Security/StaticStrreplace: bug fix - false negatives for PHP 5.4+ short array parameters

Fixed now. Includes tests.
Note: some of the "should not be flagged" tests already use short arrays since the tests were expanded.

Author: jrfnl

WordPressVIPMinimum/Sniffs/Security/StaticStrreplaceSniff.php

@@ -10,6 +10,8 @@
 namespace WordPressVIPMinimum\Sniffs\Security;
 
 use PHP_CodeSniffer\Util\Tokens;
+use PHPCSUtils\Tokens\Collections;
+use PHPCSUtils\Utils\Arrays;
 use WordPressCS\WordPress\AbstractFunctionParameterSniff;
 
 /**
@@ -55,15 +57,20 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 		$next_start_ptr = $openBracket + 1;
 		for ( $i = 0; $i < 3; $i++ ) {
 			$param_ptr = $this->phpcsFile->findNext( array_merge( Tokens::$emptyTokens, [ T_COMMA ] ), $next_start_ptr, null, true );
+			if ( $param_ptr === false ) {
+				// Live coding or parse error. Ignore.
+				return;
+			}
 
-			if ( $this->tokens[ $param_ptr ]['code'] === T_ARRAY ) {
-				$openBracket = $this->phpcsFile->findNext( Tokens::$emptyTokens, $param_ptr + 1, null, true );
-				if ( $this->tokens[ $openBracket ]['code'] !== T_OPEN_PARENTHESIS ) {
+			if ( isset( Collections::arrayOpenTokensBC()[ $this->tokens[ $param_ptr ]['code'] ] ) ) {
+				$arrayOpenClose = Arrays::getOpenClose( $this->phpcsFile, $param_ptr );
+				if ( $arrayOpenClose === false ) {
+					// Short list, parse error or live coding, bow out.
 					return;
 				}
 
-				// Find the closing bracket.
-				$closeBracket = $this->tokens[ $openBracket ]['parenthesis_closer'];
+				$openBracket  = $arrayOpenClose['opener'];
+				$closeBracket = $arrayOpenClose['closer'];
 
 				$array_item_ptr = $this->phpcsFile->findNext( array_merge( Tokens::$emptyTokens, [ T_COMMA ] ), $openBracket + 1, $closeBracket, true );
 				while ( $array_item_ptr !== false ) {

WordPressVIPMinimum/Tests/Security/StaticStrreplaceUnitTest.inc

@@ -55,3 +55,9 @@ Str_replace(
 ); // Bad.
 str_replace( array( 'foo', 'bar' ), array( 'bar', 'foo' ), array( 'foobar', 'foobar' ) ); // Bad.
 str_replace( 'foo', 'bar', 'foobar', $count ); // Bad.
+
+// Handle PHP 5.4+ short array syntax correctly.
+\str_replace( [ 'foo', 'bar' ], [ 'bar', 'foo' ], [ 'foobar', 'foobar' ], ); // Bad.
+
+// Don't confuse PHP 7.1+ short list with short array.
+str_replace( [ $a, $b ] = $search, [ 'bar', 'foo' ], 'foobar', ); // OK.

WordPressVIPMinimum/Tests/Security/StaticStrreplaceUnitTest.php

@@ -27,6 +27,7 @@ public function getErrorList() {
 			51 => 1,
 			56 => 1,
 			57 => 1,
+			60 => 1,
 		];
 	}