Add more sniffs

Author: nicwortel

Security/Sniffs/BrokenAccessControl/PathTraversalSniff.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace NthRoot\PhpSecuritySniffs\Security\Sniffs\BrokenAccessControl;
+
+use NthRoot\PhpSecuritySniffs\Security\Sniffs\UserInputDetector;
+use PHP_CodeSniffer\Files\File;
+use PHP_CodeSniffer\Sniffs\Sniff;
+
+use function in_array;
+
+use const T_OPEN_PARENTHESIS;
+use const T_STRING;
+
+final class PathTraversalSniff implements Sniff
+{
+    const array DANGEROUS_FUNCTIONS = ['fopen', 'file_get_contents'];
+
+    protected UserInputDetector $userInputDetector;
+
+    public function __construct()
+    {
+        $this->userInputDetector = new UserInputDetector();
+    }
+
+    public function register(): array
+    {
+        return [T_STRING];
+    }
+
+    public function process(File $phpcsFile, $stackPtr): void
+    {
+        $tokens = $phpcsFile->getTokens();
+
+        if (!in_array($tokens[$stackPtr]['content'], self::DANGEROUS_FUNCTIONS, true)) {
+            return;
+        }
+
+        $start = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
+
+        if ($this->userInputDetector->containsUserInput($phpcsFile, $start)) {
+            $phpcsFile->addError(
+                sprintf(
+                    "Passing user input to %s() can lead to path traversal attacks (CWE-22)",
+                    $tokens[$stackPtr]['content']
+                ),
+                $stackPtr,
+                'FoundWithUserInput'
+            );
+
+            return;
+        }
+
+        if ($this->userInputDetector->containsVariableInput($phpcsFile, $start)) {
+            $phpcsFile->addWarning(
+                sprintf(
+                    "Passing variable data to %s() can lead to path traversal attacks (CWE-22) if it contains user input",
+                    $tokens[$stackPtr]['content']
+                ),
+                $stackPtr,
+                'FoundWithVariableInput'
+            );
+        }
+    }
+}

Security/Sniffs/Injection/SqlInjectionSniff.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace NthRoot\PhpSecuritySniffs\Security\Sniffs\Injection;
+
+use NthRoot\PhpSecuritySniffs\Security\Sniffs\UserInputDetector;
+use PHP_CodeSniffer\Files\File;
+use PHP_CodeSniffer\Sniffs\Sniff;
+
+use function in_array;
+
+use const T_OBJECT_OPERATOR;
+use const T_OPEN_PARENTHESIS;
+use const T_STRING;
+use const T_VARIABLE;
+
+final class SqlInjectionSniff implements Sniff
+{
+    private const array FUNCTIONS = [
+        'mysqli_query',
+        'mysqli_real_query',
+        'mysqli_multi_query',
+    ];
+
+    private const array METHODS = [
+        'query',
+        'prepare',
+    ];
+
+    private UserInputDetector $userInputDetector;
+
+    public function __construct()
+    {
+        $this->userInputDetector = new UserInputDetector();
+    }
+
+    public function register(): array
+    {
+        return [T_STRING];
+    }
+
+    public function process(File $phpcsFile, $stackPtr): void
+    {
+        $tokens = $phpcsFile->getTokens();
+
+        $function = $tokens[$stackPtr]['content'];
+
+        if ($objectOperator = $phpcsFile->findPrevious(T_OBJECT_OPERATOR, $stackPtr - 1, null, false, null, true)) {
+            $object = $phpcsFile->findPrevious([T_STRING, T_VARIABLE], $objectOperator - 1, null, false, null, true);
+            $object = $tokens[$object]['content'];
+        }
+
+        if ($objectOperator === false && !in_array($function, self::FUNCTIONS, true)) {
+            return;
+        }
+
+        if ($objectOperator !== false && !in_array($function, self::METHODS, true)) {
+            return;
+        }
+
+        $openParenthesis = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
+
+        if ($this->userInputDetector->containsUserInput($phpcsFile, $openParenthesis)) {
+            $phpcsFile->addError(
+                sprintf(
+                    'Passing user input to %s() can lead to SQL injection (CWE-89)',
+                    isset($object) ? $object . '->' . $function : $function
+                ),
+                $stackPtr,
+                'FoundWithUserInput'
+            );
+        }
+    }
+}

