class InsecureUnserializeSniff

Check that unserialize() limits classes that may be unserialized.

@category PHP @package PHP_CodeSniffer @link http://pear.php.net/package/PHP_CodeSniffer

Hierarchy

class \Drupal\Sniffs\Semantics\FunctionCall implements \PHP_CodeSniffer\Sniffs\Sniff
- class \DrupalPractice\Sniffs\FunctionCalls\InsecureUnserializeSniff extends \Drupal\Sniffs\Semantics\FunctionCall

Expanded class hierarchy of InsecureUnserializeSniff

File

vendor/drupal/coder/coder_sniffer/DrupalPractice/Sniffs/FunctionCalls/InsecureUnserializeSniff.php, line 22

Namespace

DrupalPractice\Sniffs\FunctionCalls

View source

class InsecureUnserializeSniff extends FunctionCall {
    
    /**
     * Returns an array of function names this test wants to listen for.
     *
     * @return array<string>
     */
    public function registerFunctionNames() {
        return [
            'unserialize',
        ];
    }
    
    //end registerFunctionNames()
    
    /**
     * Processes this function call.
     *
     * @param \PHP_CodeSniffer\Files\File $phpcsFile    The file being scanned.
     * @param int                         $stackPtr     The position of the function call in
     *                                                  the stack.
     * @param int                         $openBracket  The position of the opening
     *                                                  parenthesis in the stack.
     * @param int                         $closeBracket The position of the closing
     *                                                  parenthesis in the stack.
     *
     * @return void
     */
    public function processFunctionCall(File $phpcsFile, $stackPtr, $openBracket, $closeBracket) {
        $tokens = $phpcsFile->getTokens();
        $argument = $this->getArgument(2);
        if ($argument === false) {
            $this->fail($phpcsFile, $closeBracket);
            return;
        }
        $allowedClassesKeyStart = $phpcsFile->findNext(T_CONSTANT_ENCAPSED_STRING, $argument['start'], $argument['end'], false, '\'allowed_classes\'');
        if ($allowedClassesKeyStart === false) {
            $allowedClassesKeyStart = $phpcsFile->findNext(T_CONSTANT_ENCAPSED_STRING, $argument['start'], $argument['end'], false, '"allowed_classes"');
        }
        if ($allowedClassesKeyStart === false) {
            $this->fail($phpcsFile, $argument['end']);
            return;
        }
        $allowedClassesArrow = $phpcsFile->findNext(T_DOUBLE_ARROW, $allowedClassesKeyStart, $argument['end'], false);
        if ($allowedClassesArrow === false) {
            $this->fail($phpcsFile, $argument['end']);
            return;
        }
        $allowedClassesValue = $phpcsFile->findNext(T_WHITESPACE, $allowedClassesArrow + 1, $argument['end'], true);
        if ($tokens[$allowedClassesValue]['code'] === T_TRUE) {
            $this->fail($phpcsFile, $allowedClassesValue);
        }
    }
    
    //end processFunctionCall()
    
    /**
     * Record a violation of the standard.
     *
     * @param \PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.
     * @param int                         $position  The stack position of the violation.
     *
     * @return void
     */
    protected function fail(File $phpcsFile, int $position) {
        $phpcsFile->addError('unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option.', $position, 'InsecureUnserialize');
    }
    
    //end fail()

}

Members

Title Sort descending	Modifiers	Object type	Summary	Overriden Title	Overrides
FunctionCall::$arguments	protected	property	Internal cache to save the calculated arguments of the function call.
FunctionCall::$closeBracket	protected	property	The token position of the closing bracket of the function call.
FunctionCall::$functionCall	protected	property	The token position of the function call.
FunctionCall::$includeMethodCalls	protected	property	Whether method invocations with the same function name should be processed, too.		1
FunctionCall::$openBracket	protected	property	The token position of the opening bracket of the function call.
FunctionCall::$phpcsFile	protected	property	The currently processed file.
FunctionCall::getArgument	public	function	Returns start and end token for a given argument number.
FunctionCall::isFunctionCall	protected	function	Checks if this is a function call.
FunctionCall::process	public	function	Processes this test, when one of its tokens is encountered.	Overrides Sniff::process	2
FunctionCall::register	public	function	Returns an array of tokens this test wants to listen for.	Overrides Sniff::register
InsecureUnserializeSniff::fail	protected	function	Record a violation of the standard.
InsecureUnserializeSniff::processFunctionCall	public	function	Processes this function call.
InsecureUnserializeSniff::registerFunctionNames	public	function	Returns an array of function names this test wants to listen for.