Modularizing the discouraged functions

WordPress-Extra/ruleset.xml

@@ -29,7 +29,12 @@
 
 	<rule ref="WordPress.XSS.EscapeOutput"/>
 	<rule ref="WordPress.CSRF.NonceVerification" />
+	<rule ref="WordPress.PHP.DevelopmentFunctions"/>
 	<rule ref="WordPress.PHP.DiscouragedFunctions"/>
+	<rule ref="WordPress.PHP.RestrictedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.AlternativeFunctions"/>
+	<rule ref="WordPress.WP.DiscouragedFunctions"/>
 	<rule ref="WordPress.WP.EnqueuedResources"/>
 	<rule ref="WordPress.Variables.GlobalVariables"/>
 	<rule ref="WordPress.PHP.StrictComparisons" />

WordPress-VIP/ruleset.xml

@@ -14,6 +14,27 @@
 	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#commented-out-code-debug-code-or-output -->
 	<rule ref="Squiz.PHP.CommentedOutCode" />
 
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#eval-and-create_function -->
+	<!--https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#settings-alteration -->
+	<rule ref="WordPress.PHP.RestrictedFunctions" />
+
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#eval-and-create_function -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#serializing-data -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#encoding-values-used-when-creating-a-url-or-passed-to-add_query_arg -->
+	<rule ref="WordPress.PHP.DiscouragedFunctions" />
+
+	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#commented-out-code-debug-code-or-output -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions" />
+
 	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#using-in_array-without-strict-parameter -->
 	<rule ref="WordPress.PHP.StrictInArray" />
+
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_parse_url-instead-of-parse_url -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_json_encode-over-json_encode -->
+	<rule ref="WordPress.WP.AlternativeFunctions">
+		<properties>
+			<!-- VIP recommends other functions -->
+			<property name="exclude" value="curl,file_get_contents"/>
+		</properties>
+	</rule>
 </ruleset>

WordPress/Sniffs/PHP/DevelopmentFunctionsSniff.php

@@ -0,0 +1,62 @@
+<?php
+/**
+ * WordPress Coding Standard.
+ *
+ * @package WPCS\WordPressCodingStandards
+ * @link    https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
+ * @license https://opensource.org/licenses/MIT MIT
+ */
+
+/**
+ * Restrict the use of various development functions.
+ *
+ * @package WPCS\WordPressCodingStandards
+ *
+ * @since   0.11.0
+ */
+class WordPress_Sniffs_PHP_DevelopmentFunctionsSniff extends WordPress_AbstractFunctionRestrictionsSniff {
+
+	/**
+	 * Groups of functions to restrict.
+	 *
+	 * Example: groups => array(
+	 * 	'lambda' => array(
+	 * 		'type'      => 'error' | 'warning',
+	 * 		'message'   => 'Use anonymous functions instead please!',
+	 * 		'functions' => array( 'eval', 'create_function' ),
+	 * 	)
+	 * )
+	 *
+	 * @return array
+	 */
+	public function getGroups() {
+		return array(
+			'error_log' => array(
+				'type'      => 'error',
+				'message'   => '%s() Debug code is not to be used in Production',
+				'functions' => array(
+					'error_log',
+					'var_dump',
+					'var_export',
+					'print_r',
+					'trigger_error',
+					'set_error_handler',
+					'debug_backtrace',
+					'debug_print_backtrace',
+					'wp_debug_backtrace_summary',
+				),
+			),
+
+			'prevent_path_disclosure' => array(
+				'type'      => 'error',
+				'message'   => '%s() is prohibited as it can lead to full path disclosure.',
+				'functions' => array(
+					'error_reporting',
+					'phpinfo',
+				),
+			),
+
+		);
+	} // end getGroups()
+
+} // end class

