
"Referenced sniff does not exist" error when ruleset was auto-discovered via path traversal #1073

jrfnl opened this issue May 2, 2025 · 0 comments

jrfnl commented May 2, 2025

Describe the bug

If no --standard=... is provided on the command-line, PHPCS will automatically try to find a ruleset with any of the following names: .phpcs.xml, phpcs.xml, .phpcs.xml.dist, phpcs.xml.dist in the current working directory and if it doesn't find one in the current directory, it will traverse up the directory tree trying to find a ruleset file in one of the higher level directories.

If such a ruleset file found in a higher level directory then includes another ruleset file, like a phpcs.xml file using <rule ref="phpcs.xml.dist"/>, an "ERROR: Referenced sniff "phpcs.xml.dist" does not exist." will display.

Any included path found in a ruleset should always be evaluated in relation to the ruleset, but I suspect this rule is broken when path traversal has been used to find a ruleset in a higher level directory.

To reproduce

  1. Create a directory for the test setup with the following directory structure:
    - Dir: toplevel
      - File: `phpcs.xml.dist`
      - File: `phpcs.xml`
      - Dir: subdir
        - File: `test.php`

  2. Put the following contents in the file called phpcs.xml.dist:
    <?xml version="1.0"?>
    <ruleset name="My Custom Standard">
        <rule ref="PSR12"/>
    </ruleset>
  3. Put the following in the file called phpcs.xml:
    <?xml version="1.0"?>
    <ruleset name="Overloaded Custom Standard">
        <rule ref="phpcs.xml.dist"/>
    </ruleset>
  4. Put the following in the file called subdir/test.php:
    <?php
    echo 'hello!';
  5. Navigate to the toplevel/subdir directory.
  6. From within that directory, execute the following command:
    phpcs -ps ./test.php
  7. See the error.

Expected behavior

No error, i.e. for PHPCS to find the phpcs.xml.dist ruleset, include and read it and then execute the scan.

Versions (please complete the following information)

Operating System: not relevant (Windows 10)
PHP version: not relevant (8.4.6)
PHP_CodeSniffer version: master
Standard: see reproduction example
Install type: not relevant (git clone)

Please confirm

  • I have searched the issue list and am not opening a duplicate issue.
  • I have read the Contribution Guidelines and this is not a support question.
  • I confirm that this bug is a bug in PHP_CodeSniffer and not in one of the external standards.
  • I have verified the issue still exists in the master branch of PHP_CodeSniffer.
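
The lookup described in this report, modelled as an added shell example (not code from the issue or from PHP_CodeSniffer, and it does not call phpcs): it builds the fixture from the reproduction steps, walks up from the working directory to discover the ruleset, then resolves the file ref once against the ruleset's directory and once against the working directory. The function names, the precedence of the four file names (taken as the order the report lists them), and the working-directory-relative lookup standing in for the suspected failure are assumptions.

```shell
#!/bin/sh

# Create the fixture from reproduction steps 1-4 under directory $1.
make_fixture() {
    mkdir -p "$1/toplevel/subdir"
    cat > "$1/toplevel/phpcs.xml.dist" <<'EOF'
<?xml version="1.0"?>
<ruleset name="My Custom Standard">
    <rule ref="PSR12"/>
</ruleset>
EOF
    cat > "$1/toplevel/phpcs.xml" <<'EOF'
<?xml version="1.0"?>
<ruleset name="Overloaded Custom Standard">
    <rule ref="phpcs.xml.dist"/>
</ruleset>
EOF
    printf '%s\n' '<?php' "echo 'hello!';" > "$1/toplevel/subdir/test.php"
}

# Walk up from directory $1; print the first ruleset found.
# Assumption: names are tried in the order the report lists them.
find_ruleset() {
    dir=$(cd "$1" && pwd) || return 1
    while :; do
        for name in .phpcs.xml phpcs.xml .phpcs.xml.dist phpcs.xml.dist; do
            if [ -f "$dir/$name" ]; then printf '%s\n' "$dir/$name"; return 0; fi
        done
        if [ "$dir" = "/" ]; then return 1; fi
        dir=$(dirname "$dir")
    done
}

# Print every <rule ref> in ruleset $1 that names an existing file when
# resolved against base directory $2 (refs such as PSR12 are skipped).
resolve_refs() {
    sed -n 's/.*<rule ref="\([^"]*\)".*/\1/p' "$1" | while read -r ref; do
        if [ -f "$2/$ref" ]; then printf '%s\n' "$2/$ref"; fi
    done
}

# Demo: sh repro.sh <scratch-dir>
if [ -n "${1:-}" ]; then
    make_fixture "$1"
    rs=$(find_ruleset "$1/toplevel/subdir")
    echo "discovered ruleset:    $rs"
    echo "relative to ruleset:   $(resolve_refs "$rs" "$(dirname "$rs")")"
    echo "relative to work dir:  $(resolve_refs "$rs" "$1/toplevel/subdir")"
fi
```

Run against a scratch directory, the last line prints an empty result: the ref only resolves when the ruleset's own directory is the base.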