public function PregSecuritySniff::processFunctionCall in Coder 8.3
Same name and namespace in other branches
- 8.2 coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php \Drupal\Sniffs\Semantics\PregSecuritySniff::processFunctionCall()
- 8.3.x coder_sniffer/Drupal/Sniffs/Semantics/PregSecuritySniff.php \Drupal\Sniffs\Semantics\PregSecuritySniff::processFunctionCall()
Processes this function call.
Parameters
\PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.:
int $stackPtr The position of the function call in: the stack.
int $openBracket The position of the opening: parenthesis in the stack.
int $closeBracket The position of the closing: parenthesis in the stack.
Return value
void
File
- coder_sniffer/
Drupal/ Sniffs/ Semantics/ PregSecuritySniff.php, line 59
Class
- PregSecuritySniff
- Check the usage of the preg functions to ensure the insecure /e flag isn't used: https://www.drupal.org/node/750148
Namespace
Drupal\Sniffs\SemanticsCode
public function processFunctionCall(File $phpcsFile, $stackPtr, $openBracket, $closeBracket) {
$tokens = $phpcsFile
->getTokens();
$argument = $this
->getArgument(1);
if ($argument === false) {
return;
}
if ($tokens[$argument['start']]['code'] !== T_CONSTANT_ENCAPSED_STRING) {
// Not a string literal.
// @TODO: Extend code to recognize patterns in variables.
return;
}
$pattern = $tokens[$argument['start']]['content'];
$quote = substr($pattern, 0, 1);
// Check that the pattern is a string.
if ($quote === '"' || $quote === "'") {
// Get the delimiter - first char after the enclosing quotes.
$delimiter = preg_quote(substr($pattern, 1, 1), '/');
// Check if there is the evil e flag.
if (preg_match('/' . $delimiter . '[\\w]{0,}e[\\w]{0,}$/', substr($pattern, 0, -1)) === 1) {
$warn = 'Using the e flag in %s is a possible security risk. For details see https://www.drupal.org/node/750148';
$phpcsFile
->addError($warn, $argument['start'], 'PregEFlag', [
$tokens[$stackPtr]['content'],
]);
return;
}
}
}