* Copyright (C) 2023 Alexandre Janniaux * Copyright (C) 2024 MDW * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * or see https://www.gnu.org/ */ /** * \file test/phpunit/CodingPhpTest.php * \ingroup test * \brief PHPUnit test * \remarks To run this script as CLI: phpunit filename.php */ global $conf,$user,$langs,$db; //define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver //require_once 'PHPUnit/Autoload.php'; require_once dirname(__FILE__).'/../../htdocs/master.inc.php'; require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php'; require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php'; require_once dirname(__FILE__).'/CommonClassTest.class.php'; if (! defined('NOREQUIREUSER')) { define('NOREQUIREUSER', '1'); } if (! defined('NOREQUIREDB')) { define('NOREQUIREDB', '1'); } if (! defined('NOREQUIRESOC')) { define('NOREQUIRESOC', '1'); } if (! defined('NOREQUIRETRAN')) { define('NOREQUIRETRAN', '1'); } if (! defined('NOCSRFCHECK')) { define('NOCSRFCHECK', '1'); } if (! defined('NOTOKENRENEWAL')) { define('NOTOKENRENEWAL', '1'); } if (! defined('NOREQUIREMENU')) { define('NOREQUIREMENU', '1'); // If there is no menu to show } if (! defined('NOREQUIREHTML')) { define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php } if (! defined('NOREQUIREAJAX')) { define('NOREQUIREAJAX', '1'); } if (! defined("NOLOGIN")) { define("NOLOGIN", '1'); // If this page is public (can be called outside logged session) } if (empty($user->id)) { print "Load permissions for admin user nb 1\n"; $user->fetch(1); $user->getrights(); } $conf->global->MAIN_DISABLE_ALL_MAILS = 1; /** * Class for PHPUnit tests * * @backupGlobals disabled * @backupStaticAttributes enabled * @remarks backupGlobals must be disabled to have db,conf,user and lang not erased. */ class CodingPhpTest extends CommonClassTest { /** * Return list of files for which to verify Php checks * * @return array{name:string,path:string,level1name:string,relativename:string,fullname:string,date:string,size:int,perm:int,type:string} List of php files to check (dol_dir_list) */ public function phpFilesProvider() { // File functions are needed include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $excludeRegexList = array( '\/includes\/', '\/install\/doctemplates\/websites\/', '\/custom\/', '\/dolimed', '\/nltechno', '\/teclib', ); $fullRegex = '(?:'.implode('|', $excludeRegexList).')'; $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', [$fullRegex], 'fullname', SORT_ASC, 0, 1, '', 1); /* $filteredArray = array_filter( $filesarray, static function($file) use (&$fullRegex) { return !preg_match($fullRegex, $file['relativename']); } )); */ return array_map(function ($value) { return array($value); }, $filesarray); } /** * testPHP * * @param array{name:string,path:string,level1name:string,relativename:string,fullname:string,date:string,size:int,perm:int,type:string} $file File information * @return string * * @dataProvider phpFilesProvider */ public function testPHP($file) { $this->nbLinesToShow = 1; //print 'Check php file '.$file['relativename']."\n"; $filecontentorigin = file_get_contents($file['fullname']); // We are not interested in the comments $filecontent = $this->removePhpComments($filecontentorigin); // File path for reports $report_filepath = "htdocs/{$file['relativename']}"; $this->verifyIsModuleEnabledOk($filecontent, $report_filepath); if (preg_match('/\.class\.php/', $file['relativename']) || preg_match('/boxes\/box_/', $file['relativename']) || preg_match('/modules\/.*\/doc\/(doc|pdf)_/', $file['relativename']) || preg_match('/modules\/(import|mailings|printing)\//', $file['relativename']) || in_array($file['name'], array('modules_boxes.php', 'TraceableDB.php'))) { // Check Class files if (! in_array($file['name'], array( 'api.class.php', 'commonobject.class.php', 'conf.class.php', 'html.form.class.php', 'translate.class.php', 'utils.class.php', 'TraceableDB.php', 'multicurrency.class.php' ))) { // Must not find $db-> $ok = true; $matches = array(); // Check string $db-> inside a class.php file (it should be $this->db-> in such classes) preg_match_all('/'.preg_quote('$db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found string $db-> in a .class.php file in '.