Merge pull request #107 from Automattic/flag-batcache-whitelisted-get-params

Adding sniff for flagging Batcache whitelisted GET params, which woul…

Author: david-binda

WordPressVIPMinimum/Sniffs/Cache/BatcacheWhitelistedParamsSniff.php

@@ -0,0 +1,113 @@
+<?php
+/**
+ * WordPress-VIP-Minimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ * @link https://github.com/Automattic/VIP-Coding-Standards
+ */
+
+namespace WordPressVIPMinimum\Sniffs\Cache;
+
+use PHP_CodeSniffer_File as File;
+use PHP_CodeSniffer_Tokens as Tokens;
+
+/**
+ * Checks whether proper escaping function is used.
+ *
+ *  @package VIPCS\WordPressVIPMinimum
+ */
+class BatcacheWhitelistedParamsSniff implements \PHP_CodeSniffer_Sniff {
+
+	/**
+	 * List of whitelisted batcache params.
+	 *
+	 * @var array
+	 */
+	public $whitelistes_batcache_params = array(
+		'hpt',
+		'eref',
+		'iref',
+		'fbid',
+		'om_rid',
+		'utm',
+		'utm_source',
+		'utm_content',
+		'utm_medium',
+		'utm_campaign',
+		'utm_term',
+		'fb_xd_bust',
+		'fb_xd_fragment',
+		'npt',
+		'module',
+		'iid',
+		'cid',
+		'icid',
+		'ncid',
+		'snapid',
+		'_',
+		'fb_ref',
+		'fb_source',
+		'omcamp',
+		'affiliate',
+		'utm_affiliate',
+		'utm_subid',
+		'utm_keyword',
+		'migAgencyId',
+		'migSource',
+		'migTrackDataExt',
+		'migRandom',
+		'migTrackFmtExt',
+		'bust',
+		'linkId',
+		'_ga',
+		'xid',
+		'hootPostID',
+		'pretty',
+		'__lsa',
+		'rpx_response',
+		'__rmid',
+		'sr_share',
+		'ia_share_url',
+	);
+
+	/**
+	 * Returns an array of tokens this test wants to listen for.
+	 *
+	 * @return array
+	 */
+	public function register() {
+		return array( T_VARIABLE );
+	}
+
+	/**
+	 * Process this test when one of its tokens is encountered
+	 *
+	 * @param \PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.
+	 * @param int                         $stackPtr  The position of the current token in the stack passed in $tokens.
+	 *
+	 * @return void
+	 */
+	public function process( File $phpcsFile, $stackPtr ) {
+
+		$tokens = $phpcsFile->getTokens();
+
+		if ( '$_GET' !== $tokens[ $stackPtr ]['content'] ) {
+			return;
+		}
+
+		$key = $phpcsFile->findNext( array_merge( Tokens::$emptyTokens, array( T_OPEN_SQUARE_BRACKET ) ), ( $stackPtr + 1 ), null, true );
+
+		if ( T_CONSTANT_ENCAPSED_STRING !== $tokens[ $key ]['code'] ) {
+			return;
+		}
+
+		$variable_name = $tokens[ $key ]['content'];
+
+		$variable_name = substr( $variable_name, 1, -1 );
+
+		if ( true === in_array( $variable_name, $this->whitelistes_batcache_params, true ) ) {
+			$phpcsFile->addWarning( sprintf( 'Batcache whitelisted GET param, %s, found. Batcache whitelisted parameters get stripped and are not available in PHP.', $variable_name ), $stackPtr, 'strippedGetParam' );
+			return;
+		}
+	}//end process()
+}

WordPressVIPMinimum/Tests/Cache/BatcacheWhitelistedParamsUnitTest.inc

@@ -0,0 +1,9 @@
+<?php
+
+if ( isset( $_GET['utm_medium'] ) && 'email' === $_GET["utm_medium"] ) { // 2 warnings.
+
+}
+
+$hello = $_GET['migSource']; // Warning.
+
+$hey = $_GET['ThisIsOkay']; // OK.

WordPressVIPMinimum/Tests/Cache/BatcacheWhitelistedParamsUnitTest.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Unit test class for WordPressVIPMinimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Tests\Cache;
+
+use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+
+/**
+ * Unit test class for the BatcacheWhitelistedParams sniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+class BatcacheWhitelistedParamsUnitTest extends AbstractSniffUnitTest {
+
+	/**
+	 * Returns the lines where errors should occur.
+	 *
+	 * @return array <int line number> => <int number of errors>
+	 */
+	public function getErrorList() {
+		return array();
+	}
+
+	/**
+	 * Returns the lines where warnings should occur.
+	 *
+	 * @return array <int line number> => <int number of warnings>
+	 */
+	public function getWarningList() {
+		return array(
+			3 => 2,
+			7 => 1,
+		);
+
+	}
+
+} // End class.

ruleset_test.inc

@@ -165,5 +165,7 @@ add_option( 'taxonomy_rating_' . $obj->term_id ); // Bad. Warning.
 
 echo "<a href='" . esc_attr( $some_var ) . "'></a>"; // NOK. Error.
 
+$hello = true === isset( $_GET['utm_medium'] ) ? true : false; // NOK. Warning 3 times.
+
 ?>
 

ruleset_test.php

@@ -49,7 +49,7 @@
 		133 => 1,
 		157 => 1,
 		166 => 1,
-		168 => 1, // Error on the end of the file. When any code is added, bounce this.
+		170 => 1, // Error on the end of the file. When any code is added, bounce this.
 	),
 	'warnings' => array(
 		9   => 1,
@@ -73,6 +73,7 @@
 		160 => 1,
 		162 => 1,
 		164 => 1,
+		168 => 1,
 	),
 	'messages' => array(
 		129 => array(