Security/StaticStrreplace: handle more "static" tokens

jrfnl · jrfnl · commit b225a93969e0 · 2025-07-18T17:38:53.000+02:00
This commit primarily addresses that the sniff did not take PHP 5.3 nowdocs into account as "static text" tokens.

However, heredocs can also be "static text" if there is no interpolation and there are some other variants of valid code which would still make the code effectively "static text".

Fixed now by checking the code more thoroughly.

The actual checking has been moved to a new `is_parameter_static_text()` method as if the passed parameter is an array, the same checks would need to be done again for each array item. By having the check in a separate method, the method can recursively call itself for array items.

Includes tests.
diff --git a/WordPressVIPMinimum/Sniffs/Security/StaticStrreplaceSniff.php b/WordPressVIPMinimum/Sniffs/Security/StaticStrreplaceSniff.php
@@ -10,9 +10,10 @@
 namespace WordPressVIPMinimum\Sniffs\Security;
 
 use PHP_CodeSniffer\Util\Tokens;
-use PHPCSUtils\Exceptions\UnexpectedTokenType;
 use PHPCSUtils\Tokens\Collections;
+use PHPCSUtils\Utils\Arrays;
 use PHPCSUtils\Utils\PassedParameters;
+use PHPCSUtils\Utils\TextStrings;
 use WordPressCS\WordPress\AbstractFunctionParameterSniff;
 
 /**
@@ -61,40 +62,83 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 			return;
 		}
 
-		$static_text_tokens                               = Tokens::$emptyTokens;
-		$static_text_tokens[ T_CONSTANT_ENCAPSED_STRING ] = T_CONSTANT_ENCAPSED_STRING;
-
 		foreach ( [ $search_param, $replace_param, $subject_param ] as $param ) {
-			$has_non_static_text = $this->phpcsFile->findNext( $static_text_tokens, $param['start'], ( $param['end'] + 1 ), true );
-			if ( $has_non_static_text === false ) {
+			if ( $this->is_parameter_static_text( $param ) === false ) {
+				// Non-static text token found. Not what we're looking for.
+				return;
+			}
+		}
+
+		$message = 'This code pattern is often used to run a very dangerous shell programs on your server. The code in these files needs to be reviewed, and possibly cleaned.';
+		$this->phpcsFile->addError( $message, $stackPtr, 'StaticStrreplace' );
+	}
+
+	/**
+	 * Check whether the current parameter, or array item, only contains tokens which should be regarded
+	 * as a valid part of a static text string.
+	 *
+	 * @param array<string, int|string> $param_info Array with information about a single parameter or array item.
+	 *                                              Must be an array as returned via the PassedParameters class.
+	 *
+	 * @return bool
+	 */
+	private function is_parameter_static_text( $param_info ) {
+		// List of tokens which can be skipped over without further examination.
+		$static_tokens  = [
+			T_CONSTANT_ENCAPSED_STRING => T_CONSTANT_ENCAPSED_STRING,
+			T_PLUS                     => T_PLUS,
+			T_STRING_CONCAT            => T_STRING_CONCAT,
+		];
+		$static_tokens += Tokens::$emptyTokens;
+
+		for ( $i = $param_info['start']; $i <= $param_info['end']; $i++ ) {
+			$next_to_examine = $this->phpcsFile->findNext( $static_tokens, $i, ( $param_info['end'] + 1 ), true );
+			if ( $next_to_examine === false ) {
 				// The parameter contained only tokens which could be considered static text.
-				continue;
+				return true;
 			}
 
-			if ( isset( Collections::arrayOpenTokensBC()[ $this->tokens[ $has_non_static_text ]['code'] ] ) ) {
-				try {
-					$array_items = PassedParameters::getParameters( $this->phpcsFile, $has_non_static_text );
-				} catch ( UnexpectedTokenType $e ) {
+			if ( isset( Collections::arrayOpenTokensBC()[ $this->tokens[ $next_to_examine ]['code'] ] ) ) {
+				$arrayOpenClose = Arrays::getOpenClose( $this->phpcsFile, $next_to_examine );
+				if ( $arrayOpenClose === false ) {
 					// Short list, parse error or live coding, bow out.
-					return;
+					return false;
 				}
 