$file['relativename'].'. Inside a .class file, you should use $this->db-> instead.'); //exit; } if (preg_match('/\.class\.php$/', $file['relativename']) && ! in_array($file['relativename'], array( 'adherents/class/adherent.class.php', 'adherents/canvas/actions_adherentcard_common.class.php', 'contact/canvas/actions_contactcard_common.class.php', 'compta/facture/class/facture.class.php', 'core/class/commonobject.class.php', 'core/class/extrafields.class.php', 'core/class/html.form.class.php', 'core/class/html.formfile.class.php', 'core/class/html.formcategory.class.php', 'core/class/html.formmail.class.php', 'core/class/html.formother.class.php', 'core/class/html.formsms.class.php', 'core/class/html.formticket.class.php', 'core/class/utils.class.php', 'core/class/openid.class.php', 'fourn/class/fournisseur.facture.class.php', 'societe/canvas/actions_card_common.class.php', 'societe/canvas/individual/actions_card_individual.class.php', 'ticket/class/actions_ticket.class.php', 'ticket/class/ticket.class.php', 'webportal/class/context.class.php', 'webportal/class/html.formcardwebportal.class.php', 'webportal/class/html.formlistwebportal.class.php', 'webportal/controllers/document.controller.class.php', 'workstation/class/workstation.class.php', ))) { // Must not find GETPOST $ok = true; $matches = array(); // Check string GETPOSTFLOAT a class.php file (should not be found in classes) preg_match_all('/GETPOST\(["\'](....)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (in_array($val[1], array('lang', 'forc', 'mass', 'conf'))) { continue; } //var_dump($val); $ok = false; break; } $this->assertTrue($ok, 'Found string GETPOST in a .class.php file in '.$file['relativename'].'.'); } } else { // Check Include files if (! in_array($file['name'], array( 'objectline_view.tpl.php', 'extrafieldsinexport.inc.php', 'extrafieldsinimport.inc.php', 'DolQueryCollector.php', 'DoliStorage.php' ))) { // Must not found $this->db-> $ok = true; $matches = array(); // Check string $this->db-> in a non class.php file (it should be $db-> in such classes) preg_match_all('/'.preg_quote('$this->db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found string "$this->db->" in '.$file['relativename']); //exit; } } // Check we don't miss top_httphead() in any ajax pages if (preg_match('/ajax\//', $file['relativename'])) { //print "Analyze ajax page ".$file['relativename']."\n"; $ok = true; $matches = array(); preg_match_all('/top_httphead/', $filecontent, $matches, PREG_SET_ORDER); if (count($matches) == 0) { $ok = false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Did not find top_httphead in the ajax page '.$file['relativename']); //exit; } // Check for unauthorised vardumps if (!preg_match('/test\/phpunit/', $file['fullname'])) { $this->verifyNoActiveVardump($filecontent, $report_filepath); } // Check get_class followed by __METHOD__ $ok = true; $matches = array(); preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['relativename']); //exit; // Check string $this->db->idate without quotes $ok = true; $matches = array(); preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($val[1] != '\'"' && $val[1] != '\'\'') { $ok = false; break; } //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['relativename']); //exit; // Check sql string DELETE|OR|AND|WHERE|INSERT ... yyy = ".$xxx // with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request. $ok = true; $matches = array(); preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*(\'|")\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($val[2] == 'ity' && $val[4] == 'con') { // exclude entity = ".$conf->entity continue; } if ($val[2] == 'ame' && $val[4] == 'db-' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$db->encrypt( continue; } if ($val[2] == 'ame' && $val[4] == 'thi' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$this->db->encrypt( continue; } var_dump($matches); $ok = false; break; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non quoted or not casted var in sql request '.