WordPress/Sniffs/PHP/DiscouragedFunctionsSniff.php

@@ -7,65 +7,69 @@
  * @license https://opensource.org/licenses/MIT MIT
  */
 
-if ( ! class_exists( 'Generic_Sniffs_PHP_ForbiddenFunctionsSniff', true ) ) {
-	throw new PHP_CodeSniffer_Exception( 'Class Generic_Sniffs_PHP_ForbiddenFunctionsSniff not found' );
-}
-
 /**
- * Discourages the use of various functions and suggests (WordPress) alternatives.
+ * Discourages the use of various functions and suggests alternatives.
  *
  * @package WPCS\WordPressCodingStandards
  *
  * @since   0.1.0
  * @since   0.10.0 The checks for the POSIX functions have been replaced by the stand-alone
  *                 sniff WordPress_Sniffs_PHP_POSIXFunctionsSniff.
+ * @since   0.11.0 The checks for the PHP development functions have been replaced by the
+ *                 stand-alone sniff WordPress_Sniffs_PHP_DevelopmentFunctionsSniff.
+ *                 The check for the `register_globals` has been removed as there is no such
+ *                 function. To check for `register_globals` ini directive use
+ *                 PHPCompatibility_Sniffs_PHP_DeprecatedIniDirectivesSniff.
+ *                 The checks for the WP deprecated functions have been replaced by the
+ *                 stand-alone sniff WordPress_Sniffs_WP_DeprecatedFunctionsSniff.
+ *                 The checks for the PHP functions which have a WP alternative has been replaced
+ *                 by the stand-alone sniff WordPress_Sniffs_WP_AlternativeFunctionsSniff.
+ *                 The checks for the WP discouraged functions have been replaced by the
+ *                 stand-alone sniff WordPress_Sniffs_WP_DiscouragedFunctionsSniff.
  */
-class WordPress_Sniffs_PHP_DiscouragedFunctionsSniff extends Generic_Sniffs_PHP_ForbiddenFunctionsSniff {
+class WordPress_Sniffs_PHP_DiscouragedFunctionsSniff extends WordPress_AbstractFunctionRestrictionsSniff {
 
 	/**
-	 * A list of forbidden functions with their alternatives.
+	 * Groups of functions to discourage.
 	 *
-	 * The value is NULL if no alternative exists. I.e. the
-	 * function should just not be used.
+	 * Example: groups => array(
+	 * 	'lambda' => array(
+	 * 		'type'      => 'error' | 'warning',
+	 * 		'message'   => 'Use anonymous functions instead please!',
+	 * 		'functions' => array( 'eval', 'create_function' ),
+	 * 	)
+	 * )
 	 *
-	 * @var array(string => string|null)
+	 * @return array
 	 */
-	public $forbiddenFunctions = array(
-		// Development.
-		'print_r'                  => null,
-		'debug_print_backtrace'    => null,
-		'var_dump'                 => null,
-		'var_export'               => null,
-
-		// Discouraged.
-		'json_encode'              => 'wp_json_encode',
+	public function getGroups() {
+		return array(
+			'create_function' => array(
+				'type'      => 'warning',
+				'message'   => '%s() is discouraged, please use anonymous functions instead.',
+				'functions' => array(
+					'create_function',
+				),
+			),
 
-		// WordPress deprecated.
-		'find_base_dir'            => 'WP_Filesystem::abspath',
-		'get_base_dir'             => 'WP_Filesystem::abspath',
-		'dropdown_categories'      => 'wp_link_category_checklist',
-		'dropdown_link_categories' => 'wp_link_category_checklist',
-		'get_link'                 => 'get_bookmark',
-		'get_catname'              => 'get_cat_name',
-		'register_globals'         => null,
-		'wp_setcookie'             => 'wp_set_auth_cookie',
-		'wp_get_cookie_login'      => null,
-		'wp_login'                 => 'wp_signon',
-		'get_the_attachment_link'  => 'wp_get_attachment_link',
-		'get_attachment_icon_src'  => 'wp_get_attachment_image_src',
-		'get_attachment_icon'      => 'wp_get_attachment_image',
-		'get_attachment_innerHTML' => 'wp_get_attachment_image',
+			'serialize' => array(
+				'type'      => 'warning',
+				'message'   => '%s() Serialized data has <a href=\'https://www.owasp.org/index.php/PHP_Object_Injection\'>known vulnerability problems</a> with Object Injection. JSON is generally a better approach for serializing data.',
+				'functions' => array(
+					'serialize',
+					'unserialize',
+				),
+			),
 
-		// WordPress discouraged.
-		'query_posts'              => 'WP_Query',
-		'wp_reset_query'           => 'wp_reset_postdata',
-	);
+			'urlencode' => array(
+				'type'      => 'warning',
+				'message'   => '%s() should only be used when dealing with legacy applications rawurlencode should now de used instead. See http://php.net/manual/en/function.rawurlencode.php and http://www.faqs.org/rfcs/rfc3986.html',
+				'functions' => array(
+					'urlencode',
+				),
+			),
 
-	/**
-	 * If true, an error will be thrown; otherwise a warning.
-	 *
-	 * @var bool
-	 */
-	public $error = false;
+		);
+	} // end getGroups()
 
 } // End class.

