Security/EscapingVoidReturnFunctions: add support for PHP 8.0+ named parameters

To allow support for named parameters, we need to know the position and name of the parameter to examine within a function call.

Previously, this sniff used "wildcard" matching for `esc_*` and `wp_kses*` functions.

While the parameter position is the same for all of these, the parameter name is not, so we can no longer use wildcard matching if we want the sniff to support PHP 8.0+ function calls using named parameters.

To this end:

1. Change the `$target_functions` property to be explicit about the functions the sniff is targetting.
    Notes:
    - I've included all WP native `esc_*` functions with the exception of `esc_sql()` which doesn't feel like it belongs in this list. Please let me know if you prefer that `esc_sql()` is still included.
    - I've included all WP native `wp_kses_*` functions with the exception of `wp_kses_allowed_html()` which is not an escaping function.
    - Also take note that this also means that custom/user defined `esc_*`/`wp_kses*` functions wrapping printing functions will no longer be flagged.
2. Changed the `$target_functions` property to contain information about the target parameter name and position.
3. Adjusted the logic in the sniff to allow for named parameters using the new PHPCSUtils 1.0.0-alpha4 `PassedParameters::getParameterFromStack()` method.

Includes additional unit tests.

Author: jrfnl

WordPressVIPMinimum/Sniffs/Security/EscapingVoidReturnFunctionsSniff.php

@@ -10,6 +10,7 @@
 namespace WordPressVIPMinimum\Sniffs\Security;
 
 use PHP_CodeSniffer\Util\Tokens;
+use PHPCSUtils\Utils\PassedParameters;
 use WordPressCS\WordPress\AbstractFunctionParameterSniff;
 use WordPressCS\WordPress\Helpers\PrintingFunctionsTrait;
 
@@ -34,12 +35,82 @@ class EscapingVoidReturnFunctionsSniff extends AbstractFunctionParameterSniff {
 	/**
 	 * Functions this sniff is looking for.
 	 *
-	 * @var array<string, true> Keys are target functions, value irrelevant.
+	 * @var array<string, array{param_position: int, param_name: string}> Keys are the target functions,
+	 *                                                                    value, the name and position of the target parameter.
 	 */
 	protected $target_functions = [
-		'esc_*'      => true,
-		'tag_escape' => true,
-		'wp_kses*'   => true,
+		'esc_attr' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_attr__' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_attr_e' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_attr_x' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_html' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_html__' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_html_e' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_html_x' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_js' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_textarea' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'esc_url' => [
+			'param_position' => 1,
+			'param_name'     => 'url',
+		],
+		'esc_url_raw' => [
+			'param_position' => 1,
+			'param_name'     => 'url',
+		],
+		'esc_xml' => [
+			'param_position' => 1,
+			'param_name'     => 'text',
+		],
+		'tag_escape' => [
+			'param_position' => 1,
+			'param_name'     => 'tag_name',
+		],
+		'wp_kses' => [
+			'param_position' => 1,
+			'param_name'     => 'content',
+		],
+		'wp_kses_data' => [
+			'param_position' => 1,
+			'param_name'     => 'data',
+		],
+		'wp_kses_one_attr' => [
+			'param_position' => 1,
+			'param_name'     => 'attr',
+		],
+		'wp_kses_post' => [
+			'param_position' => 1,
+			'param_name'     => 'data',
+		],
 	];
 
 	/**
@@ -54,23 +125,26 @@ class EscapingVoidReturnFunctionsSniff extends AbstractFunctionParameterSniff {
 	 * @return void
 	 */
 	public function process_parameters( $stackPtr, $group_name, $matched_content, $parameters ) {
-		$next_token = $this->phpcsFile->findNext( Tokens::$emptyTokens, $stackPtr + 1, null, true );
-		if ( $this->tokens[ $next_token ]['code'] !== T_OPEN_PARENTHESIS ) {
-			// Not a function call.
+		$param_position = $this->target_functions[ $matched_content ]['param_position'];
+		$param_name     = $this->target_functions[ $matched_content ]['param_name'];
+
+		$target_param = PassedParameters::getParameterFromStack( $parameters, $param_position, $param_name );
+		if ( $target_param === false ) {
+			// Missing (required) target parameter. Probably live coding, nothing to examine (yet). Bow out.
 			return;
 		}
 
 		$ignore                   = Tokens::$emptyTokens;
 		$ignore[ T_NS_SEPARATOR ] = T_NS_SEPARATOR;
 
-		$next_token = $this->phpcsFile->findNext( $ignore, $next_token + 1, null, true );
-		if ( $this->tokens[ $next_token ]['code'] !== T_STRING ) {
+		$next_token = $this->phpcsFile->findNext( $ignore, $target_param['start'], ( $target_param['end'] + 1 ), true );
+		if ( $next_token === false || $this->tokens[ $next_token ]['code'] !== T_STRING ) {
 			// Not what we are looking for.
 			return;
 		}
 
-		$next_after = $this->phpcsFile->findNext(Tokens::$emptyTokens, $next_token + 1, null, true );
-		if ( $this->tokens[ $next_after ]['code'] !== T_OPEN_PARENTHESIS ) {
+		$next_after = $this->phpcsFile->findNext( Tokens::$emptyTokens, $next_token + 1, ( $target_param['end'] + 1 ), true );
+		if ( $next_after === false || $this->tokens[ $next_after ]['code'] !== T_OPEN_PARENTHESIS ) {
 			// Not a function call inside the escaping function.
 			return;
 		}

WordPressVIPMinimum/Tests/Security/EscapingVoidReturnFunctionsUnitTest.inc

@@ -79,3 +79,22 @@ tag_escape( _e() ); // Bad.
 // Bug: these are not function calls inside.
 esc_attr__( User_Error::CONSTANT_NAME, ); // OK.
 esc_js( _doing_it_wrong::class ); // OK, PHP 5.5 ::class resolution.
+
+// Safeguard handling of function calls using PHP 8.0+ named parameters.
+esc_attr_x( context: get_context(), domain: _e(),); // OK, well, not really, missing required $text param, but that's not the concern of this sniff.
+esc_url_raw(protocols: $protocols, url: $url); // OK.
+wp_kses_one_attr(element: $element, att: trigger_error( $foo ) ); // OK, well, not really, typo in param name, but that's not the concern of the sniff.
+wp_kses( content: \not_deprecated_function( $fn ) ); // OK.
+wp_kses( content: /*comment*/ ); // OK, well, not really, invalid function call, but that's not the concern of the sniff.
+
+esc_html_x(context: $c, text: _doing_it_wrong() ); // Bad.
+wp_kses(allowed_html: $allowed_html, content: printf() ); // Bad.
+esc_url(protocols: $protocols, url: vprintf()); // Bad.
+
+// These are no longer flagged as they are not "escaping" functions for the purpose of this sniff.
+esc_sql( trigger_error( $foo ) ); // OK.
+wp_kses_allowed_html( _deprecated_function() ); // OK.
+
+// These are no longer flagged as these are not the WP native escaping functions, so we don't know what parameter to check.
+esc_something( trigger_error( $foo ) ); // OK.
+wp_kses_page( _deprecated_function() ); // OK.

WordPressVIPMinimum/Tests/Security/EscapingVoidReturnFunctionsUnitTest.php

@@ -43,6 +43,9 @@ public function getErrorList() {
 			72 => 1,
 			73 => 1,
 			77 => 1,
+			90 => 1,
+			91 => 1,
+			92 => 1,
 		];
 	}