Merge pull request #633 from grappler/feature/discouraged-functions

Modularizing the discouraged functions
WordPress · Dec 30, 2016 · a92b51b · a92b51b
2 parents c079afb + 33b9489
commit a92b51b
Show file tree

Hide file tree

Showing 29 changed files with 2,226 additions and 340 deletions.
diff --git a/WordPress-Extra/ruleset.xml b/WordPress-Extra/ruleset.xml
@@ -5,6 +5,7 @@
 	<!-- Generic PHP best practices.
 		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/382 -->
 	<rule ref="Generic.PHP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
 	<rule ref="Generic.PHP.ForbiddenFunctions"/>
 	<rule ref="Generic.Functions.CallTimePassByReference"/>
 	<rule ref="Generic.Formatting.DisallowMultipleStatements"/>
@@ -34,7 +35,15 @@
 		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/73 -->
 	<rule ref="WordPress.CSRF.NonceVerification" />
 
-	<rule ref="WordPress.PHP.DiscouragedFunctions"/>
+	<rule ref="WordPress.PHP.DevelopmentFunctions"/>
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions">
+		<!-- WP core still supports PHP 5.2+  -->
+		<exclude name="WordPress.WP.DiscouragedFunctions.create_function" />
+	</rule>
+	<rule ref="WordPress.PHP.RestrictedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.AlternativeFunctions"/>
+	<rule ref="WordPress.WP.DiscouragedFunctions"/>
 
 	<!-- Scripts & style should be enqueued.
 		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/35 -->

diff --git a/WordPress-VIP/ruleset.xml b/WordPress-VIP/ruleset.xml
@@ -35,7 +35,45 @@
 	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#commented-out-code-debug-code-or-output -->
 	<rule ref="Squiz.PHP.CommentedOutCode" />
 
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#eval-and-create_function -->
+	<rule ref="WordPress.PHP.RestrictedFunctions" />
+
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#eval-and-create_function -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#serializing-data -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#encoding-values-used-when-creating-a-url-or-passed-to-add_query_arg -->
+	<!-- https://github.com/Automattic/vip-scanner/blob/master/vip-scanner/checks/ForbiddenPHPFunctionsCheck.php -->
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions">
+		<!-- https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/633#issuecomment-266634811 -->
+		<exclude name="WordPress.PHP.DiscouragedPHPFunctions.obfuscation" />
+	</rule>
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#settings-alteration -->
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions.runtime_configuration">
+		<type>error</type>
+	</rule>
+
+	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#commented-out-code-debug-code-or-output -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions" />
+	<rule ref="WordPress.PHP.DevelopmentFunctions.error_log">
+		<type>error</type>
+	</rule>
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#settings-alteration -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure">
+		<type>error</type>
+	</rule>
+
 	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#using-in_array-without-strict-parameter -->
 	<rule ref="WordPress.PHP.StrictInArray" />
 
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_parse_url-instead-of-parse_url -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_json_encode-over-json_encode -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#filesystem-writes -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#remote-calls -->
+	<rule ref="WordPress.WP.AlternativeFunctions" />
+	<!-- VIP recommends other functions -->
+	<rule ref="WordPress.WP.AlternativeFunctions.curl">
+		<message>Using cURL functions is highly discouraged within VIP context. Check (Fetching Remote Data) on VIP Documentation.</message>
+	</rule>
+	<rule ref="WordPress.WP.AlternativeFunctions.file_get_contents">
+		<message>%s() is highly discouraged, please use vip_safe_wp_remote_get() instead.</message>
+	</rule>
 </ruleset>
diff --git a/WordPress/AbstractFunctionRestrictionsSniff.php b/WordPress/AbstractFunctionRestrictionsSniff.php
@@ -97,7 +97,7 @@ public function register() {
 	 * Set up the regular expressions for each group.
 	 *
 	 * @param string $key The group array index key where the input for the regular expression can be found.
-	 * @return bool True is the groups were setup. False if not.
+	 * @return bool True if the groups were setup. False if not.
 	 */
 	protected function setup_groups( $key ) {
 		// Prepare the function group regular expressions only once.