WordPress/Sniffs/PHP/POSIXFunctionsSniff.php

@@ -38,7 +38,7 @@ public function getGroups() {
 		return array(
 			'ereg' => array(
 				'type'      => 'error',
-				'message'   => '%s has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_match() instead.',
+				'message'   => '%s() has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_match() instead.',
 				'functions' => array(
 					'ereg',
 					'eregi',
@@ -48,7 +48,7 @@ public function getGroups() {
 
 			'ereg_replace' => array(
 				'type'      => 'error',
-				'message'   => '%s has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_replace() instead.',
+				'message'   => '%s() has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_replace() instead.',
 				'functions' => array(
 					'ereg_replace',
 					'eregi_replace',
@@ -57,7 +57,7 @@ public function getGroups() {
 
 			'split' => array(
 				'type'      => 'error',
-				'message'   => '%s  has been deprecated since PHP 5.3 and removed in PHP 7.0, please use explode(), str_split() or preg_split() instead.',
+				'message'   => '%s()  has been deprecated since PHP 5.3 and removed in PHP 7.0, please use explode(), str_split() or preg_split() instead.',
 				'functions' => array(
 					'split',
 					'spliti',

WordPress/Sniffs/PHP/RestrictedFunctionsSniff.php

@@ -0,0 +1,88 @@
+<?php
+/**
+ * WordPress Coding Standard.
+ *
+ * @package WPCS\WordPressCodingStandards
+ * @link    https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
+ * @license https://opensource.org/licenses/MIT MIT
+ */
+
+/**
+ * Restricts the use of various functions and suggests alternatives.
+ *
+ * @package WPCS\WordPressCodingStandards
+ *
+ * @since   0.11.0
+ */
+class WordPress_Sniffs_PHP_RestrictedFunctionsSniff extends WordPress_AbstractFunctionRestrictionsSniff {
+
+	/**
+	 * Groups of functions to discourage.
+	 *
+	 * Example: groups => array(
+	 * 	'lambda' => array(
+	 * 		'type'      => 'error' | 'warning',
+	 * 		'message'   => 'Use anonymous functions instead please!',
+	 * 		'functions' => array( 'eval', 'create_function' ),
+	 * 	)
+	 * )
+	 *
+	 * @return array
+	 */
+	public function getGroups() {
+		return array(
+			'eval' => array(
+				'type'      => 'error',
+				'message'   => '%s() is not allowed.',
+				'functions' => array(
+					'eval',
+				),
+			),
+
+			'runtime_configuration' => array(
+				'type'      => 'error',
+				'message'   => '%s() is prohibited, changing configuration at runtime should not be done.',
+				'functions' => array(
+					'dl',
+					'error_reporting',
+					'ini_alter',
+					'ini_restore',
+					'ini_set',
+					'magic_quotes_runtime',
+					'set_magic_quotes_runtime',
+					'apache_setenv',
+					'putenv',
+					'set_include_path',
+					'restore_include_path',
+				),
+			),
+
+			'system_calls' => array(
+				'type'      => 'error',
+				'message'   => 'PHP system calls are often disabled by server admins and should not be used. Found %s().',
+				'functions' => array(
+					'exec',
+					'passthru',
+					'proc_open',
+					'shell_exec',
+					'system',
+					'popen',
+				),
+			),
+
+			'obfuscation' => array(
+				'type'      => 'error',
+				'message'   => '%s() is not allowed.',
+				'functions' => array(
+					'base64_decode',
+					'base64_encode',
+					'convert_uudecode',
+					'convert_uuencode',
+					'str_rot13',
+				),
+			),
+
+		);
+	} // end getGroups()
+
+} // End class.