Security/Sniffs/SensitiveInformationExposure/DebuggingFunctionSniff.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace NthRoot\PhpSecuritySniffs\Security\Sniffs\SensitiveInformationExposure;
+
+use PHP_CodeSniffer\Files\File;
+use PHP_CodeSniffer\Sniffs\Sniff;
+
+use function in_array;
+use function sprintf;
+
+use const T_STRING;
+
+final class DebuggingFunctionSniff implements Sniff
+{
+    private const array DEBUGGING_FUNCTIONS = ['var_dump', 'dump', 'dd', 'print_r'];
+
+    public function register(): array
+    {
+        return [T_STRING];
+    }
+
+    public function process(File $phpcsFile, $stackPtr): void
+    {
+        $tokens = $phpcsFile->getTokens();
+
+        if (!in_array($tokens[$stackPtr]['content'], self::DEBUGGING_FUNCTIONS, true)) {
+            return;
+        }
+
+        $phpcsFile->addWarning(
+            sprintf(
+                'Leaving debugging functions such as %s() in the code might lead to sensitive data exposure (CWE-489)',
+                $tokens[$stackPtr]['content']
+            ),
+            $stackPtr,
+            'Found'
+        );
+    }
+}

Security/Tests/BrokenAccessControl/PathTraversalUnitTest.inc

@@ -0,0 +1,5 @@
+<?php
+
+$file = $_GET['file'];
+
+$contents = file_get_contents($file);

Security/Tests/BrokenAccessControl/PathTraversalUnitTest.php

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace NthRoot\PhpSecuritySniffs\Security\Tests\BrokenAccessControl;
+
+use NthRoot\PhpSecuritySniffs\Security\Tests\SecuritySniffTestCase;
+
+final class PathTraversalUnitTest extends SecuritySniffTestCase
+{
+    protected function getErrorList(): array
+    {
+        return [
+            5 => 1,
+        ];
+    }
+
+    protected function getWarningList(): array
+    {
+        return [];
+    }
+}

Security/Tests/Injection/SqlInjectionUnitTest.inc

@@ -0,0 +1,12 @@
+<?php
+
+$id = $_GET['id'];
+
+$query = 'SELECT * FROM users WHERE id = ' . $id;
+
+mysqli_query($query);
+
+$pdo = new PDO('');
+
+$statement = $pdo->prepare($query);
+$statement = $pdo->query($query);

Security/Tests/Injection/SqlInjectionUnitTest.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace NthRoot\PhpSecuritySniffs\Security\Tests\Injection;
+
+use NthRoot\PhpSecuritySniffs\Security\Tests\SecuritySniffTestCase;
+
+final class SqlInjectionUnitTest extends SecuritySniffTestCase
+{
+    protected function getErrorList(): array
+    {
+        return [
+            7 => 1,
+            11 => 1,
+            12 => 1,
+        ];
+    }
+
+    protected function getWarningList(): array
+    {
+        return [];
+    }
+}

Security/Tests/SensitiveInformationExposure/DebuggingFunctionUnitTest.inc

@@ -0,0 +1,6 @@
+<?php
+
+print_r('foo');
+var_dump($user);
+dump($user);
+dd($user);

Security/Tests/SensitiveInformationExposure/DebuggingFunctionUnitTest.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace NthRoot\PhpSecuritySniffs\Security\Tests\SensitiveInformationExposure;
+
+use NthRoot\PhpSecuritySniffs\Security\Tests\SecuritySniffTestCase;
+
+final class DebuggingFunctionUnitTest extends SecuritySniffTestCase
+{
+    protected function getErrorList(): array
+    {
+        return [];
+    }
+
+    protected function getWarningList(): array
+    {
+        return [
+            3 => 1,
+            4 => 1,
+            5 => 1,
+            6 => 1,
+        ];
+    }
+}