Implement RegularExpressionQuotingRule #3252
Conversation
|
//cc @Seldaek |
|
as pointed out by Jordi in phpstan/phpstan#11338 (comment) we could also think about introspecting every string-concatenation which contains a that way this rule would also work for composer/pcre and nette/strings automatically. this could report false-positives though when someone is building a regex out of several independent variables which get concatenated together and also brings the need to check every string concat in the code-base. alternatively we could invoke the rule on all if (Preg::match('{fo'. preg_quote($s) .'+}', $string, $matches))
{
// ...
} one last option could be to create a helper service which can be re-used from rules (similar to Ondrej, what do you think about this use-case/implications? |
clxmstaab
force-pushed
the
quote
branch
2 times, most recently
from
d13063a
to
18a2fbb
Compare
|
This pull request has been marked as ready for review. |
On further consideration, because this is such a rare problem in real life (unless you stick to Just my 2c though :) |
|
but wrong escaping - at best with user provided input - would be a security vulnerability, right? |
|
You could trigger a crash or in really bad cases maybe exploit something further down if you can break a regex validation or so but that's unsure how.. It's not like the good old days anymore where you had the e/execute modifier to call arbitrary functions anymore. That's gone as of php 7.0 |
|
Devil's advocate here: is this really a common mistake we should spend our time on? Also: it'd be much more powerful to express this in the typesystem (but also a bit more complex). If we were able to carry "this is a preg_quoted string with such and such delimiter" in a subclass of ConstantStringType, we'd be able to check more code - that for example first saves the result of But other than that, I'm not sure even if this PR is worth it. I'd much rather have other existing functions like |
|
I don't have a strong opinion on this one. it was easy to implement and sounded useful. I am ok with closing if you guys don't see value in it |
its not forgotten - I promise ;-D |
|
one last data-point, then I am silent
at least on github.com we have ~650k files which use |
|
Yeah I know it's extremely common because some languages like JS have native regex types with |
|
@Seldaek Sorry, I'm too slow. How is JS syntax relevant to quoting strings inside regexes? |
|
I mean in JS you have to define regexes as That means |
|
Should I rebase, or will it be closed? |
|
Alright, I get it, so The problem most often isn't using the wrong delimiter In that case this is definitely a useful addition! |
|
btw: the new rule reports 7 real world bugs in the drupal CI :-) |
| } | ||
|
|
||
| if (!isset($normalizedArgs[1])) { | ||
| return RuleErrorBuilder::message(sprintf('Call to preg_quote() is missing delimiter %s to be effective.', $patternDelimiter)) |
There was a problem hiding this comment.
This doesn't sound really true in context of check for delimiters which get properly escaped by default.
If the delimiter of the regex is one of those characters in the list, then a single-arg call to preg_quote is OK?
There was a problem hiding this comment.
this code was not reached for the case mentioned.
I refactored the code to make it more reasonable.
implements the idea described in phpstan/phpstan#11338 (comment)
closes phpstan/phpstan#11338