Merge pull request #1679 from WordPress-Coding-Standards/feature/1660-1618-validatedsanitizedinput-recognize-more-array-walking-functions

Sniff::is_sanitized(): allow for map_deep() to sanitize arrays

Author: GaryJones

WordPress/Sniff.php

@@ -361,6 +361,25 @@ abstract class Sniff implements PHPCS_Sniff {
 		\T_BOOL_CAST   => true,
 	);
 
+	/**
+	 * List of array functions which apply a callback to the array.
+	 *
+	 * These are often used for sanitization/escaping an array variable.
+	 *
+	 * Note: functions which alter the array by reference are not listed here on purpose.
+	 * These cannot easily be used for sanitization as they can't be combined with unslashing.
+	 * Similarly, they cannot be used for late escaping as the return value is a boolean, not
+	 * the altered array.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @var array <string function name> => <int parameter position of the callback parameter>
+	 */
+	protected $arrayWalkingFunctions = array(
+		'array_map' => 1,
+		'map_deep'  => 2,
+	);
+
 	/**
 	 * Functions that format strings.
 	 *
@@ -1789,8 +1808,8 @@ protected function is_sanitized( $stackPtr, $require_unslash = false ) {
 
 		$valid_functions               = $this->sanitizingFunctions;
 		$valid_functions              += $this->unslashingSanitizingFunctions;
+		$valid_functions              += $this->arrayWalkingFunctions;
 		$valid_functions['wp_unslash'] = true;
-		$valid_functions['array_map']  = true;
 
 		$functionPtr = $this->is_in_function_call( $stackPtr, $valid_functions );
 
@@ -1825,11 +1844,11 @@ protected function is_sanitized( $stackPtr, $require_unslash = false ) {
 			$is_unslashed = false;
 		}
 
-		// Arrays might be sanitized via array_map().
-		if ( 'array_map' === $functionName ) {
+		// Arrays might be sanitized via an array walking function using a callback.
+		if ( isset( $this->arrayWalkingFunctions[ $functionName ] ) ) {
 
-			// Get the first parameter.
-			$callback = $this->get_function_call_parameter( $functionPtr, 1 );
+			// Get the callback parameter.
+			$callback = $this->get_function_call_parameter( $functionPtr, $this->arrayWalkingFunctions[ $functionName ] );
 
 			if ( ! empty( $callback ) ) {
 				/*

WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc

@@ -267,3 +267,12 @@ function test_ignoring_is_type_function_calls() {
 	if ( array_key_exists( 'null', $_GET ) && ! is_null( $_GET['null'] ) ) {} // OK.
 	if ( array_key_exists( 'null', $_POST ) && $_POST['null'] !== null ) {} // OK.
 }
+
+function test_additional_array_walking_functions() {
+	if ( ! isset( $_GET['test'] ) ) {
+		return;
+	}
+
+	$sane = map_deep( wp_unslash( $_GET['test'] ), 'sanitize_text_field' ); // Ok.
+	$sane = map_deep( wp_unslash( $_GET['test'] ), 'foo' ); // Bad.
+}

WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php

@@ -66,6 +66,7 @@ public function getErrorList() {
 			251 => 1,
 			257 => 1,
 			266 => 1,
+			277 => 1,
 		);
 	}