You are here

public function PregSecuritySniff::processFunctionCall in Coder 8.2

Same name and namespace in other branches
  1. 8.3 coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php \Drupal\Sniffs\Semantics\PregSecuritySniff::processFunctionCall()
  2. 8.3.x coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php \Drupal\Sniffs\Semantics\PregSecuritySniff::processFunctionCall()

Processes this function call.

Parameters

\PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.:

int $stackPtr The position of the function call in: the stack.

int $openBracket The position of the opening: parenthesis in the stack.

int $closeBracket The position of the closing: parenthesis in the stack.

Return value

void

File

coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php, line 60

Class

PregSecuritySniff
Check the usage of the preg functions to ensure the insecure /e flag isn't used: https://www.drupal.org/node/750148

Namespace

Drupal\Sniffs\Semantics

Code

public function processFunctionCall(File $phpcsFile, $stackPtr, $openBracket, $closeBracket) {
  $tokens = $phpcsFile
    ->getTokens();
  $argument = $this
    ->getArgument(1);
  if ($argument === false) {
    return;
  }
  if ($tokens[$argument['start']]['code'] !== T_CONSTANT_ENCAPSED_STRING) {

    // Not a string literal.
    // @TODO: Extend code to recognize patterns in variables.
    return;
  }
  $pattern = $tokens[$argument['start']]['content'];
  $quote = substr($pattern, 0, 1);

  // Check that the pattern is a string.
  if ($quote === '"' || $quote === "'") {

    // Get the delimiter - first char after the enclosing quotes.
    $delimiter = preg_quote(substr($pattern, 1, 1), '/');

    // Check if there is the evil e flag.
    if (preg_match('/' . $delimiter . '[\\w]{0,}e[\\w]{0,}$/', substr($pattern, 0, -1)) === 1) {
      $warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148';
      $phpcsFile
        ->addError($warn, $argument['start'], 'PregEFlag', array(
        $tokens[$stackPtr]['content'],
      ));
      return;
    }
  }
}