Security/PHPFilterFunctions: improve the tests

* Test against false positives for calls to methods or namespaced function calls.
* Test against false positives for attribute class using the same name as the function.
* Ensure function import `use` statements are not flagged. We're not interested in those.
* Document that if the filter is passed in dynamically (via a variable or function call), the sniff will stay silent.
* Add some more variations to the pre-existing tests:
    - Non-lowercase function call(s).
    - Fully qualified function calls.
    - Use PHP 7.3+ trailing comma's in a few function calls.

Author: jrfnl

WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc

@@ -1,29 +1,58 @@
 <?php
 
-$url = 'http://www.google.ca';
-$_GET['foo'] = 'bar';
-$array = [ 'something_something', 'https://www.google.com', '6' ];
+/*
+ * Not the sniff target.
+ */
+use filter_var;
 
-// Ok.
+my\ns\filter_input($a, $b);
+$this->filter_var_array($a, $b);
+$this?->filter_input_array($a, $b);
+MyClass::filter_var($a, $b);
+echo FILTER_INPUT;
+namespace\filter_var_array($a, $b);
+
+// Looks like a function call, but is a PHP 8.0+ class instantiation via an attribute.
+#[Filter_Input('text')]
+function foo() {}
+
+// PHP 8.1 first class callable.
+// As we have no knowledge about what parameters will be passed, we shouldn't flag this.
+add_filter('my_filter', filter_var(...));
+
+
+/*
+ * These should all be okay.
+ */
 filter_var( $url, FILTER_SANITIZE_URL );
-filter_var( 'test', FILTER_SANITIZE_STRING );
-filter_var(  "test", FILTER_SANITIZE_STRING );
-filter_input( INPUT_GET, 'foo', FILTER_SANITIZE_STRING );
+\filter_var( 'test', FILTER_SANITIZE_STRING );
+FILTER_INPUT( INPUT_GET, 'foo', FILTER_SANITIZE_STRING, );
 filter_input( INPUT_GET,  "foo"   , FILTER_SANITIZE_STRING );
-filter_var_array( $array, FILTER_SANITIZE_STRING );
 filter_input_array( $array, FILTER_SANITIZE_STRING );
-filter_input_array( $array,FILTER_SANITIZE_STRING      );
 
-// Bad.
+// Ignore as undetermined.
+filter_var(  "test", get_filter() );
+\Filter_Var_Array( $array, $filterName );
+filter_input_array( $array,$obj->get_filter()     , );
+
+// Incomplete function call, should be ignored by the sniff.
+$incorrect_but_ok = filter_input();
+
+/*
+ * These should all be flagged with a warning.
+ */
 filter_input( INPUT_GET, 'foo' ); // Missing third parameter.
-filter_input( INPUT_GET, 'foo', FILTER_DEFAULT ); // This filter ID does nothing.
-filter_input( INPUT_GET, "foo", FILTER_UNSAFE_RAW  ); // This filter ID does nothing.
+\filter_input( INPUT_GET, 'foo', FILTER_DEFAULT ); // This filter ID does nothing.
+filter_input( INPUT_GET, "foo", FILTER_UNSAFE_RAW  ,); // This filter ID does nothing.
+
 filter_var( $url ); // Missing second parameter.
-filter_var( $url, FILTER_DEFAULT ); // This filter ID does nothing.
+Filter_Var( $url, FILTER_DEFAULT ); // This filter ID does nothing.
 filter_var( 'https://google.com', FILTER_UNSAFE_RAW ); // This filter ID does nothing.
-filter_var_array( $array ); // Missing second parameter.
+
+filter_var_array( $array, ); // Missing second parameter.
 filter_var_array( $array, FILTER_DEFAULT ); // This filter ID does nothing.
 filter_var_array( $array, FILTER_UNSAFE_RAW ); // This filter ID does nothing.
+
 filter_input_array( $array ); // Missing second parameter.
-filter_input_array( $array, FILTER_DEFAULT ); // This filter ID does nothing.
-filter_input_array( $array, FILTER_UNSAFE_RAW ); // This filter ID does nothing.
+\FILTER_INPUT_ARRAY( $array, FILTER_DEFAULT ); // This filter ID does nothing.
+filter_input_array( $array, FILTER_UNSAFE_RAW, ); // This filter ID does nothing.

WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.php

@@ -32,18 +32,18 @@ public function getErrorList() {
 	 */
 	public function getWarningList() {
 		return [
-			18 => 1,
-			19 => 1,
-			20 => 1,
-			21 => 1,
-			22 => 1,
-			23 => 1,
-			24 => 1,
-			25 => 1,
-			26 => 1,
-			27 => 1,
-			28 => 1,
-			29 => 1,
+			44 => 1,
+			45 => 1,
+			46 => 1,
+			48 => 1,
+			49 => 1,
+			50 => 1,
+			52 => 1,
+			53 => 1,
+			54 => 1,
+			56 => 1,
+			57 => 1,
+			58 => 1,
 		];
 	}
 }