FloeDesignTechnologies / phpcs-security-audit

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code
GNU General Public License v3.0

$utils::is_token_false_positive is fiddly and unstable #68

Open jrfnl opened 4 years ago

jrfnl commented 4 years ago

The Utils::is_token_false_positive() method requires sniffs to pass two tokens. The second token is calculated, not retrieved via token walking, and may therefore be incorrect.

The method basically expects code to be written like so:

$_SERVER['key'];

... but all of the below are valid PHP and would fail the check because of the token calculation:

$_SERVER ['key'];
$_SERVER[ 'key' ];
$_SERVER[/*comment*/ 'key' ];
... etc...
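As an added example (not the project's own Utils code and not the fix referenced in this issue), the following shows how a sniff can locate the array-key token by walking the token stack and skipping whitespace and comments, so that all three spellings above resolve to the same `'key'` token. It assumes PHP_CodeSniffer 3.x (the `File` and `Tokens` classes with their `findNext()` and `bracket_closer` conventions); the helper names `find_array_key_token` and `is_literal_string_key` are hypothetical.

```php
<?php
// Added example, not project code. Assumes PHP_CodeSniffer 3.x is autoloaded.
// Token walking replaces "$stackPtr + 2" style arithmetic, which breaks as
// soon as whitespace or a comment sits between the variable and its key.

use PHP_CodeSniffer\Files\File;
use PHP_CodeSniffer\Util\Tokens;

/**
 * Return the stack pointer of the first meaningful token inside the square
 * brackets that follow the variable at $stackPtr, or null when the variable
 * is not followed by `[...]` or the brackets are empty.
 */
function find_array_key_token(File $phpcsFile, int $stackPtr): ?int
{
    $tokens = $phpcsFile->getTokens();

    if (isset($tokens[$stackPtr]) === false || $tokens[$stackPtr]['code'] !== T_VARIABLE) {
        return null;
    }

    // Skip whitespace and comments between the variable and the opening bracket
    // ("$_SERVER ['key']" and "$_SERVER /* c */ ['key']" both land on "[").
    $opener = $phpcsFile->findNext(Tokens::$emptyTokens, ($stackPtr + 1), null, true);
    if ($opener === false
        || $tokens[$opener]['code'] !== T_OPEN_SQUARE_BRACKET
        || isset($tokens[$opener]['bracket_closer']) === false
    ) {
        return null;
    }

    $closer = $tokens[$opener]['bracket_closer'];

    // First non-empty token inside the brackets, bounded by the closer so that
    // "$_SERVER[]" yields null rather than a token that lies past the brackets.
    $key = $phpcsFile->findNext(Tokens::$emptyTokens, ($opener + 1), $closer, true);

    return ($key === false) ? null : $key;
}

/**
 * True when the variable at $stackPtr is indexed by a single literal string,
 * e.g. $_SERVER['HTTP_HOST']; false for computed keys such as $_SERVER[$name]
 * or $_SERVER['a' . $b], which a sniff may want to treat differently.
 */
function is_literal_string_key(File $phpcsFile, int $stackPtr): bool
{
    $tokens = $phpcsFile->getTokens();
    $key    = find_array_key_token($phpcsFile, $stackPtr);
    if ($key === null || $tokens[$key]['code'] !== T_CONSTANT_ENCAPSED_STRING) {
        return false;
    }

    // Anything else before the closing bracket means the key is an expression.
    $opener = $phpcsFile->findNext(Tokens::$emptyTokens, ($stackPtr + 1), null, true);
    $closer = $tokens[$opener]['bracket_closer'];
    $next   = $phpcsFile->findNext(Tokens::$emptyTokens, ($key + 1), $closer, true);

    return ($next === false);
}
```

Inside a sniff, `process(File $phpcsFile, $stackPtr)` registered for `T_VARIABLE` would call `is_literal_string_key($phpcsFile, $stackPtr)` instead of inspecting `$stackPtr + 2` directly; because `Tokens::$emptyTokens` covers both whitespace and comment tokens, the spacing and comment variants listed above all resolve to the same key token.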
jrfnl commented 4 years ago

I have a fix ready for this, but would like to pull it accompanied by unit tests - see #57.