Sniff::is_sanitized(): implement new is_in_function_call() method

This fixes potential false negatives when a method/namespaced function mirroring the name of the WP unslashing/sanitization functions would be used.

Includes unit test.

Author: jrfnl

WordPress/Sniff.php

@@ -1703,9 +1703,16 @@ protected function is_sanitized( $stackPtr, $require_unslash = false ) {
 			return true;
 		}
 
-		// If this isn't a call to a function, it sure isn't a sanitizing function.
-		if ( \T_STRING !== $this->tokens[ $functionPtr ]['code'] ) {
-			if ( $require_unslash ) {
+		$valid_functions               = $this->sanitizingFunctions;
+		$valid_functions              += $this->unslashingSanitizingFunctions;
+		$valid_functions['wp_unslash'] = true;
+		$valid_functions['array_map']  = true;
+
+		$functionPtr = $this->is_in_function_call( $stackPtr, $valid_functions );
+
+		// If this isn't a call to one of the valid functions, it sure isn't a sanitizing function.
+		if ( false === $functionPtr ) {
+			if ( true === $require_unslash ) {
 				$this->add_unslash_error( $stackPtr );
 			}
 
@@ -1717,15 +1724,17 @@ protected function is_sanitized( $stackPtr, $require_unslash = false ) {
 		// Check if wp_unslash() is being used.
 		if ( 'wp_unslash' === $functionName ) {
 
-			$is_unslashed    = true;
-			$function_opener = array_pop( $nested_openers );
+			$is_unslashed = true;
+
+			unset( $valid_functions['wp_unslash'] );
+			$higherFunctionPtr = $this->is_in_function_call( $functionPtr, $valid_functions );
 
-			// If there is no other function being used, this value is unsanitized.
-			if ( ! isset( $function_opener ) ) {
+			// If there is no other valid function being used, this value is unsanitized.
+			if ( false === $higherFunctionPtr ) {
 				return false;
 			}
 
-			$functionPtr  = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, ( $function_opener - 1 ), null, true, null, true );
+			$functionPtr  = $higherFunctionPtr;
 			$functionName = $this->tokens[ $functionPtr ]['content'];
 
 		} else {

WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc

@@ -211,3 +211,8 @@ if ( ClassName::array_key_exists( 'my_field5', $_POST ) ) {
 }
 
 echo sanitize_text_field (wp_unslash ($_GET['test'])); // OK.
+
+if ( isset( $_GET['unslash_check'] ) ) {
+	$clean = sanitize_text_field( WP_Faker::wp_unslash( $_GET['unslash_check'] ) ); // Bad x1 - unslash.
+	$clean = WP_Faker\sanitize_text_field( wp_unslash( $_GET['unslash_check'] ) ); // Bad x1 - sanitize.
+}

WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php

@@ -58,6 +58,8 @@ public function getErrorList() {
 			202 => 1,
 			206 => 1,
 			210 => 1,
+			216 => 1,
+			217 => 1,
 		);
 	}