From 93db5cdbff0e7bbda275a2ad4e754d9635ce8cc2 Mon Sep 17 00:00:00 2001 From: David Binovec Date: Fri, 18 Aug 2017 20:50:22 +0000 Subject: [PATCH 1/3] Detect Basic Auth implementation in PHP Basic Auth should not be set via PHP. This commit adds new sniff which is producing errors in case it spots `$_SERVER['PHP_AUTH_PW']` in the code. Unit tests are included. --- .../Sniffs/Variables/ServerVariablesSniff.php | 69 +++++++++++++++++++ .../Variables/ServerVariablesUnitTest.inc | 5 ++ .../Variables/ServerVariablesUnitTest.php | 40 +++++++++++ 3 files changed, 114 insertions(+) create mode 100644 WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php create mode 100644 WordPressVIPMinimum/Tests/Variables/ServerVariablesUnitTest.inc create mode 100644 WordPressVIPMinimum/Tests/Variables/ServerVariablesUnitTest.php diff --git a/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php b/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php new file mode 100644 index 00000000..d57c899e --- /dev/null +++ b/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php @@ -0,0 +1,69 @@ +getTokens(); + + if ( '$_SERVER' !== $tokens[ $stackPtr ]['content'] ) { + // Not the variable we are looking for. + return; + } + + $variableNamePtr = $phpcsFile->findNext( array( T_CONSTANT_ENCAPSED_STRING ), ($stackPtr + 1), null, false, null, true ); + $variableName = str_replace( "'", '', $tokens[$variableNamePtr]['content'] ); + + if ( false === in_array( $variableName, $this->restrictedVariables , true ) ) { + // Not the variable we are looking for. + return; + } + + $phpcsFile->addError( 'Basic authentication should not be handled via PHP code.', $stackPtr, 'ServerVariables' ); + } + +} // End class. diff --git a/WordPressVIPMinimum/Tests/Variables/ServerVariablesUnitTest.inc b/WordPressVIPMinimum/Tests/Variables/ServerVariablesUnitTest.inc new file mode 100644 index 00000000..52bb9707 --- /dev/null 
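Review bot: The key comparison in `process()` strips only single quotes (`str_replace( "'", '', … )`), so `$_SERVER["PHP_AUTH_PW"]`, which also tokenizes as `T_CONSTANT_ENCAPSED_STRING`, keeps its double quotes and cannot match an unquoted entry in `$this->restrictedVariables`; the sniff would miss that spelling. Trimming both quote styles closes the gap: `$variableName = trim( $tokens[ $variableNamePtr ]['content'], '\'"' );`. `findNext()` can also return `false` when no string literal follows in the statement (for example `$_SERVER[ $key ]`), and the result is used as an array index unchecked, so add `if ( false === $variableNamePtr ) { return; }` before the lookup. Patches 2/3 and 3/3 only change spacing on these lines, so both points still apply to the final code, and the test fixture should gain a double-quoted case. The class header, the restricted list and the start of `process()` are not visible on this page, so the list contents are assumed from the commit message.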
+++ b/WordPressVIPMinimum/Tests/Variables/ServerVariablesUnitTest.inc @@ -0,0 +1,5 @@ + => + */ + public function getErrorList() { + return array( + 3 => 1, + ); + } + + /** + * Returns the lines where warnings should occur. + * + * @return array => + */ + public function getWarningList() { + return array(); + + } + +} // End class. From 130a2d0ad6fb4e1b8d32d86b420879de1d6805c4 Mon Sep 17 00:00:00 2001 From: David Binovec Date: Wed, 29 Nov 2017 18:26:38 +0000 Subject: [PATCH 2/3] Addressing code style violations --- WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php b/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php index d57c899e..bed6c75f 100644 --- a/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php +++ b/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php @@ -56,7 +56,7 @@ public function process( File $phpcsFile, $stackPtr ) { } $variableNamePtr = $phpcsFile->findNext( array( T_CONSTANT_ENCAPSED_STRING ), ($stackPtr + 1), null, false, null, true ); - $variableName = str_replace( "'", '', $tokens[$variableNamePtr]['content'] ); + $variableName = str_replace( "'", '', $tokens[ $variableNamePtr ]['content'] ); if ( false === in_array( $variableName, $this->restrictedVariables , true ) ) { // Not the variable we are looking for. From ee9427729a6d0f874bcc3d3e6cb52a5c46b02337 Mon Sep 17 00:00:00 2001 From: David Binovec Date: Wed, 29 Nov 2017 18:30:37 +0000 Subject: [PATCH 3/3] Moar PHPCS fixes. The report I have been working against was quite outdated :) --- .../Sniffs/Variables/ServerVariablesSniff.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php b/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php index bed6c75f..a414c9c7 100644 
--- a/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php
+++ b/WordPressVIPMinimum/Sniffs/Variables/ServerVariablesSniff.php
@@ -55,10 +55,10 @@ public function process( File $phpcsFile, $stackPtr ) {
 return;
 }
 
- $variableNamePtr = $phpcsFile->findNext( array( T_CONSTANT_ENCAPSED_STRING ), ($stackPtr + 1), null, false, null, true );
- $variableName = str_replace( "'", '', $tokens[ $variableNamePtr ]['content'] );
+ $variableNamePtr = $phpcsFile->findNext( array( T_CONSTANT_ENCAPSED_STRING ), ( $stackPtr + 1 ), null, false, null, true );
+ $variableName = str_replace( "'", '', $tokens[ $variableNamePtr ]['content'] );
 
- if ( false === in_array( $variableName, $this->restrictedVariables , true ) ) {
+ if ( false === in_array( $variableName, $this->restrictedVariables, true ) ) {
 // Not the variable we are looking for.
 return;
 }