
Commit 53be140

BadFunctions/EasyRFI: efficiency fix
As the tokens to search for don't change during a PHPCS run, it is inefficient to use the "expensive" `array_merge()` function 1) within a `while` loop and 2) every time the sniff is triggered by an include/require token. The set of tokens to search for can just as easily be set only once before the sniff is ever triggered and doing so will make the sniff faster.
1 parent a6ac8e5 commit 53be140

2 files changed

+19
-2
lines changed


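--- a/Security/Sniffs/BadFunctions/EasyRFISniff.php
+++ b/Security/Sniffs/BadFunctions/EasyRFISniff.php
@@ -7,12 +7,24 @@
 
 class EasyRFISniff implements Sniff {
 
+/**
+ * Tokens to search for within an include/require statement.
+ *
+ * @var array
+ */
+private $search = [];
+
 /**
  * Returns the token types that this sniff is interested in.
  *
  * @return array(int)
  */
 public function register() {
+// Set the $search property.
+$this->search = \PHP_CodeSniffer\Util\Tokens::$emptyTokens;
+$this->search += \PHP_CodeSniffer\Util\Tokens::$bracketTokens;
+$this->search += \PHPCS_SecurityAudit\Security\Sniffs\Utils::$staticTokens;
+
 return array(T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE);
 }
 
@@ -37,7 +49,7 @@ public function process(File $phpcsFile, $stackPtr) {
 $s = $stackPtr;
 }
 while ($s) {
-$s = $phpcsFile->findNext(array_merge(\PHP_CodeSniffer\Util\Tokens::$emptyTokens, \PHP_CodeSniffer\Util\Tokens::$bracketTokens, \PHPCS_SecurityAudit\Security\Sniffs\Utils::$staticTokens), $s + 1, $closer, true);
+$s = $phpcsFile->findNext($this->search, $s + 1, $closer, true);
 if ($s && $utils::is_token_user_input($tokens[$s])) {
 if (\PHP_CodeSniffer\Config::getConfigData('ParanoiaMode') || !$utils::is_token_false_positive($tokens[$s], $tokens[$s+2])) {
 $phpcsFile->addError('Easy RFI detected because of direct user input with ' . $tokens[$s]['content'] . ' on ' . $tokens[$stackPtr]['content'], $s, 'ErrEasyRFI');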
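Review bot: The new `@var array` docblock and the `// Set the $search property.` comment in register() record neither what the set is for nor the array shape the `+` unions depend on. The property is handed to `findNext()` with a `true` fourth argument on the new line 52, which looks like PHPCS's `$exclude` flag, so "Tokens to search for" reads backwards; I would describe it as the token codes to skip while walking the include/require expression (whitespace/comments, brackets and static literals). Array union keeps left-hand keys, so every operand must be keyed by token code (`T_X => T_X`) — presumably why `Utils::$staticTokens` is reshaped in this same commit — and a list-shaped operand would be merged by numeric index and silently drop entries; state that contract in the docblock and tighten the type to `@var array<int|string, int|string>`. Replace the what-comment with the why: `// Built once: findNext() runs in a loop for every include/require and these token sets never change during a run.`. process() starts and ends outside the second hunk.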

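--- a/Security/Sniffs/Utils.php
+++ b/Security/Sniffs/Utils.php
@@ -3,7 +3,12 @@
 class Utils {
 
 // Tokens that can't containts or use any variables (so no user input)
-public static $staticTokens = array(T_CONSTANT_ENCAPSED_STRING, T_COMMA, T_LNUMBER, T_DNUMBER);
+public static $staticTokens = array(
+T_CONSTANT_ENCAPSED_STRING => T_CONSTANT_ENCAPSED_STRING,
+T_COMMA => T_COMMA,
+T_LNUMBER => T_LNUMBER,
+T_DNUMBER => T_DNUMBER,
+);
 
 /**
  * Heavy used function to verify if a string from a token contains user input
</future_update>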
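Review bot: The reshaped `$staticTokens` keeps the same values, so callers that read it with `in_array()` or pass it to `findNext()` are unaffected, but the `T_X => T_X` keying is now a contract that any caller combining it with array union `+` or probing it with `isset()` depends on, and nothing in the file records it. The one-line comment above the property only says what the tokens mean; I would turn it into a docblock that also states the shape, for example `/** Token codes that can never carry user input (constant strings, numbers, commas). Keyed by token code (T_X => T_X) so it can be unioned with PHPCS's Tokens::$… sets. @var array<int|string, int|string> */`, which also fixes the `containts` typo. Whether `T_COMMA` belongs with "static" literals rather than being a plain separator is worth a word in that comment, since the set is used to skip tokens when hunting for user input.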
