phpstan-safe-rule/src/Rules/UseSafeFunctionsRule.php at 9d145a412aee2a5ed61206c2d8b0fdc6496a6c32 · thecodingmachine/phpstan-safe-rule · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
<?php

namespace TheCodingMachine\Safe\PHPStan\Rules;

use PhpParser\Node;
use PhpParser\Node\Arg;
use PhpParser\Node\Expr;
use PhpParser\Node\Scalar;
use PHPStan\Analyser\Scope;
use PHPStan\Rules\Rule;
use TheCodingMachine\Safe\PHPStan\Rules\Error\SafeFunctionRuleError;
use TheCodingMachine\Safe\PHPStan\Utils\FunctionListLoader;

/**
 * This rule checks that no "unsafe" functions are used in code.
 *
 * @implements Rule<Node\Expr\FuncCall>
 */
class UseSafeFunctionsRule implements Rule
{
    /**
     * @see JSON_THROW_ON_ERROR
     */
    const JSON_THROW_ON_ERROR = 4194304;

    public function getNodeType(): string
    {
        return Node\Expr\FuncCall::class;
    }

    public function processNode(Node $node, Scope $scope): array
    {
        $nodeName = $node->name;
        if (!$nodeName instanceof Node\Name) {
            return [];
        }
        $functionName = $nodeName->toString();
        $unsafeFunctions = FunctionListLoader::getFunctionList();

        if (isset($unsafeFunctions[$functionName])) {
            if ($functionName === "json_decode" || $functionName === "json_encode") {
                foreach ($node->args as $arg) {
                    if ($arg instanceof Node\Arg &&
                        $arg->name instanceof Node\Identifier &&
                        $arg->name->toLowerString() === "flags"
                    ) {
                        if ($this->argValueIncludeJSONTHROWONERROR($arg)) {
                            return [];
                        }
                    }
                }
            }

            if ($functionName === "json_decode"
                && $this->argValueIncludeJSONTHROWONERROR($node->getArgs()[3] ?? null)
            ) {
                return [];
            }

            if ($functionName === "json_encode"
                && $this->argValueIncludeJSONTHROWONERROR($node->getArgs()[1] ?? null)
            ) {
                return [];
            }

            return [new SafeFunctionRuleError($nodeName, $node->getStartLine())];
        }

        return [];
    }

    private function argValueIncludeJSONTHROWONERROR(?Arg $arg): bool
    {
        if ($arg === null) {
            return false;
        }

        $parseValue = static function ($expr, array $options) use (&$parseValue): array {
            if ($expr instanceof Expr\BinaryOp\BitwiseOr) {
                return array_merge($parseValue($expr->left, $options), $parseValue($expr->right, $options));
            } elseif ($expr instanceof Expr\ConstFetch) {
                return array_merge($options, $expr->name->getParts());
            } elseif ($expr instanceof Scalar\Int_) {
                return array_merge($options, [$expr->value]);
            } else {
                return $options;
            }
        };
        $options = $parseValue($arg->value, []);

        if (in_array("JSON_THROW_ON_ERROR", $options, true)) {
            return true;
        }

        $intOptions = array_filter($options, function (mixed $option): bool {
            return is_int($option);
        });

        foreach ($intOptions as $option) {
            if (($option & self::JSON_THROW_ON_ERROR) === self::JSON_THROW_ON_ERROR) {
                return true;
            }
        }

        return false;
    }
}