Code that uses shell_exec() and exec() now escapes cmds and args in case PHPCS is being used in a web service

Author: gsherwood

CodeSniffer/Fixer.php

@@ -266,7 +266,9 @@ public function generateDiff($filePath=null, $colors=true)
 
         // We must use something like shell_exec() because whitespace at the end
         // of lines is critical to diff files.
-        $cmd  = "diff -u -L\"$filename\" -LPHP_CodeSniffer \"$filename\" \"$tempName\"";
+        $filename = escapeshellarg($filename);
+        $cmd      = "diff -u -L$filename -LPHP_CodeSniffer $filename \"$tempName\"";
+
         $diff = shell_exec($cmd);
 
         fclose($fixedFile);

CodeSniffer/Standards/Generic/Sniffs/Debug/CSSLintSniff.php

@@ -66,7 +66,7 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
             return;
         }
 
-        $cmd = $csslintPath.' '.escapeshellarg($fileName);
+        $cmd = escapeshellcmd($csslintPath).' '.escapeshellarg($fileName).' 2>&1';
         exec($cmd, $output, $retval);
 
         if (is_array($output) === false) {

CodeSniffer/Standards/Generic/Sniffs/Debug/ClosureLinterSniff.php

@@ -83,8 +83,9 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
             return;
         }
 
-        $cmd = "$lintPath --nosummary --notime --unix_mode \"$fileName\"";
-        $msg = exec($cmd, $output, $retval);
+        $lintPath = escapeshellcmd($lintPath);
+        $cmd      = '$lintPath --nosummary --notime --unix_mode '.escapeshellarg($fileName);
+        $msg      = exec($cmd, $output, $retval);
 
         if (is_array($output) === false) {
             return;

CodeSniffer/Standards/Generic/Sniffs/Debug/JSHintSniff.php

@@ -70,7 +70,10 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
             return;
         }
 
-        $cmd = "$rhinoPath \"$jshintPath\" \"$fileName\"";
+        $rhinoPath  = escapeshellcmd($rhinoPath);
+        $jshintPath = escapeshellcmd($jshintPath);
+
+        $cmd = "$rhinoPath \"$jshintPath\" ".escapeshellarg($fileName);
         $msg = exec($cmd, $output, $retval);
 
         if (is_array($output) === true) {

CodeSniffer/Standards/Generic/Sniffs/PHP/SyntaxSniff.php

@@ -73,11 +73,11 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
             }
         }
 
-        $fileName = $phpcsFile->getFilename();
+        $fileName = escapeshellarg($phpcsFile->getFilename());
         if (defined('HHVM_VERSION') === false) {
-            $cmd = $this->_phpPath." -l -d error_prepend_string='' \"$fileName\" 2>&1";
+            $cmd = escapeshellcmd($this->_phpPath)." -l -d error_prepend_string='' $fileName 2>&1";
         } else {
-            $cmd = $this->_phpPath." -l \"$fileName\" 2>&1";
+            $cmd = escapeshellcmd($this->_phpPath)." -l $fileName 2>&1";
         }
 
         $output  = shell_exec($cmd);

CodeSniffer/Standards/Squiz/Sniffs/Debug/JSLintSniff.php

@@ -68,7 +68,10 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
             return;
         }
 
-        $cmd = "$rhinoPath \"$jslintPath\" \"$fileName\"";
+        $rhinoPath  = escapeshellcmd($rhinoPath);
+        $jslintPath = escapeshellcmd($jslintPath);
+
+        $cmd = "$rhinoPath \"$jslintPath\" ".escapeshellarg($fileName);
         $msg = exec($cmd, $output, $retval);
 
         if (is_array($output) === true) {

CodeSniffer/Standards/Squiz/Sniffs/Debug/JavaScriptLintSniff.php

@@ -66,7 +66,7 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
             return;
         }
 
-        $cmd = '"'.$jslPath.'" -nologo -nofilelisting -nocontext -nosummary -output-format __LINE__:__ERROR__ -process "'.$fileName.'"';
+        $cmd = '"'.escapeshellcmd($jslPath).'" -nologo -nofilelisting -nocontext -nosummary -output-format __LINE__:__ERROR__ -process '.escapeshellarg($fileName);
         $msg = exec($cmd, $output, $retval);
 
         // Variable $exitCode is the last line of $output if no error occurs, on

CodeSniffer/Standards/Zend/Sniffs/Debug/CodeAnalyzerSniff.php

@@ -63,7 +63,7 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
         // In the command, 2>&1 is important because the code analyzer sends its
         // findings to stderr. $output normally contains only stdout, so using 2>&1
         // will pipe even stderr to stdout.
-        $cmd = $analyzerPath.' '.$fileName.' 2>&1';
+        $cmd = escapeshellcmd($analyzerPath).' '.escapeshellarg($fileName).' 2>&1';
 
         // There is the possibility to pass "--ide" as an option to the analyzer.
         // This would result in an output format which would be easier to parse.

package.xml

@@ -27,6 +27,9 @@ http://pear.php.net/dtd/package-2.0.xsd">
  <license uri="https://github.com/squizlabs/PHP_CodeSniffer/blob/master/licence.txt">BSD 3-Clause License</license>
  <notes>
   - The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
+  - Code that uses shell_exec() and exec() now escapes cmds and args in case PHPCS is being used in a web service
+    -- This changes saves having to do filename and config validation before passing content to PHPCS
+    -- Thanks to Klaus Purer for reporting this
   - PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
   - PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
   - Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration