Merge pull request #1675 from WordPress-Coding-Standards/feature/validatedsanitizedinput-allow-validate-using-key-exists

GaryJones · web-flow · commit 1a2b77755933 · 2019-04-01T05:36:43.000+01:00
ValidatedSanitizedInput: allow for validation using key_exists()
diff --git a/WordPress/Sniff.php b/WordPress/Sniff.php
@@ -252,7 +252,6 @@ abstract class Sniff implements PHPCS_Sniff {
 	 */
 	protected $sanitizingFunctions = array(
 		'_wp_handle_upload'          => true,
-		'array_key_exists'           => true,
 		'esc_url_raw'                => true,
 		'filter_input'               => true,
 		'filter_var'                 => true,
@@ -1437,8 +1436,8 @@ protected function has_nonce_check( $stackPtr ) {
 	 * Check if a token is inside of an isset(), empty() or array_key_exists() statement.
 	 *
 	 * @since 0.5.0
-	 * @since 2.0.1 Now checks for the token being used as the array parameter
-	 *              in function calls to array_key_exists() as well.
+	 * @since 2.1.0 Now checks for the token being used as the array parameter
+	 *              in function calls to array_key_exists() and key_exists() as well.
 	 *
 	 * @param int $stackPtr The index of the token in the stack.
 	 *
@@ -1465,7 +1464,12 @@ protected function is_in_isset_or_empty( $stackPtr ) {
 			return true;
 		}
 
-		$functionPtr = $this->is_in_function_call( $stackPtr, array( 'array_key_exists' => true ) );
+		$valid_functions = array(
+			'array_key_exists' => true,
+			'key_exists'       => true, // Alias.
+		);
+
+		$functionPtr = $this->is_in_function_call( $stackPtr, $valid_functions );
 		if ( false !== $functionPtr ) {
 			$second_param = $this->get_function_call_parameter( $functionPtr, 2 );
 			if ( $stackPtr >= $second_param['start'] && $stackPtr <= $second_param['end'] ) {
@@ -1845,7 +1849,8 @@ protected function get_array_access_key( $stackPtr ) {
 	}
 
 	/**
-	 * Check if the existence of a variable is validated with isset(), empty() or array_key_exists().
+	 * Check if the existence of a variable is validated with isset(), empty(), array_key_exists()
+	 * or key_exists().
 	 *
 	 * When $in_condition_only is false, (which is the default), this is considered
 	 * valid:
@@ -1868,7 +1873,7 @@ protected function get_array_access_key( $stackPtr ) {
 	 * ```
 	 *
 	 * @since 0.5.0
-	 * @since 2.0.1 Now recognizes array_key_exists() as a validation function.
+	 * @since 2.1.0 Now recognizes array_key_exists() and key_exists() as validation functions.
 	 *
 	 * @param int    $stackPtr          The index of this token in the stack.
 	 * @param string $array_key         An array key to check for ("bar" in $foo['bar']).
@@ -1982,8 +1987,10 @@ protected function is_validated( $stackPtr, $array_key = null, $in_condition_onl
 					break;
 
 				case 'function_call':
-					// Only check calls to array_key_exists().
-					if ( 'array_key_exists' !== $this->tokens[ $i ]['content'] ) {
+					// Only check calls to array_key_exists() and key_exists().
+					if ( 'array_key_exists' !== $this->tokens[ $i ]['content']
+						&& 'key_exists' !== $this->tokens[ $i ]['content']
+					) {
 						continue 2;
 					}
 
diff --git a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc
@@ -225,3 +225,8 @@ function test_more_safe_functions() {
 	$float = doubleval( $_GET['test'] ); // OK.
 	$count = count( $_GET['test'] ); // Issue #1659; OK.
 }
+
+function test_allow_array_key_exists_alias() {
+	if ( key_exists( 'my_field1', $_POST ) ) {
+	$id = (int) $_POST['my_field1']; // OK.
+}

Original file line number	Diff line number	Diff line change
`@@ -225,3 +225,8 @@ function test_more_safe_functions() {`
`225`	`225`	`$float = doubleval( $_GET['test'] ); // OK.`
`226`	`226`	`$count = count( $_GET['test'] ); // Issue #1659; OK.`
`227`	`227`	`}`
	`228`	`+`
	`229`	`+function test_allow_array_key_exists_alias() {`
	`230`	`+ if ( key_exists( 'my_field1', $_POST ) ) {`
	`231`	`+ $id = (int) $_POST['my_field1']; // OK.`
	`232`	`+}`