$file['relativename'].' - Bad.'); //exit; // Check that forged sql string is not using NOW() inside SQL $ok = true; $matches = array(); preg_match_all('/NOW\(\)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { //if ($val[1] != '\'"' && $val[1] != '\'\'') { var_dump($matches); $ok = false; break; //} //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found a forged SQL string that contains the function NOW() in file '.$file['relativename'].' Using this SQL function is forbidden. See https://wiki.dolibarr.org/index.php?title=Language_and_development_rules#SQL_Coding_rules'); //exit; // Check that forged sql string is using ' instead of " as string PHP quotes $ok = true; $matches = array(); preg_match_all('/\$sql \.= \'\s*VALUES.*\$/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { //if ($val[1] != '\'"' && $val[1] != '\'\'') { var_dump($matches); $ok = false; break; //} //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables in file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELECT ".$myvar...'); //exit; // Check that forged sql string is using ' instead of " as string PHP quotes $ok = true; $matches = array(); preg_match_all('/\$sql \.?= \'SELECT.*\$/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { var_dump($matches); $ok = false; break; } $this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables in file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELECT ".$myvar...'); // Check sql string VALUES ... , ".$xxx // with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request. $ok = true; $matches = array(); preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($val[1] == 'VALUES' && $val[2] == 'db-') { // exclude $db->escape( continue; } if ($val[1] == 'VALUES' && $val[2] == 'thi' && preg_match('/this->db->encrypt/', $val[0])) { // exclude ".$this->db->encrypt( continue; } var_dump($matches); $ok = false; break; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non quoted or not casted var in sql request '.$file['relativename'].' - Bad.'); //exit; // Check '".$xxx non escaped // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. $ok = true; $matches = array(); preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($val[1] != 'db->' && $val[1] != 'esca') { $ok = false; break; } } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 1) in '.$file['relativename'].' - Bad.'); // Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request. $ok = true; $matches = array(); $found = ""; preg_match_all('/(sql|SET|WHERE|where|INSERT|insert|VALUES|LIKE).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (! in_array($val[2], array('this->d', 'this->e', 'db->esc', 'dbs->es', 'dbs->id', 'mydb->e', 'dbsessi', 'db->ida', 'escaped', 'exclude', 'include'))) { $found = $val[0]; $ok = false; // This will generate error break; } //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 2) in '.$file['relativename'].': '.$found.' - Bad.'); //exit; // Check string sql|set...'.$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request. $ok = true; $matches = array(); $found = ""; preg_match_all('/(\$sql|SET\s|WHERE\s|INSERT\s|VALUES\s|VALUES\().+\s*\'\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (! in_array($val[2], array('this->db-', 'db->prefi', 'db->sanit', 'dbs->pref', 'dbs->sani', 'conf->ent', 'key : \'\')', 'key])."\')', 'excludefi', 'regexstri', ''))) { $found = $val[0]; $ok = false; var_dump($matches); break; } //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 3) in '.$file['relativename'].': '.$found.' - Bad.'); //exit; // Check string sql|set...=".... without (int). It means we forget a cast (int) when forging sql request. $ok = true; $matches = array(); $found = ""; // $sql .= " field = ".(isset($this->field) ? $this->escape($this->field) : "null")... is KO // $sql .= " field = ".(isset($this->field) ? "'".$this->escape($this->field)."'" : "null")... is OK /* preg_match_all('/(\$sql|VALUES\()[^\'\n]*[^\'\n]"\s*\.