Merge pull request #172 from Automattic/fix-171/file_get_contents_mods

Fix 171/file get contents mods

Author: david-binda

WordPressVIPMinimum/Sniffs/Files/IncludingNonPHPFileSniff.php

@@ -0,0 +1,76 @@
+<?php
+/**
+ * WordPressVIPMinimum_Sniffs_Files_IncludingNonPHPFileSniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Sniffs\Files;
+
+use PHP_CodeSniffer_File as File;
+use PHP_CodeSniffer_Tokens as Tokens;
+
+/**
+ * WordPressVIPMinimum_Sniffs_Files_IncludingNonPHPFileSniff.
+ *
+ * Checks that __DIR__, dirname( __FILE__ ) or plugin_dir_path( __FILE__ )
+ * is used when including or requiring files.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+class IncludingNonPHPFileSniff implements \PHP_CodeSniffer_Sniff {
+
+	/**
+	 * Returns an array of tokens this test wants to listen for.
+	 *
+	 * @return array
+	 */
+	public function register() {
+		return Tokens::$includeTokens;
+
+	}//end register()
+
+
+	/**
+	 * Processes this test, when one of its tokens is encountered.
+	 *
+	 * @param \PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.
+	 * @param int                         $stackPtr  The position of the current token in the
+	 *                                               stack passed in $tokens.
+	 *
+	 * @return void
+	 */
+	public function process( File $phpcsFile, $stackPtr ) {
+		$tokens = $phpcsFile->getTokens();
+
+		$curStackPtr = $stackPtr;
+		while ( $curStackPtr = $phpcsFile->findNext( Tokens::$stringTokens, ( $curStackPtr + 1 ), null, false, null, true ) ) {
+
+			if ( T_CONSTANT_ENCAPSED_STRING === $tokens[ $curStackPtr ]['code'] ) {
+				$stringWithoutEnclosingQuotationMarks = trim( $tokens[ $curStackPtr ]['content'], "\"'" );
+			} else {
+				$stringWithoutEnclosingQuotationMarks = $tokens[ $curStackPtr ]['content'];
+			}
+
+			$isFileName = preg_match( '/.*(\.[a-z]{2,})$/i', $stringWithoutEnclosingQuotationMarks, $regexMatches );
+
+			if ( false === $isFileName || 0 === $isFileName ) {
+				continue;
+			}
+
+			$extension = $regexMatches[1];
+			if ( true === in_array( $extension, array( '.php', '.inc' ), true ) ) {
+				return;
+			}
+
+			if ( true === in_array( $extension, array( '.svg', '.css' ), true ) ) {
+				$phpcsFile->addError( sprintf( 'Local SVG and CSS files should be loaded via `get_file_contents` rather than via `%s`.', $tokens[ $stackPtr ]['content'] ), $curStackPtr, 'IncludingSVGCSSFile' );
+			} else {
+				$phpcsFile->addError( sprintf( 'Local non-PHP file should be loaded via `get_file_contents` rather than via `%s`', $tokens[ $stackPtr ]['content'] ), $curStackPtr, 'IncludingNonPHPFile' );
+			}
+		}
+
+	}//end process()
+
+
+}//end class

