Security/StaticStrreplace: use PHPCSUtils for array parsing

jrfnl · jrfnl · commit 3cff6936fce8 · 2025-07-18T17:38:53.000+02:00
As things were, the sniff walked the tokens in an array and expected a comma to always belong to the array, i.e. `[ 'text', 'text' ]`.
This falls foul as soon as the code being walked gets slightly more complex, like using nested arrays or dynamic values in the array: `[ 'text', [ $a, $b ], fnc( 'text', 'next' ) ]`.

Now, at this time, this is not strictly problematic for this sniff as it will bow out for any token which is not a `T_CONSTANT_ENCAPSED_STRING`, so would bow out for nested arrays and dynamic values.

Having said this, using the PHPCSUtils `PassedParameters::getParameters()` for parsing an array to it's individual items should still make the code more stable and also benefits from the PHPCSUtils build-in caching.
diff --git a/WordPressVIPMinimum/Sniffs/Security/StaticStrreplaceSniff.php b/WordPressVIPMinimum/Sniffs/Security/StaticStrreplaceSniff.php
@@ -12,6 +12,7 @@
 use PHP_CodeSniffer\Util\Tokens;
 use PHPCSUtils\Tokens\Collections;
 use PHPCSUtils\Utils\Arrays;
+use PHPCSUtils\Utils\PassedParameters;
 use WordPressCS\WordPress\AbstractFunctionParameterSniff;
 
 /**
@@ -54,6 +55,9 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 			return;
 		}
 
+		$static_text_tokens                               = Tokens::$emptyTokens;
+		$static_text_tokens[ T_CONSTANT_ENCAPSED_STRING ] = T_CONSTANT_ENCAPSED_STRING;
+
 		$next_start_ptr = $openBracket + 1;
 		for ( $i = 0; $i < 3; $i++ ) {
 			$param_ptr = $this->phpcsFile->findNext( array_merge( Tokens::$emptyTokens, [ T_COMMA ] ), $next_start_ptr, null, true );
@@ -69,21 +73,16 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 					return;
 				}
 
-				$openBracket  = $arrayOpenClose['opener'];
-				$closeBracket = $arrayOpenClose['closer'];
-
-				$array_item_ptr = $this->phpcsFile->findNext( array_merge( Tokens::$emptyTokens, [ T_COMMA ] ), $openBracket + 1, $closeBracket, true );
-				while ( $array_item_ptr !== false ) {
-
-					if ( $this->tokens[ $array_item_ptr ]['code'] !== T_CONSTANT_ENCAPSED_STRING ) {
+				$array_items = PassedParameters::getParameters( $this->phpcsFile, $param_ptr );
+				foreach ( $array_items as $array_item ) {
+					$has_non_static_text = $this->phpcsFile->findNext( $static_text_tokens, $array_item['start'], $array_item['end'], true );
+					if ( $has_non_static_text !== false ) {
 						return;
 					}
-					$array_item_ptr = $this->phpcsFile->findNext( array_merge( Tokens::$emptyTokens, [ T_COMMA ] ), $array_item_ptr + 1, $closeBracket, true );
 				}
 
-				$next_start_ptr = $closeBracket + 1;
+				$next_start_ptr = $arrayOpenClose['closer'] + 1;
 				continue;
-
 			}
 
 			if ( $this->tokens[ $param_ptr ]['code'] !== T_CONSTANT_ENCAPSED_STRING ) {