\s*([^\n]+)\n/m', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (! preg_match('/^(implode\(\' OR \', \$search|implode\(\' AND \', \$search|MAIN_DB_PREFIX|accountancy_code|\w+::|\$key|\$db->prefix|\$this->db->prefix|\$predefinedgroupwhere|\$db->sanitize|\$this->db->sanitize|\$db->ifsql|\$db->decrypt|\(int\)|\(float\)|\(\(int\)|\(\(float\)|\$conf->entity|getEntity|\$this->from)/', $val[2])) { //print "Found a suspicious string: ".$val[2]."\n"; if (preg_match('/.+\?.+:.+/', $val[2])) { // We found a string that follow the " in $sql .= " "..... and does not contains simple quote for escapement nor casting // May be it is later, into the b or c in case of a ? b : c // Example: // $val[2] is (isset($this->field) ? $this->escape($this->field) : "null")... is KO // $val[2] is (isset($this->field) ? "'".$this->escape($this->field)."'" : "null")... is OK $tmps = $val[2]; $tmps = preg_replace('/^[^\?]+\?/', '', $tmps); $tmps2 = explode(':', $tmps, 2); $tmps2a = trim($tmps2[0]); if (!empty($tmps2[1])) { $tmps2b = trim($tmps2[1]); } else { $tmps2b = ''; } } else { $tmps2a = $val[2]; $tmps2b = ''; } if (preg_match('/^(\(*["\']|\(+int\)|\(+float\)|\(*\d|GETPOSTINT|getDolGlobalInt|dolSqlDateFilter|\$user->id|\$conf->entity|\$this->entity|\$this->where|\(?\$this->societe|str_pad\(\(int)/', $tmps2a) && (empty($tmps2b) || preg_match('/^(\(*["\']|\(+int\)|\(+float\)|\(*\d|GETPOSTINT|getDolGlobalInt|dolSqlDateFilter|\$user->id|\$conf->entity|\$this->entity|\$this->where|\(?\$this->societe|str_pad\(\(int)/', $tmps2b))) { continue; // No problem } var_dump($val); $found = $val[0]; $ok = false; break; } } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non escaped or non casted string in building of a sql request (case 4) in '.$file['relativename'].': '.$found.' - Bad.'); */ // Checks with IN // Check string ' IN (".xxx' or ' IN (\'.xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request. $ok = true; $matches = array(); preg_match_all('/\s+IN\s*\([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { //var_dump($val); if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) { $ok = false; break; } //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.'); //exit; // Check string ' IN (\'".xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request. $ok = true; $matches = array(); preg_match_all('/\s+IN\s*\(\'"\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { //var_dump($val); if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) { $ok = false; break; } //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.'); //exit; // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped. $ok = true; $matches = array(); preg_match_all('/(..............)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($val[1] != 'scape_htmltag(' && $val[1] != 'ing_nohtmltag(' && $val[1] != 'dol_escape_js(') { $ok = false; break; } } $this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].'. Bad.'); // Check GETPOST(... 'none'); $ok = true; $matches = array(); preg_match_all('/GETPOST\s*\(([^\)]+),\s*["\']none["\']/i', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { //var_dump($val); if (!in_array($val[1], array( "'content'", "'replacestring'", "'htmlheader'", "'WEBSITE_HTML_HEADER'", "'WEBSITE_CSS_INLINE'", "'WEBSITE_JS_INLINE'", "'WEBSITE_MANIFEST_JSON'", "'PAGE_CONTENT'", "'WEBSITE_README'", "'WEBSITE_LICENSE'", '"mysqldump"', '"postgresqldump"', "'db_pass_root'", "'db_pass'", '"pass"', '"pass1"', '"pass2"', '"password"', "'password'"))) { $ok = false; break; } //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; $this->assertTrue($ok, 'Found a GETPOST that use \'none\' as a parameter in file '.$file['relativename'].' and param is not an allowed parameter for using none - Bad.'); //exit; // Test that first param of print_liste_field_titre is a translation key and not the translated value $ok = true; $matches = array(); // Check string ='print_liste_field_titre\(\$langs'. preg_match_all('/print_liste_field_titre\(\$langs/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['relativename'].'. Bad.'); // Test we don't have
$ok = true; $matches = array(); preg_match_all('//', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($file['name'] != 'functions.lib.php') { $ok = false; break; } } $this->assertTrue($ok, 'Found a tag