+				$array_items = PassedParameters::getParameters( $this->phpcsFile, $next_to_examine );
 				foreach ( $array_items as $array_item ) {
-					$has_non_static_text = $this->phpcsFile->findNext( $static_text_tokens, $array_item['start'], $array_item['end'], true );
-					if ( $has_non_static_text !== false ) {
-						return;
+					if ( $this->is_parameter_static_text( $array_item ) === false ) {
+						return false;
 					}
 				}
 
 				// The array only contained items with tokens which could be considered static text.
+				$i = $arrayOpenClose['closer'];
 				continue;
 			}
 
-			// Non-static text token found. Not what we're looking for.
-			return;
+			if ( $this->tokens[ $next_to_examine ]['code'] === T_START_HEREDOC ) {
+				$heredoc_text  = TextStrings::getCompleteTextString( $this->phpcsFile, $next_to_examine );
+				$stripped_text = TextStrings::stripEmbeds( $heredoc_text );
+				if ( $heredoc_text !== $stripped_text ) {
+					// Heredoc with interpolated expression(s). Not a static text.
+					return false;
+				}
+			}
+
+			if ( ( $this->tokens[ $next_to_examine ]['code'] === T_START_HEREDOC
+				|| $this->tokens[ $next_to_examine ]['code'] === T_START_NOWDOC )
+				&& isset( $this->tokens[ $next_to_examine ]['scope_closer'] )
+			) {
+				// No interpolation. Skip to end of a heredoc/nowdoc.
+				$i = $this->tokens[ $next_to_examine ]['scope_closer'];
+				continue;
+			}
+
+			// Any other token means this parameter should be regarded as non-static text. Not what we're looking for.
+			return false;
 		}
 
-		$message = 'This code pattern is often used to run a very dangerous shell programs on your server. The code in these files needs to be reviewed, and possibly cleaned.';
-		$this->phpcsFile->addError( $message, $stackPtr, 'StaticStrreplace' );
+		return true;
 	}
 }
diff --git a/WordPressVIPMinimum/Tests/Security/StaticStrreplaceUnitTest.inc b/WordPressVIPMinimum/Tests/Security/StaticStrreplaceUnitTest.inc
@@ -69,3 +69,33 @@ str_replace( subject: $subject, count: $count, replace: 'baz', search: 'foo', );
 
 str_replace( count: $count, subject: [ 'foobar', 'foobar' ], search: 'foo', replace: 'baz', ); // Bad with different parameter order.
 str_replace( [ 'foo', 'bar' ], 'baz', count: $count, subject: 'foobar' ); // Bad, with mixed named and unnamed params.
+
+// Make sure some variations of how plain strings can be passed are handled.
+str_replace( 'fo' . 'o', 'bar', 'foobar' ); // Bad.
+str_replace( array( 'foo', 'bar' ) + array( 'baz', 'fop' ), array( 'bar', 'foo' ), 'foobar' ); // Bad.
+
+// Safeguard correct handling of PHP 5.3+ nowdocs.
+str_replace(
+	'foo',
+	'bar',
+	<<<'EOD'
+foobar
+EOD
+); // Bad.
+
+// Safeguard correct handling of heredocs without interpolation.
+str_replace( array(<<<EOD
+foo
+EOD
+	),
+	'bar',
+	<<<"EOD"
+foobar
+EOD
+); // Bad.
+
+// Ensure heredocs with interpolation are ignored.
+str_replace( 'foo', 'bar', <<<EOD
+Some text and $foobar
+EOD
+); // OK.
diff --git a/WordPressVIPMinimum/Tests/Security/StaticStrreplaceUnitTest.php b/WordPressVIPMinimum/Tests/Security/StaticStrreplaceUnitTest.php
@@ -30,6 +30,10 @@ public function getErrorList() {
 			60 => 1,
 			70 => 1,
 			71 => 1,
+			74 => 1,
+			75 => 1,
+			78 => 1,
+			87 => 1,
 		];
 	}
 
