Merge pull request #1655 from WordPress-Coding-Standards/feature/295-alternativefunctions-recognizing-more-streams

GaryJones · web-flow · commit 95b904e08e42 · 2019-03-06T23:30:10.000Z
WP/AlternativeFunctions: allow for more input streams with file related functions
diff --git a/WordPress/Sniffs/WP/AlternativeFunctionsSniff.php b/WordPress/Sniffs/WP/AlternativeFunctionsSniff.php
@@ -25,6 +25,47 @@
  */
 class AlternativeFunctionsSniff extends AbstractFunctionRestrictionsSniff {
 
+	/**
+	 * Local input streams which should not be flagged for the file system function checks.
+	 *
+	 * @link http://php.net/manual/en/wrappers.php.php
+	 *
+	 * @var array
+	 */
+	protected $allowed_local_streams = array(
+		'php://input'  => true,
+		'php://output' => true,
+		'php://stdin'  => true,
+		'php://stdout' => true,
+		'php://stderr' => true,
+	);
+
+	/**
+	 * Local input streams which should not be flagged for the file system function checks if
+	 * the $filename starts with them.
+	 *
+	 * @link http://php.net/manual/en/wrappers.php.php
+	 *
+	 * @var array
+	 */
+	protected $allowed_local_stream_partials = array(
+		'php://temp/',
+		'php://fd/',
+	);
+
+	/**
+	 * Local input stream constants which should not be flagged for the file system function checks.
+	 *
+	 * @link http://php.net/manual/en/wrappers.php.php
+	 *
+	 * @var array
+	 */
+	protected $allowed_local_stream_constants = array(
+		'STDIN'  => true,
+		'STDOUT' => true,
+		'STDERR' => true,
+	);
+
 	/**
 	 * Groups of functions to restrict.
 	 *
@@ -83,13 +124,13 @@ public function getGroups() {
 				'since'     => '2.5.0',
 				'functions' => array(
 					'readfile',
-					'fopen',
-					'fsockopen',
-					'pfsockopen',
 					'fclose',
+					'fopen',
 					'fread',
 					'fwrite',
 					'file_put_contents',
+					'fsockopen',
+					'pfsockopen',
 				),
 			),
 
@@ -202,13 +243,34 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content
 					return;
 				}
 
-				$raw_stripped = $this->strip_quotes( $params[1]['raw'] );
-				if ( 'php://input' === $raw_stripped ) {
-					// This is not a file, but the read-only raw data stream from the request body.
+				if ( $this->is_local_data_stream( $params[1]['raw'] ) === true ) {
+					// Local data stream.
 					return;
 				}
 
-				unset( $params, $raw_stripped );
+				unset( $params );
+
+				break;
+
+			case 'readfile':
+			case 'fopen':
+			case 'file_put_contents':
+				/*
+				 * Allow for handling raw data streams from the request body.
+				 */
+				$first_param = $this->get_function_call_parameter( $stackPtr, 1 );
+
+				if ( false === $first_param ) {
+					// If the file to work with is not set, local data streams don't come into play.
+					break;
+				}
+
+				if ( $this->is_local_data_stream( $first_param['raw'] ) === true ) {
+					// Local data stream.
+					return;
+				}
+
+				unset( $first_param );
 
 				break;
 		}
@@ -223,4 +285,29 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content
 		}
 	}
 
+	/**
+	 * Determine based on the "raw" parameter value, whether a file parameter points to
+	 * a local data stream.
+	 *
+	 * @param string $raw_param_value Raw parameter value.
+	 *
+	 * @return bool True if this is a local data stream. False otherwise.
+	 */
+	protected function is_local_data_stream( $raw_param_value ) {
+
+		$raw_stripped = $this->strip_quotes( $raw_param_value );
+		if ( isset( $this->allowed_local_streams[ $raw_stripped ] )
+			|| isset( $this->allowed_local_stream_constants[ $raw_param_value ] )
+		) {
+			return true;
+		}
+
+		foreach ( $this->allowed_local_stream_partials as $partial ) {
+			if ( strpos( $raw_stripped, $partial ) === 0 ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
 }
diff --git a/WordPress/Tests/WP/AlternativeFunctionsUnitTest.inc b/WordPress/Tests/WP/AlternativeFunctionsUnitTest.inc
@@ -51,3 +51,18 @@ file_get_contents( MUPLUGINDIR . 'some-file.xml' ); // OK.
 file_get_contents( plugin_dir_path( __FILE__ ) . 'subfolder/*.conf' ); // OK.
 file_get_contents(WP_Upload_Dir()['path'] . 'subdir/file.inc'); // OK.
 file_get_contents( 'php://input' ); // OK.
+
+// Loosely related to issue 295.
+file_get_contents( 'php://stdin' ); // OK.
+$input_stream = fopen( 'php://stdin', 'w' ); // OK.
+$csv_ar = fopen(STDIN); // OK.
+
+$output_stream = fopen( 'php://output', 'w' ); // OK.
+$output_stream = fopen( 'php://stdout', 'w' ); // OK.
+$output_stream = fopen( 'php://stderr', 'w' ); // OK.
+$output_stream = fopen( STDOUT, 'w' ); // OK.
+$output_stream = fopen( STDERR, 'w' ); // OK.
+$output_stream = fopen( 'php://fd/3', 'w' ); // OK.
+$fp = fopen("php://temp/maxmemory:$fiveMBs", 'r+'); // OK.
+readfile( 'php://filter/resource=http://www.example.com' ); // Warning.
+file_put_contents("php://filter/write=string.rot13/resource=example.txt","Hello World"); // Warning.
diff --git a/WordPress/Tests/WP/AlternativeFunctionsUnitTest.php b/WordPress/Tests/WP/AlternativeFunctionsUnitTest.php
@@ -40,13 +40,9 @@ public function getWarningList() {
 			5  => 1,
 			6  => 1,
 			7  => 1,
-
 			10 => 1,
-
 			12 => 1,
-
 			14 => 1,
-
 			16 => 1,
 			17 => 1,
 			18 => 1,
@@ -60,13 +56,13 @@ public function getWarningList() {
 			26 => 1,
 			27 => 1,
 			28 => 1,
-
 			40 => 1,
-
 			44 => 1,
 			46 => 1,
 			47 => 1,
 			49 => 1,
+			67 => 1,
+			68 => 1,
 		);
 	}
 
