<?php
/**
* WordPressVIPMinimum_Sniffs_JS_WindowSniff.
*
* @package VIPCS\WordPressVIPMinimum
*/
namespace WordPressVIPMinimum\Sniffs\JS;
use PHP_CodeSniffer\Util\Tokens;
use WordPressVIPMinimum\Sniffs\Sniff;
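/**
 * WordPressVIPMinimum_Sniffs_JS_WindowSniff.
 *
 * Looks for instances of window properties that should be flagged.
 *
 * The flagged properties (`window.location.*`, `window.name`, `window.status`)
 * carry data that originates from the URL or from other documents, so a value
 * read from them may be attacker-controlled. Reading one of them is reported as
 * an error unless it is a plain variable assignment, which is reported as a
 * warning so the value can be checked where it is later used.
 */
class WindowSniff extends Sniff {

	/**
	 * A list of tokenizers this sniff supports.
	 *
	 * @var string[]
	 */
	public $supportedTokenizers = [ 'JS' ];

	/**
	 * List of window properties that need to be flagged.
	 *
	 * A top-level value of `true` flags the property itself; a nested array
	 * lists the sub-properties that are flagged (e.g. `window.location.href`).
	 *
	 * @var array<string, bool|array<string, bool>>
	 */
	private $windowProperties = [
		'location' => [
			'href'     => true,
			'protocol' => true,
			'host'     => true,
			'hostname' => true,
			'pathname' => true,
			'search'   => true,
			'hash'     => true,
			'username' => true,
			'port'     => true,
			'password' => true,
		],
		'name'     => true,
		'status'   => true,
	];

	/**
	 * Returns an array of tokens this test wants to listen for.
	 *
	 * @return array<int|string>
	 */
	public function register() {
		return [
			T_STRING,
		];
	}

	/**
	 * Processes this test, when one of its tokens is encountered.
	 *
	 * Walks forward from a `window` token over a `.prop` or `['prop']` accessor
	 * (and optionally one more accessor for a sub-property) and reports the
	 * access when the property is listed in $windowProperties. Each token lookup
	 * is checked for `false` explicitly: indexing `$this->tokens` with `false`
	 * would silently read token 0 instead of bailing.
	 *
	 * @param int $stackPtr The position of the current token in the stack passed in $tokens.
	 *
	 * @return void
	 */
	public function process_token( $stackPtr ) {
		if ( $this->tokens[ $stackPtr ]['content'] !== 'window' ) {
			// Doesn't begin with 'window', bail.
			return;
		}

		$accessorPtr = $this->phpcsFile->findNext( Tokens::$emptyTokens, $stackPtr + 1, null, true, null, true );
		if ( $accessorPtr === false || ! $this->is_accessor( $accessorPtr ) ) {
			// No . or [' next, bail.
			return;
		}

		$propertyPtr = $this->phpcsFile->findNext( Tokens::$emptyTokens, $accessorPtr + 1, null, true, null, true );
		if ( $propertyPtr === false ) {
			// Something went wrong, bail.
			return;
		}

		$property = $this->get_property_name( $propertyPtr );
		if ( ! isset( $this->windowProperties[ $property ] ) ) {
			// Not in $windowProperties, bail.
			return;
		}

		// Skip a closing `]` so that `window['location']['href']` is handled like `window.location.href`.
		$subAccessorPtr = $this->phpcsFile->findNext( array_merge( [ T_CLOSE_SQUARE_BRACKET ], Tokens::$emptyTokens ), $propertyPtr + 1, null, true, null, true );
		$subProperty    = false;

		if ( $subAccessorPtr !== false && $this->is_accessor( $subAccessorPtr ) ) {
			$subPropertyPtr = $this->phpcsFile->findNext( Tokens::$emptyTokens, $subAccessorPtr + 1, null, true, null, true );
			if ( $subPropertyPtr === false ) {
				// Something went wrong, bail.
				return;
			}

			$subProperty = $this->get_property_name( $subPropertyPtr );

			// A sub-property is only reported when it is listed under its parent; a
			// parent flagged as a whole (`true`) has no listed sub-properties, so e.g.
			// `window.name.length` is not reported. Kept as before — TODO confirm intent.
			if ( ! is_array( $this->windowProperties[ $property ] )
				|| ! isset( $this->windowProperties[ $property ][ $subProperty ] )
			) {
				// Not in $windowProperties, bail.
				return;
			}
		}

		$windowProperty = 'window.' . $property;
		if ( $subProperty !== false ) {
			$windowProperty .= '.' . $subProperty;
		}
		$data = [ $windowProperty ];

		$prevTokenPtr = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $stackPtr - 1, null, true, null, true );
		if ( $prevTokenPtr !== false && $this->tokens[ $prevTokenPtr ]['code'] === T_EQUAL ) {
			// Variable assignment: the value is stored, not output, so only warn.
			$message = 'Data from JS global "%s" may contain user-supplied values and should be checked.';
			$this->phpcsFile->addWarning( $message, $stackPtr, 'VarAssignment', $data );
			return;
		}

		// Any other use is treated as a sink; the error code is the top-level property name.
		$message = 'Data from JS global "%s" may contain user-supplied values and should be sanitized before output to prevent XSS.';
		$this->phpcsFile->addError( $message, $stackPtr, $property, $data );
	}

	/**
	 * Whether the token at $ptr is a property accessor (`.` or `[`).
	 *
	 * @param int $ptr The position of the token to inspect.
	 *
	 * @return bool
	 */
	private function is_accessor( $ptr ) {
		$code = $this->tokens[ $ptr ]['code'];

		return $code === T_OBJECT_OPERATOR || $code === T_OPEN_SQUARE_BRACKET;
	}

	/**
	 * Returns the property name held by the token at $ptr.
	 *
	 * Quotes are stripped so that `window['location']` and `window.location`
	 * yield the same name.
	 *
	 * @param int $ptr The position of the property token.
	 *
	 * @return string
	 */
	private function get_property_name( $ptr ) {
		return str_replace( [ '"', "'" ], '', $this->tokens[ $ptr ]['content'] );
	}
}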