Merge pull request #842 from Automattic/feature/security-mustache-sniff-improvements

Author: GaryJones

WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php

@@ -8,6 +8,7 @@
 
 namespace WordPressVIPMinimum\Sniffs\Security;
 
+use PHP_CodeSniffer\Util\Tokens;
 use WordPressVIPMinimum\Sniffs\Sniff;
 
 /**
@@ -28,12 +29,10 @@ class MustacheSniff extends Sniff {
 	 * @return array<int|string>
 	 */
 	public function register() {
-		return [
-			T_CONSTANT_ENCAPSED_STRING,
-			T_STRING,
-			T_INLINE_HTML,
-			T_HEREDOC,
-		];
+		$targets             = Tokens::$textStringTokens;
+		$targets[ T_STRING ] = T_STRING;
+
+		return $targets;
 	}
 
 	/**
@@ -57,15 +56,22 @@ public function process_token( $stackPtr ) {
 			$this->phpcsFile->addWarning( $message, $stackPtr, 'VariableNotation' );
 		}
 
-		if ( strpos( $this->tokens[ $stackPtr ]['content'], '{{=' ) !== false ) {
+		$start_delimiter_change = strpos( $this->tokens[ $stackPtr ]['content'], '{{=' );
+		if ( $start_delimiter_change !== false ) {
 			// Mustache delimiter change.
-			$new_delimiter = trim( str_replace( [ '{{=', '=}}' ], '', substr( $this->tokens[ $stackPtr ]['content'], 0, strpos( $this->tokens[ $stackPtr ]['content'], '=}}' ) + 3 ) ) );
-			$message       = 'Found Mustache delimiter change notation. New delimiter is: %s.';
-			$data          = [ $new_delimiter ];
-			$this->phpcsFile->addWarning( $message, $stackPtr, 'DelimiterChange', $data );
+			$end_delimiter_change = strpos( $this->tokens[ $stackPtr ]['content'], '=}}' );
+			if ( $end_delimiter_change !== false && $start_delimiter_change < $end_delimiter_change ) {
+				$start_new_delimiter  = $start_delimiter_change + 3;
+				$new_delimiter_length = $end_delimiter_change - ( $start_delimiter_change + 3 );
+				$new_delimiter        = substr( $this->tokens[ $stackPtr ]['content'], $start_new_delimiter, $new_delimiter_length );
+
+				$message = 'Found Mustache delimiter change notation. New delimiter is: %s.';
+				$data    = [ $new_delimiter ];
+				$this->phpcsFile->addWarning( $message, $stackPtr, 'DelimiterChange', $data );
+			}
 		}
 
-		if ( strpos( $this->tokens[ $stackPtr ]['content'], 'SafeString' ) !== false ) {
+		if ( strpos( $this->tokens[ $stackPtr ]['content'], '.SafeString' ) !== false ) {
 			// Handlebars.js Handlebars.SafeString does not get escaped.
 			$message = 'Found Handlebars.SafeString call which does not get escaped.';
 			$this->phpcsFile->addWarning( $message, $stackPtr, 'SafeString' );

WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc

@@ -21,3 +21,34 @@ echo '<a href="{{href}}">{{&data}}</div></a>'; // NOK: data.
 
 // Issue 541#issuecomment-1692323177: don't flag GB syntax.
 <div class="wp-block-group"><!-- wp:heading {"textAlign":"center","style":{"spacing":{"margin":{"top":"0","right":"0","bottom":"var:preset|spacing|medium","left":"0"}}}} --><!-- OK. -->
+
+<?php
+echo "<a href='${foo->{$baz}}'>{{{data}}}</div></a>"; // NOK: data.
+
+echo <<<HERE
+<script type="text/html" id="tmpl-example">
+<a href="${(href)}">{{{data}}}</div></a><!-- NOK: data. -->
+<a href="{{href}}">{{&data}}</div></a><!-- NOK: data. -->
+HERE;
+echo <<<"HERE"
+{{=<% %>=}} <!-- NOK: delimiter change -->
+</script>
+HERE;
+
+echo <<<'NOW'
+<script type="text/html" id="tmpl-example">
+<a href="{{href}}">{{{data}}}</div></a><!-- NOK: data. -->
+<a href="{{href}}">{{&data}}</div></a><!-- NOK: data. -->
+{{=<% %>=}} <!-- NOK: delimiter change -->
+</script>
+NOW;
+
+// Don't throw false positives on incorrect/incomplete mustache delimiter change.
+$m = '{{=<%'; // Missing end of delimiter change.
+$m = '%>=}} {{=<%'; // Incorrect order, not a delimiter change.
+
+// Correctly recognize mid-line delimiter change.
+$m = '{{default_tags}} {{=<% %>=}} <% erb_style_tags %> <%={{ }}=%> {{ default_tags_again }}'; // NOK: delimiter change.
+
+// Prevent false positives on SafeString being a partial name.
+echo 'MySafeString';

WordPressVIPMinimum/Tests/Security/MustacheUnitTest.php

@@ -38,6 +38,14 @@ public function getWarningList() {
 			7  => 1,
 			8  => 1,
 			18 => 1,
+			26 => 1,
+			30 => 1,
+			31 => 1,
+			34 => 1,
+			40 => 1,
+			41 => 1,
+			42 => 1,
+			51 => 1,
 		];
 	}
 }