PHPCSStandards / PHPCSExtra

A collection of code standards for use with PHP_CodeSniffer
GNU Lesser General Public License v3.0

Potential new sniff: scan code for "Trojan source" #286

Open jrfnl opened 10 months ago

jrfnl commented 10 months ago

Report from https://github.com/squizlabs/PHP_CodeSniffer/issues/3465:

A new security advisory and associated article have recently been published about an attack vector called "Trojan Source", and someone has already suggested to me that I write a sniff to detect this pattern.

The trick is to use Unicode control characters to reorder tokens in source code at the encoding level. These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens. Compilers and interpreters adhere to the logical ordering of source code, not the visual order.

A sniff could be written to detect these specific Unicode control characters in files and flag them. The attack has been confirmed to work in JS, but I expect it to also work in PHP, even though PHP is not mentioned in the paper. Will test this, of course, to confirm.

Would this be a sniff which would be acceptable for PHPCS itself (in a new Generic - Security category) or should I prepare it for one of the external standards?

For the test data, I'd need a combination of both the typical attacks as well as text strings/comments with legitimate uses of those code points to prevent false positives. That last part will probably be the hardest to handle, so code samples for that would be helpful to receive.

Links to info about Trojan Source:


The Security standard was my first thought, unfortunately I know from experience that that standard is not being actively maintained, so chances of the sniff ever getting merged are slim to none.

The repo for the standard is here: https://github.com/FloeDesignTechnologies/phpcs-security-audit/

When I finally have some breathing room again, I may consider taking over that standard or starting a fork which will be actively maintained, but that may be a while yet.

I might just create a sniff for this anyway and pull it to PHPCSExtra for now.
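As an added example (not code from this issue or from PHPCSExtra), a minimal PHP_CodeSniffer sniff that flags the Unicode bidirectional control characters the Trojan Source paper relies on, reporting the code point, its name and the token type it was found in so a reviewer can judge legitimate uses in strings and comments. The namespace and class name are hypothetical; it assumes PHPCS 3.x and PHP 7.1+.

```php
<?php
// Added example, not part of PHPCSExtra: namespace and class name are hypothetical.
namespace PHPCSExtra\Universal\Sniffs\Security;

use PHP_CodeSniffer\Files\File;
use PHP_CodeSniffer\Sniffs\Sniff;

final class TrojanSourceSniff implements Sniff
{
    /** Bidi control code points used by the Trojan Source technique, keyed by code point. */
    private const BIDI_CONTROLS = [
        0x202A => 'LRE', 0x202B => 'RLE', 0x202C => 'PDF', 0x202D => 'LRO', 0x202E => 'RLO',
        0x2066 => 'LRI', 0x2067 => 'RLI', 0x2068 => 'FSI', 0x2069 => 'PDI',
    ];

    /** Hook the first token of the file; process() then scans the whole token stream once. */
    public function register()
    {
        return [T_OPEN_TAG, T_INLINE_HTML];
    }

    public function process(File $phpcsFile, $stackPtr)
    {
        $tokens  = $phpcsFile->getTokens();
        $pattern = '/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u';

        foreach ($tokens as $ptr => $token) {
            if (preg_match_all($pattern, $token['content'], $matches) < 1) {
                continue;
            }
            foreach ($matches[0] as $char) {
                // All flagged code points are three-byte UTF-8 sequences (U+0800..U+FFFF),
                // so the code point can be decoded without mbstring.
                $codePoint = ((ord($char[0]) & 0x0F) << 12)
                    | ((ord($char[1]) & 0x3F) << 6)
                    | (ord($char[2]) & 0x3F);

                $phpcsFile->addError(
                    'Unicode bidirectional control character U+%04X (%s) found in %s; it can reorder how source is displayed ("Trojan Source")',
                    $ptr,
                    'BidiControlFound',
                    [$codePoint, self::BIDI_CONTROLS[$codePoint], $token['type']]
                );
            }
        }

        // The whole file has been checked; returning the token count stops PHPCS from calling process() again.
        return $phpcsFile->numTokens;
    }
}
```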