WordPressVIPMinimum/Sniffs/VIP/FetchingRemoteDataSniff.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * WordPress-VIP-Minimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ * @link https://github.com/Automattic/VIP-Coding-Standards
+ */
+
+namespace WordPressVIPMinimum\Sniffs\VIP;
+
+use PHP_CodeSniffer_File as File;
+use PHP_CodeSniffer_Tokens as Tokens;
+
+/**
+ * Restricts usage of rewrite rules flushing
+ *
+ *  @package VIPCS\WordPressVIPMinimum
+ */
+class FetchingRemoteDataSniff implements \PHP_CodeSniffer_Sniff {
+
+	/**
+	 * Returns an array of tokens this test wants to listen for.
+	 *
+	 * @return array
+	 */
+	public function register() {
+		return Tokens::$functionNameTokens;
+	}
+
+	/**
+	 * Process this test when one of its tokens is encountered.
+	 *
+	 * @param \PHP_CodeSniffer\Files\File $phpcsFile  The file being scanned.
+	 * @param int                         $stackPtr   The position of the current token in the stack passed in $tokens.
+	 *
+	 * @return void
+	 */
+	public function process( File $phpcsFile, $stackPtr ) {
+
+		$tokens = $phpcsFile->getTokens();
+
+		$functionName = $tokens[ $stackPtr ]['content'];
+		if ( 'file_get_contents' !== $functionName ) {
+			return;
+		}
+
+		$fileNameStackPtr = $phpcsFile->findNext( Tokens::$stringTokens, ( $stackPtr + 1 ), null, false, null, true );
+		if ( false === $fileNameStackPtr ) {
+			$phpcsFile->addWarning( sprintf( '`%s()` is highly discouraged for remote requests, please use `wpcom_vip_file_get_contents()` or `vip_safe_wp_remote_get()` instead.', $tokens[ $stackPtr ]['content'] ), $stackPtr, 'fileGetContentsUknown' );
+		}
+
+		$fileName = $tokens[ $fileNameStackPtr ]['content'];
+
+		$isRemoteFile = ( false !== strpos( $fileName, '://' ) );
+		if ( true === $isRemoteFile ) {
+			$phpcsFile->addWarning( sprintf( '`%s()` is highly discouraged for remote requests, please use `wpcom_vip_file_get_contents()` or `vip_safe_wp_remote_get()` instead.', $tokens[ $stackPtr ]['content'] ), $stackPtr, 'fileGetContentsRemoteFile' );
+		}
+	}
+
+}

WordPressVIPMinimum/Sniffs/VIP/RestrictedFunctionsSniff.php

@@ -102,6 +102,8 @@ public function getGroups() {
 			unset( $original_groups[ $restricted ] );
 		}
 
+		unset( $original_groups['file_get_contents'] );
+
 		return array_merge( $original_groups, $new_groups );
 
 	} // end getGroups().

WordPressVIPMinimum/Tests/Files/IncludingNonPHPFileUnitTest.inc

@@ -0,0 +1,53 @@
+<?php
+
+require_once __DIR__ . "/my_file.php"; // OK.
+
+require_once "my_file.php"; // OK.
+
+include( __DIR__ . "/my_file.php" ); // OK.
+
+include ( MY_CONSTANT . "my_file.php" ); // OK.
+
+require_once ( MY_CONSTANT . "my_file.php" ); // OK.
+
+include( locate_template('index-loop.php') ); // OK.
+
+require_once __DIR__ . "/my_file.svg"; // NOK.
+
+require_once "my_file.svg"; // NOK.
+
+include( __DIR__ . "/my_file.svg" ); // NOK.
+
+include ( MY_CONSTANT . "my_file.svg" ); // NOK.
+
+require_once ( MY_CONSTANT . "my_file.svg" ); // NOK.
+
+include( locate_template('index-loop.svg') ); // NOK.
+
+require_once __DIR__ . "/my_file.css"; // NOK.
+
+require_once "my_file.css"; // NOK.
+
+include( __DIR__ . "/my_file.css" ); // NOK.
+
+include ( MY_CONSTANT . "my_file.css" ); // NOK.
+
+require_once ( MY_CONSTANT . "my_file.css" ); // NOK.
+
+include( locate_template('index-loop.css') ); // NOK.
+
+require_once __DIR__ . "/my_file.csv"; // NOK.
+
+require_once "my_file.inc"; // OK.
+
+include( __DIR__ . "/my_file.csv" ); // NOK.
+
+include ( MY_CONSTANT . "my_file.csv" ); // NOK.
+
+require_once ( MY_CONSTANT . "my_file.csv" ); // NOK.
+
+include( locate_template('index-loop.csv') ); // NOK.
+
+echo file_get_contents( 'index-loop.svg' ); // XSS OK.
+
+echo file_get_contents( 'index-loop.css' ); // XSS OK.

