
children |
line wrap: on
line source
<?php /** * \Drupal\Sniffs\Semantics\PregSecuritySniff. * * @category PHP * @package PHP_CodeSniffer * @link http://pear.php.net/package/PHP_CodeSniffer */ namespace Drupal\Sniffs\Semantics; use Drupal\Sniffs\Semantics\FunctionCall; use PHP_CodeSniffer\Files\File; /** * Check the usage of the preg functions to ensure the insecure /e flag isn't * used: https://www.drupal.org/node/750148 * * @category PHP * @package PHP_CodeSniffer * @link http://pear.php.net/package/PHP_CodeSniffer */ class PregSecuritySniff extends FunctionCall { /** * Returns an array of function names this test wants to listen for. * * @return array */ public function registerFunctionNames() { return array( 'preg_filter', 'preg_grep', 'preg_match', 'preg_match_all', 'preg_replace', 'preg_replace_callback', 'preg_split', ); }//end registerFunctionNames() /** * Processes this function call. * * @param \PHP_CodeSniffer\Files\File $phpcsFile The file being scanned. * @param int $stackPtr The position of the function call in * the stack. * @param int $openBracket The position of the opening * parenthesis in the stack. * @param int $closeBracket The position of the closing * parenthesis in the stack. * * @return void */ public function processFunctionCall( File $phpcsFile, $stackPtr, $openBracket, $closeBracket ) { $tokens = $phpcsFile->getTokens(); $argument = $this->getArgument(1); if ($argument === false) { return; } if ($tokens[$argument['start']]['code'] !== T_CONSTANT_ENCAPSED_STRING) { // Not a string literal. // @TODO: Extend code to recognize patterns in variables. return; } $pattern = $tokens[$argument['start']]['content']; $quote = substr($pattern, 0, 1); // Check that the pattern is a string. if ($quote === '"' || $quote === "'") { // Get the delimiter - first char after the enclosing quotes. $delimiter = preg_quote(substr($pattern, 1, 1), '/'); // Check if there is the evil e flag. if (preg_match('/'.$delimiter.'[\w]{0,}e[\w]{0,}$/', substr($pattern, 0, -1)) === 1) { $warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148'; $phpcsFile->addError( $warn, $argument['start'], 'PregEFlag', array($tokens[$stackPtr]['content']) ); return; } } }//end processFunctionCall() }//end class