diff --git a/WordPress/Sniffs/PHP/DevelopmentFunctionsSniff.php b/WordPress/Sniffs/PHP/DevelopmentFunctionsSniff.php
@@ -0,0 +1,62 @@
+<?php
+/**
+ * WordPress Coding Standard.
+ *
+ * @package WPCS\WordPressCodingStandards
+ * @link    https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
+ * @license https://opensource.org/licenses/MIT MIT
+ */
+
+/**
+ * Restrict the use of various development functions.
+ *
+ * @package WPCS\WordPressCodingStandards
+ *
+ * @since   0.11.0
+ */
+class WordPress_Sniffs_PHP_DevelopmentFunctionsSniff extends WordPress_AbstractFunctionRestrictionsSniff {
+
+	/**
+	 * Groups of functions to restrict.
+	 *
+	 * Example: groups => array(
+	 * 	'lambda' => array(
+	 * 		'type'      => 'error' | 'warning',
+	 * 		'message'   => 'Use anonymous functions instead please!',
+	 * 		'functions' => array( 'eval', 'create_function' ),
+	 * 	)
+	 * )
+	 *
+	 * @return array
+	 */
+	public function getGroups() {
+		return array(
+			'error_log' => array(
+				'type'      => 'warning',
+				'message'   => '%s() found. Debug code should not normally be used in production.',
+				'functions' => array(
+					'error_log',
+					'var_dump',
+					'var_export',
+					'print_r',
+					'trigger_error',
+					'set_error_handler',
+					'debug_backtrace',
+					'debug_print_backtrace',
+					'wp_debug_backtrace_summary',
+				),
+			),
+
+			'prevent_path_disclosure' => array(
+				'type'      => 'warning',
+				'message'   => '%s() can lead to full path disclosure.',
+				'functions' => array(
+					'error_reporting',
+					'phpinfo',
+				),
+			),
+
+		);
+	} // end getGroups()
+
+} // end class
diff --git a/WordPress/Sniffs/PHP/DiscouragedFunctionsSniff.php b/WordPress/Sniffs/PHP/DiscouragedFunctionsSniff.php
@@ -7,65 +7,26 @@
  * @license https://opensource.org/licenses/MIT MIT
  */
 
