
Commit b10aaeb

committed
Security/Twig: bug fix - prevent false positives on interpolated expressions
Double-quoted strings and heredocs may contain interpolated PHP expressions, and the sniff's regexes could match text inside such an expression rather than Twig markup, producing false positives. Embedded expressions are now stripped before matching. Includes unit-test fixtures reproducing the bug.
1 parent b451c89 commit b10aaeb


2 files changed

+12
-4
lines changed


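--- a/WordPressVIPMinimum/Sniffs/Security/TwigSniff.php
+++ b/WordPressVIPMinimum/Sniffs/Security/TwigSniff.php
@@ -9,6 +9,7 @@
 namespace WordPressVIPMinimum\Sniffs\Security;
 
 use PHP_CodeSniffer\Util\Tokens;
+use PHPCSUtils\Utils\TextStrings;
 use WordPressVIPMinimum\Sniffs\Sniff;
 
 /**
@@ -40,14 +41,21 @@ public function register() {
 * @return void
 */
 public function process_token( $stackPtr ) {
+// Strip any potentially interpolated expressions.
+$only_text = $this->tokens[ $stackPtr ]['content'];
+if ( $this->tokens[ $stackPtr ]['code'] === T_DOUBLE_QUOTED_STRING
+|| $this->tokens[ $stackPtr ]['code'] === T_HEREDOC
+) {
+$only_text = TextStrings::stripEmbeds( $only_text );
+}
 
-if ( preg_match( '/autoescape\s+false/', $this->tokens[ $stackPtr ]['content'] ) === 1 ) {
+if ( preg_match( '/autoescape\s+false/', $only_text ) === 1 ) {
 // Twig autoescape disabled.
 $message = 'Found Twig autoescape disabling notation.';
 $this->phpcsFile->addWarning( $message, $stackPtr, 'AutoescapeFalse' );
 }
 
-if ( preg_match( '/\|\s*raw/', $this->tokens[ $stackPtr ]['content'] ) === 1 ) {
+if ( preg_match( '/\|\s*raw/', $only_text ) === 1 ) {
 // Twig default unescape filter.
 $message = 'Found Twig default unescape filter: "|raw".';
 $this->phpcsFile->addWarning( $message, $stackPtr, 'RawFound' );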
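Review bot: `TextStrings::stripEmbeds()` removes each embed outright, so the text on either side of it is joined before the two `preg_match()` calls run; a string like `"autoescape {$mode}false"` did not match before this change but matches afterwards, and the same splice applies to a `|` and `raw` separated by an embed. If that class of false positive matters, substitute a single space for each embed instead of deleting it, which needs the embed offsets — I believe PHPCSUtils exposes those alongside `stripEmbeds()`, so please confirm against the pinned version. PHPCS also tokenizes multi-line double-quoted strings and heredocs one token per line, so an embed that spans a line break would reach `stripEmbeds()` as fragments; if templates this sniff sees can contain such embeds, `$only_text` should be built from the complete text string rather than the single token. `PHPCSUtils` is a new runtime dependency for this sniff, and this diff does not show it being added to the ruleset's composer requirements, so check that it is declared. `process_token()`'s body continues past the end of the hunk.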

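--- a/WordPressVIPMinimum/Tests/Security/TwigUnitTest.inc
+++ b/WordPressVIPMinimum/Tests/Security/TwigUnitTest.inc
@@ -25,7 +25,7 @@ echo '<script>
 
 echo "<script>
 {% autoescape false %}
-Everything will be $outputted as is in this block
+Everything will be $outputted as is in this {${$object->getBlock( SOME_FLAG | raw )}}
 {% endautoescape %}
 
 {% autoescape %}
@@ -49,7 +49,7 @@ EOD;
 echo <<<EOD
 <script>
 {% autoescape false %}
-Everything will be $outputted as is in this block
+Everything will be $outputted as is in this {$obj->blocks[SOME_FLAG | raw]->name}
 {% endautoescape %}
 EOD;
 echo <<<"EOD"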
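Review bot: Both new fixture lines put `| raw` only inside an embedded expression, so they show that the embed alone no longer triggers `RawFound`, but nothing here shows that a genuine Twig filter on the same line as an embed is still reported after stripping; adding one such line to the heredoc block, e.g. `Everything will be $outputted as is in this {$obj->blocks[SOME_FLAG | raw]->name} and {{ $var|raw }} must still warn`, would pin that. The expected-warning table lives in the sibling TwigUnitTest.php, which the diffstat lists as untouched, so presumably these lines already expected no `RawFound` warning and failed against the old sniff — worth stating in the commit message if so. Since these lines sit inside string literals, a PHP comment explaining that the `| raw` is a deliberate decoy, such as `// Embedded expression containing "| raw": must not trigger RawFound.`, would have to go above the `echo` at line 26 and line 49, but it would keep the intent from being lost in a later edit.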
