Merge pull request #231 from rebeccahum/rebecca/restrictedfiltersniff

Add a sniff for "Restricted Filters"

WordPress-VIP-Go/ruleset.xml

@@ -104,6 +104,10 @@
 
 
 	<!-- Warnings and other things -->
+	<rule ref="WordPressVIPMinimum.Filters.RestrictedFilter.UploadMimes">
+		<type>warning</type>
+		<severity>10</severity>
+	</rule>
 	<rule ref="WordPressVIPMinimum.VIP.RestrictedFunctions.dbDelta_dbdelta">
 		<type>warning</type>
 		<severity>7</severity>

WordPressVIPMinimum/Sniffs/Filters/RestrictedHookSniff.php

@@ -0,0 +1,103 @@
+<?php
+/**
+ * WordPressVIPMinimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Sniffs\Filters;
+
+use WordPress\AbstractFunctionParameterSniff;
+
+/**
+ * This sniff restricts usage of some action and filter hooks.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ *
+ * @since 0.4.0
+ */
+class RestrictedHookSniff extends AbstractFunctionParameterSniff {
+
+	/**
+	 * The group name for this group of functions.
+	 *
+	 * @var string
+	 */
+	protected $group_name = 'restricted_hooks';
+
+	/**
+	 * Functions this sniff is looking for.
+	 *
+	 * @var array The only requirement for this array is that the top level
+	 *            array keys are the names of the functions you're looking for.
+	 *            Other than that, the array can have arbitrary content
+	 *            depending on your needs.
+	 */
+	protected $target_functions = [
+		'add_filter' => true,
+		'add_action' => true,
+	];
+
+	/**
+	 * List of restricted filter names.
+	 *
+	 * @var array
+	 */
+	private $restricted_hooks = [
+		'upload_mimes' => [
+			// TODO: This error message needs a link to the VIP Documentation, see https://github.com/Automattic/VIP-Coding-Standards/issues/235.
+			'error'     => 'Please ensure that the mimes being filtered do not include insecure types (i.e. SVG, SWF, etc.). Manual inspection required.',
+			'error_code' => 'UploadMimes',
+		],
+	];
+
+	/**
+	 * Process the parameters of a matched function.
+	 *
+	 * @param int    $stackPtr        The position of the current token in the stack.
+	 * @param array  $group_name      The name of the group which was matched.
+	 * @param string $matched_content The token content (function name) which was matched.
+	 * @param array  $parameters      Array with information about the parameters.
+	 * @return int|void Integer stack pointer to skip forward or void to continue
+	 *                  normal file processing.
+	 */
+	public function process_parameters( $stackPtr, $group_name, $matched_content, $parameters ) {
+		foreach ( $this->restricted_hooks as $restricted_hook => $hook_args ) {
+			if ( $this->normalize_hook_name_from_parameter( $parameters[1] ) === $restricted_hook ) {
+				$this->phpcsFile->addWarning( $hook_args['error'], $stackPtr, $hook_args['error_code'] );
+			}
+		}
+	}
+
+	/**
+	 * Normalize hook name parameter.
+	 *
+	 * @param array $parameter Array with information about a parameter.
+	 * @return string Normalized hook name.
+	 */
+	private function normalize_hook_name_from_parameter( $parameter ) {
+		// If concatenation is found, build hook name.
+		$concat_ptr = $this->phpcsFile->findNext(
+			T_STRING_CONCAT,
+			$parameter['start'],
+			$parameter['end'],
+			false,
+			null,
+			true
+		);
+
+		if ( $concat_ptr ) {
+			$hook_name = '';
+			for ( $i = $parameter['start'] + 1; $i < $parameter['end']; $i++ ) {
+				if ( T_CONSTANT_ENCAPSED_STRING === $this->tokens[ $i ]['code'] ) {
+					$hook_name .= str_replace( [ "'", '"' ], '', $this->tokens[ $i ]['content'] );
+				}
+			}
+		} else {
+			$hook_name = $parameter['raw'];
+		}
+
+		// Remove quotes (double and single), and use lowercase.
+		return strtolower( str_replace( [ "'", '"' ], '', $hook_name ) );
+	}
+}

WordPressVIPMinimum/Tests/Filters/RestrictedHookUnitTest.inc

@@ -0,0 +1,19 @@
+<?php
+
+add_filter( 'upload_mime', 'good_example_function' ); // Ok.
+add_filter( 'upload_mimesX', 'good_example_function' ); // Ok.
+
+// Warnings.
+add_filter( 'upload_mimes', 'bad_example_function' ); // Simple string.
+add_filter('upload_mimes' ,'bad_example_function'); // Incorrect spacing.
+add_filter(  'upload_mimes','bad_example_function'); // Incorrect spacing.
+add_filter( "upload_mimes" ,'bad_example_function'); // Double quotes.
+add_filter( 'upLoad_mimeS' ,'bad_example_function'); // Uppercase characters.
+add_filter( 'upload_' . 'mimes' ,'bad_example_function'); // Single concatenation.
+add_filter( 'upl' . 'oad_' . 'mimes' ,'bad_example_function'); // Multiple concatenation.
+add_filter( "upload_" . 'mimes' ,'bad_example_function'); // Single concatenation with double and single quotes.
+add_filter( 'upl' . "oad_" . "mimes" ,'bad_example_function'); // Multiple concatenation with double and single quotes.
+add_filter( 'upload_mimes', function() { // Anonymous callback.
+	// Do stuff.
+});
+add_action( 'upload_mimes', 'bad_example_function' ); // Check `add_action()`, which is an alias for `add_filter()`.

WordPressVIPMinimum/Tests/Filters/RestrictedHookUnitTest.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Unit test class for WordPressVIPMinimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Tests\Filters;
+
+use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+/**
+ * Unit test class for the Filters/RestrictedHook sniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ *
+ * @since 0.4.0
+ */
+class RestrictedHookUnitTest extends AbstractSniffUnitTest {
+
+	/**
+	 * Returns the lines where errors should occur.
+	 *
+	 * @return array <int line number> => <int number of errors>
+	 */
+	public function getErrorList() {
+		return array();
+	}
+
+	/**
+	 * Returns the lines where warnings should occur.
+	 *
+	 * @return array <int line number> => <int number of warnings>
+	 */
+	public function getWarningList() {
+		return array(
+			7 => 1,
+			8 => 1,
+			9 => 1,
+			10 => 1,
+			11 => 1,
+			12 => 1,
+			13 => 1,
+			14 => 1,
+			15 => 1,
+			16 => 1,
+			19 => 1,
+		);
+	}
+
+}