-if ( ! class_exists( 'Generic_Sniffs_PHP_ForbiddenFunctionsSniff', true ) ) {
-	throw new PHP_CodeSniffer_Exception( 'Class Generic_Sniffs_PHP_ForbiddenFunctionsSniff not found' );
-}
-
 /**
- * Discourages the use of various functions and suggests (WordPress) alternatives.
+ * Discourages the use of various native PHP functions and suggests alternatives.
  *
- * @package WPCS\WordPressCodingStandards
+ * @package    WPCS\WordPressCodingStandards
  *
- * @since   0.1.0
- * @since   0.10.0 The checks for the POSIX functions have been replaced by the stand-alone
- *                 sniff WordPress_Sniffs_PHP_POSIXFunctionsSniff.
+ * @since      0.1.0
+ * @since      0.10.0 The checks for the POSIX functions have been replaced by the stand-alone
+ *                    sniff WordPress_Sniffs_PHP_POSIXFunctionsSniff.
+ * @deprecated 0.11.0 The checks for the PHP development functions have been replaced by the
+ *                    stand-alone sniff WordPress_Sniffs_PHP_DevelopmentFunctionsSniff.
+ *                    The checks for the WP deprecated functions have been replaced by the
+ *                    stand-alone sniff WordPress_Sniffs_WP_DeprecatedFunctionsSniff.
+ *                    The checks for the PHP functions which have a WP alternative has been replaced
+ *                    by the stand-alone sniff WordPress_Sniffs_WP_AlternativeFunctionsSniff.
+ *                    The checks for the WP discouraged functions have been replaced by the
+ *                    stand-alone sniff WordPress_Sniffs_WP_DiscouragedFunctionsSniff.
+ *                    The checks for the PHP discouraged functions have been replaced by the
+ *                    stand-alone sniff WordPress_Sniffs_WP_DiscouragedPHPFunctionsSniff.
+ *                    The check for the `register_globals` has been removed as there is no such
+ *                    function. To check for `register_globals` ini directive use
+ *                    PHPCompatibility_Sniffs_PHP_DeprecatedIniDirectivesSniff from wimg/PHPCompatibility.
  */
-class WordPress_Sniffs_PHP_DiscouragedFunctionsSniff extends Generic_Sniffs_PHP_ForbiddenFunctionsSniff {
-
-	/**
-	 * A list of forbidden functions with their alternatives.
-	 *
-	 * The value is NULL if no alternative exists. I.e. the
-	 * function should just not be used.
-	 *
-	 * @var array(string => string|null)
-	 */
-	public $forbiddenFunctions = array(
-		// Development.
-		'print_r'                  => null,
-		'debug_print_backtrace'    => null,
-		'var_dump'                 => null,
-		'var_export'               => null,
-
-		// Discouraged.
-		'json_encode'              => 'wp_json_encode',
-
-		// WordPress deprecated.
-		'find_base_dir'            => 'WP_Filesystem::abspath',
-		'get_base_dir'             => 'WP_Filesystem::abspath',
-		'dropdown_categories'      => 'wp_link_category_checklist',
-		'dropdown_link_categories' => 'wp_link_category_checklist',
-		'get_link'                 => 'get_bookmark',
-		'get_catname'              => 'get_cat_name',
-		'register_globals'         => null,
-		'wp_setcookie'             => 'wp_set_auth_cookie',
-		'wp_get_cookie_login'      => null,
-		'wp_login'                 => 'wp_signon',
-		'get_the_attachment_link'  => 'wp_get_attachment_link',
-		'get_attachment_icon_src'  => 'wp_get_attachment_image_src',
-		'get_attachment_icon'      => 'wp_get_attachment_image',
-		'get_attachment_innerHTML' => 'wp_get_attachment_image',
-
-		// WordPress discouraged.
-		'query_posts'              => 'WP_Query',
-		'wp_reset_query'           => 'wp_reset_postdata',
-	);
-
-	/**
-	 * If true, an error will be thrown; otherwise a warning.
-	 *
-	 * @var bool
-	 */
-	public $error = false;
-
-} // End class.
+class WordPress_Sniffs_PHP_DiscouragedFunctionsSniff {}
diff --git a/WordPress/Sniffs/PHP/DiscouragedPHPFunctionsSniff.php b/WordPress/Sniffs/PHP/DiscouragedPHPFunctionsSniff.php
@@ -0,0 +1,108 @@
+<?php
+/**
+ * WordPress Coding Standard.
+ *
+ * @package WPCS\WordPressCodingStandards
+ * @link    https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
+ * @license https://opensource.org/licenses/MIT MIT
+ */
+
+/**
+ * Discourages the use of various native PHP functions and suggests alternatives.
+ *
+ * @package WPCS\WordPressCodingStandards
+ *
+ * @since   0.11.0
+ */
+class WordPress_Sniffs_PHP_DiscouragedPHPFunctionsSniff extends WordPress_AbstractFunctionRestrictionsSniff {
+
+	/**
+	 * Groups of functions to discourage.
