ValidatedSanitizedInput: handle null coalesce (equal) correctly #1684
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The null coalesce operator `??` is a special comparison operator, in the sense that it doesn't compare a variable to whatever is on the other side of the comparison operator. For this reason, it should be possible to disregard it.
…way to validate a variable This adds recognition of the coalesce operator `??` (PHP 7.0) and the coalesce equals operator `??=`, as will be added in PHP 7.4, to the `Sniff::is_validated()` method. This prevents false positives where variables would be seen as "not validated", when the variable has in fact been validated via a coalesce equals assignment in a previous statement. Related to 764, 840
…oalesced variable
…l coalesce equals PHP 7.0 introduced the null coalesce operator, while PHP 7.4 will introduce the null coalesce equal operator. These operators should be accounted for in the `ValidatedSanitizedInput` sniff as valid ways to validate a variable, but should still allow for the sniff to *also* check for sanitization. Refs: * https://php.net/manual/en/language.operators.comparison.php#language.operators.comparison.coalesce * https://wiki.php.net/rfc/isset_ternary * https://wiki.php.net/rfc/null_coalesce_equal_operator Related to 764 Fixes 837 Closes 840 which is superseded by this PR
GaryJones
approved these changes
Apr 2, 2019
GaryJones
deleted the
feature/837-840-validatedsanitizedinput-allow-for-null-coalesce
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PHP 7.0 introduced the null coalesce operator, while PHP 7.4 will introduce the null coalesce equal operator.
These operators should be accounted for in the
ValidatedSanitizedInputsniff as valid ways to validate a variable, but should still allow for the sniff to also check for sanitization.Refs:
Related to #764
Includes unit tests.
Fixes #837
Closes #840 which is superseded by this PR
As part of this PR, two methods in the
Sniffclass received changes:Sniff::is_comparison(): allow to disregard null coalesce
The null coalesce operator
??is a special comparison operator, in the sense that it doesn't compare a variable to whatever is on the other side of the comparison operator.For this reason, it should be possible to disregard it.
Sniff::is_validated(): recognize null coalesce (equal) operator as a way to validate a variable
This adds recognition of the coalesce operator
??(PHP 7.0) and the coalesce equals operator??=, as will be added in PHP 7.4, to theSniff::is_validated()method.This prevents false positives where variables would be seen as "not validated", when the variable has in fact been validated via a coalesce equals assignment in a previous statement.
Related to #764, #840