WordPressVIPMinimum/Tests/Files/IncludingNonPHPFileUnitTest.php

@@ -0,0 +1,54 @@
+<?php
+/**
+ * Unit test class for WordPressVIPMinimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Tests\Files;
+
+use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+/**
+ * Unit test class for the IncludingFile sniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+class IncludingNonPHPFileUnitTest extends AbstractSniffUnitTest {
+
+	/**
+	 * Returns the lines where errors should occur.
+	 *
+	 * @return array <int line number> => <int number of errors>
+	 */
+	public function getErrorList() {
+		return array(
+			15 => 1,
+			17 => 1,
+			19 => 1,
+			21 => 1,
+			23 => 1,
+			25 => 1,
+			27 => 1,
+			29 => 1,
+			31 => 1,
+			33 => 1,
+			35 => 1,
+			37 => 1,
+			39 => 1,
+			43 => 1,
+			45 => 1,
+			47 => 1,
+			49 => 1,
+		);
+	}
+
+	/**
+	 * Returns the lines where warnings should occur.
+	 *
+	 * @return array <int line number> => <int number of warnings>
+	 */
+	public function getWarningList() {
+		return array();
+	}
+
+} // End class.

WordPressVIPMinimum/Tests/VIP/FetchingRemoteDataUnitTest.inc

@@ -0,0 +1,7 @@
+<?php
+
+$file_content = file_get_contents( 'my-file.css' ); // OK.
+
+$file_content = file_get_contents( 'my-file.svg' ); // OK.
+
+$external_resource = file_get_contents( 'https://example.com' ); // NOK.

WordPressVIPMinimum/Tests/VIP/FetchingRemoteDataUnitTest.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Unit test class for WordPressVIPMinimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Tests\VIP;
+
+use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+
+/**
+ * Unit test class for the ExitAfterRedirect sniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+class FetchingRemoteDataUnitTest extends AbstractSniffUnitTest {
+
+	/**
+	 * Returns the lines where errors should occur.
+	 *
+	 * @return array <int line number> => <int number of errors>
+	 */
+	public function getErrorList() {
+		return array();
+	}
+
+	/**
+	 * Returns the lines where warnings should occur.
+	 *
+	 * @return array <int line number> => <int number of warnings>
+	 */
+	public function getWarningList() {
+		return array(
+			7 => 1,
+		);
+
+	}
+
+} // End class.

WordPressVIPMinimum/ruleset.xml

@@ -105,7 +105,9 @@
 	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_json_encode-over-json_encode -->
 	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#filesystem-writes -->
 	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#remote-calls -->
-	<rule ref="WordPress.WP.AlternativeFunctions"/>
+	<rule ref="WordPress.WP.AlternativeFunctions">
+		<exclude name="WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents"/>
+	</rule>
 	<!-- VIP recommends other functions -->
 	<rule ref="WordPress.WP.AlternativeFunctions.curl">
 		<message>Using cURL functions is highly discouraged within VIP context. Check (Fetching Remote Data) on VIP Documentation.</message>
@@ -118,4 +120,4 @@
 		<type>error</type>
 		<message>`%1$s()` performs a no-LIMIT query by default, make sure to set a reasonable `posts_per_page`. `%1$s()` will do a -1 query by default, a maximum of 100 should be used.</message>
 	</rule>
-</ruleset>
+</ruleset>

ruleset_test.inc

@@ -171,5 +171,8 @@ wp_safe_redirect( 'https.//vip.wordpress.com' ); // NOK. Error.
 
 is_multi_author(); // NOK. Warning.
 
-?>
+include( 'non-php-file.svg' ); // NOK. Error. Including non-php file.
+
+echo file_get_contents( 'non-php-file.svg' ); // XSS OK. Preferred way of including SVG/CSS file. WP_Filesystem Warning.
 
+?> <!-- closing PHP tag should be omitted -->

ruleset_test.php

@@ -50,7 +50,7 @@
 		157 => 1,
 		166 => 1,
 		170 => 1,
-		174 => 1, // Error on the end of the file. When any code is added, bounce this.
+		174 => 1,
 	),
 	'warnings' => array(
 		9   => 1,
@@ -76,10 +76,11 @@
 		164 => 1,
 		168 => 1,
 		172 => 1,
+		176 => 1,
 	),
 	'messages' => array(
 		129 => array(
-			'get_children() performs a no-LIMIT query by default, make sure to set a reasonable posts_per_page. get_children() will do a -1 query by default, a maximum of 100 should be used.',
+			'`get_children()` performs a no-LIMIT query by default, make sure to set a reasonable `posts_per_page`. `get_children()` will do a -1 query by default, a maximum of 100 should be used.',
 		),
 	),
 );