+	 *
+	 * Example: groups => array(
+	 * 	'lambda' => array(
+	 * 		'type'      => 'error' | 'warning',
+	 * 		'message'   => 'Use anonymous functions instead please!',
+	 * 		'functions' => array( 'eval', 'create_function' ),
+	 * 	)
+	 * )
+	 *
+	 * @return array
+	 */
+	public function getGroups() {
+		return array(
+			'create_function' => array(
+				'type'      => 'warning',
+				'message'   => '%s() is discouraged, please use anonymous functions instead.',
+				'functions' => array(
+					'create_function',
+				),
+			),
+
+			'serialize' => array(
+				'type'      => 'warning',
+				'message'   => '%s() found. Serialized data has known vulnerability problems with Object Injection. JSON is generally a better approach for serializing data. See https://www.owasp.org/index.php/PHP_Object_Injection',
+				'functions' => array(
+					'serialize',
+					'unserialize',
+				),
+			),
+
+			'urlencode' => array(
+				'type'      => 'warning',
+				'message'   => '%s() should only be used when dealing with legacy applications rawurlencode() should now be used instead. See http://php.net/manual/en/function.rawurlencode.php and http://www.faqs.org/rfcs/rfc3986.html',
+				'functions' => array(
+					'urlencode',
+				),
+			),
+
+			'runtime_configuration' => array(
+				'type'      => 'warning',
+				'message'   => '%s() found. Changing configuration at runtime is rarely necessary.',
+				'functions' => array(
+					'error_reporting',
+					'ini_alter',
+					'ini_restore',
+					'ini_set',
+					'apache_setenv',
+					'putenv',
+					'set_include_path',
+					'restore_include_path',
+					// This alias was DEPRECATED in PHP 5.3.0, and REMOVED as of PHP 7.0.0.
+					'magic_quotes_runtime',
+					// Warning This function was DEPRECATED in PHP 5.3.0, and REMOVED as of PHP 7.0.0.
+					'set_magic_quotes_runtime',
+					// Warning This function was removed from most SAPIs in PHP 5.3.0, and was removed from PHP-FPM in PHP 7.0.0.
+					'dl',
+				),
+			),
+
+			'system_calls' => array(
+				'type'      => 'warning',
+				'message'   => '%s() found. PHP system calls are often disabled by server admins.',
+				'functions' => array(
+					'exec',
+					'passthru',
+					'proc_open',
+					'shell_exec',
+					'system',
+					'popen',
+				),
+			),
+
+			'obfuscation' => array(
+				'type'      => 'warning',
+				'message'   => '%s() can be used to obfuscate code which is strongly discouraged. Please verify that the function is used for benign reasons.',
+				'functions' => array(
+					'base64_decode',
+					'base64_encode',
+					'convert_uudecode',
+					'convert_uuencode',
+					'str_rot13',
+				),
+			),
+
+		);
+	} // end getGroups()
+
+} // End class.
diff --git a/WordPress/Sniffs/PHP/POSIXFunctionsSniff.php b/WordPress/Sniffs/PHP/POSIXFunctionsSniff.php
@@ -17,7 +17,7 @@
  * @package WPCS\WordPressCodingStandards
  *
  * @since   0.10.0 Previously this check was contained within WordPress_Sniffs_VIP_RestrictedFunctionsSniff
- *                 and the WordPress_Sniffs_PHP_DiscouragedFunctionsSniff.
+ *                 and the WordPress_Sniffs_PHP_DiscouragedPHPFunctionsSniff.
  */
 class WordPress_Sniffs_PHP_POSIXFunctionsSniff extends WordPress_AbstractFunctionRestrictionsSniff {
 
@@ -38,7 +38,7 @@ public function getGroups() {
 		return array(
 			'ereg' => array(
 				'type'      => 'error',
-				'message'   => '%s has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_match() instead.',
+				'message'   => '%s() has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_match() instead.',
 				'functions' => array(
 					'ereg',
 					'eregi',
@@ -48,7 +48,7 @@ public function getGroups() {
 
 			'ereg_replace' => array(
 				'type'      => 'error',
-				'message'   => '%s has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_replace() instead.',
+				'message'   => '%s() has been deprecated since PHP 5.3 and removed in PHP 7.0, please use preg_replace() instead.',
 				'functions' => array(
 					'ereg_replace',
 					'eregi_replace',
@@ -57,7 +57,7 @@ public function getGroups() {
 
 			'split' => array(
 				'type'      => 'error',
-				'message'   => '%s  has been deprecated since PHP 5.3 and removed in PHP 7.0, please use explode(), str_split() or preg_split() instead.',
+				'message'   => '%s() has been deprecated since PHP 5.3 and removed in PHP 7.0, please use explode(), str_split() or preg_split() instead.',
 				'functions' => array(
 					'split',
 					'spliti',