Merge pull request #66 from magento/xss-sniff-fix

lenaorobei · web-flow · commit fcf609477e44 · 2019-03-20T14:53:20.000-05:00
XssTemplateSniff does not detect some use cases
diff --git a/Magento2/Sniffs/Security/XssTemplateSniff.php b/Magento2/Sniffs/Security/XssTemplateSniff.php
@@ -151,6 +151,10 @@ private function findSpecialAnnotation($stackPtr)
             $startOfStatement = $this->file->findPrevious(T_OPEN_TAG, $stackPtr);
             return $this->file->findPrevious(T_COMMENT, $stackPtr, $startOfStatement);
         }
+        if ($this->tokens[$stackPtr]['code'] === T_OPEN_TAG_WITH_ECHO) {
+            $endOfStatement = $this->file->findNext(T_CLOSE_TAG, $stackPtr);
+            return $this->file->findNext(T_COMMENT, $stackPtr, $endOfStatement);
+        }
         return false;
     }
 
diff --git a/Magento2/Tests/Security/XssTemplateUnitTest.inc b/Magento2/Tests/Security/XssTemplateUnitTest.inc
@@ -1,5 +1,5 @@
 <!--unsafe-->
-<?php /* @noEscape */ echo $code; ?>
+
 <?php $block->getSomeData(); echo $block->getSomeData(); /* @escapeNotVerified */ echo $block->getSomeData();?>
 <?=  $block->getTitle();?>
 <?php echo $object->getSomeMethod($block->getHtmlId());?>
@@ -56,3 +56,4 @@ echo $var;
 <?php echo $block->escapeJs($js); ?>
 <?php echo $block->escapeCss($css); ?>
 <?php echo $block->getJsLayout($jsLayout); ?>
+<?= /* @noEscape */ json_encode($config) ?>
diff --git a/Magento2/ruleset.xml b/Magento2/ruleset.xml
@@ -60,6 +60,7 @@
         <severity>10</severity>
         <type>error</type>
         <exclude-pattern>*/lib/*</exclude-pattern>
+        <exclude-pattern>*/Test/*</exclude-pattern>
     </rule>
     <rule ref="Magento2.Strings.ExecutableRegEx">
         <severity>10</severity>
@@ -97,6 +98,7 @@
         <severity>9</severity>
         <type>warning</type>
         <exclude-pattern>*/lib/*</exclude-pattern>
+        <exclude-pattern>*/Test/*</exclude-pattern>
     </rule>
     <rule ref="Magento2.Security.XssTemplate">
         <include-pattern>*.phtml</include-pattern>
@@ -252,6 +254,7 @@
     <rule ref="Squiz.PHP.GlobalKeyword">
         <severity>7</severity>
         <type>warning</type>
+        <exclude-pattern>*/Test/*</exclude-pattern>
     </rule>
     <rule ref="Squiz.Scope.MemberVarScope">
         <severity>7</severity>

Original file line number	Diff line number	Diff line change
`@@ -151,6 +151,10 @@ private function findSpecialAnnotation($stackPtr)`
`151`	`151`	`$startOfStatement = $this->file->findPrevious(T_OPEN_TAG, $stackPtr);`
`152`	`152`	`return $this->file->findPrevious(T_COMMENT, $stackPtr, $startOfStatement);`
`153`	`153`	`}`
	`154`	`+ if ($this->tokens[$stackPtr]['code'] === T_OPEN_TAG_WITH_ECHO) {`
	`155`	`+ $endOfStatement = $this->file->findNext(T_CLOSE_TAG, $stackPtr);`
	`156`	`+ return $this->file->findNext(T_COMMENT, $stackPtr, $endOfStatement);`
	`157`	`+ }`
`154`	`158`	`return false;`
`155`	`159`	`}`
`156`	`160`