that is for xml in file '.$file['relativename'].'. You must use html syntax
instead.'); // Test we don't have name="token" value="'.$_SESSION['newtoken'], we must use name="token" value="'.newToken() instead. $ok = true; $matches = array(); preg_match_all('/name="token" value="\'\s*\.\s*\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if ($file['name'] != 'excludefile.php') { $ok = false; break; } } $this->assertTrue($ok, 'Found a forbidden string sequence in '.$file['relativename'].' : name="token" value="\'.$_SESSION[..., you must use a newToken() instead of $_SESSION[\'newtoken\'].'); // Test we don't have preg_grep with a param without preg_quote $ok = true; $matches = array(); preg_match_all('/preg_grep\(.*\$/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (strpos($val[0], 'preg_quote') === false) { $ok = false; break; } } $this->assertTrue($ok, 'Found a preg_grep with a param that is a $var but without preg_quote in file '.$file['relativename'].'.'); // Test we don't have "if ($resql >" $ok = true; $matches = array(); preg_match_all('/if \(\$resql >/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found a if $resql with a > operator (when $resql is a boolean or resource) in file '.$file['relativename'].'. Please remove the > ... part.'); // Test we don't have empty($user->hasRight $ok = true; $matches = array(); preg_match_all('/empty\(\$user->hasRight/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found code empty($user->hasRight in file '.$file['relativename'].'. empty() must not be used on a var not on a function.'); // Test we don't have empty(DolibarrApiAccess::$user->hasRight $ok = true; $matches = array(); preg_match_all('/empty\(DolibarrApiAccess::\$user->hasRight/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found code empty(DolibarrApiAccess::$user->hasRight in file '.$file['relativename'].'. empty() must not be used on a var not on a function.'); // Test we don't have empty($user->hasRight $ok = true; $matches = array(); preg_match_all('/empty\(getDolGlobal/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found code empty(getDolGlobal... in file '.$file['relativename'].'. empty() must be used on a var not on a function.'); // Test we don't have @var array( $ok = true; $matches = array(); preg_match_all('/@var\s+array\(/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['relativename'].'.'); // Test we don't have CURDATE() $ok = true; $matches = array(); preg_match_all('/CURDATE\(\)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $ok = false; break; } $this->assertTrue($ok, 'Found a CURDATE\(\) in code. Do not use this SQL method in file '.$file['relativename'].'. You must use the PHP function dol_now() instead.'); // Test we don't have if ($action == 'xxx'... without test on permission // We do not test on file into admin, protection is done on page on user->admin if (!preg_match('/admin\//', $file['fullname']) && !preg_match('/\.tpl\.php/', $file['fullname']) && !preg_match('/\.lib\.php/', $file['fullname']) && !preg_match('/\.inc\.php/', $file['fullname']) && !preg_match('/\.class\.php/', $file['fullname']) && !preg_match('/NORUN$/', $file['fullname'])) { $ok = true; $matches = array(); // Get to part of string to use for analysis $reg = array(); if (preg_match('/\*\s+Action(.*)\*\s+View/ims', $filecontentorigin, $reg)) { $filecontentaction = $reg[1]; } else { $filecontentaction = $filecontent; } preg_match_all('/if\s*\(\s*\$action\s*==\s*[\'"][a-z]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (!preg_match('/\$user->hasR/', $val[0]) && !preg_match('/\$permission/', $val[0]) && !preg_match('/\$permto/', $val[0]) && !preg_match('/\$usercan/', $val[0]) && !preg_match('/\$canedit/', $val[0]) && !preg_match('/\$user->admin/', $val[0]) && !preg_match('/already done/i', $val[0]) && !preg_match('/done later/i', $val[0]) && !preg_match('/not required/i', $val[0])) { $ok = false; //var_dump($file['fullname'].' '.$filecontentaction);exit; print "File ".$file['relativename']." - Line: ".$val[0]."\n"; break; } } $this->assertTrue($ok, 'Found a test on $action, without check on permission on same line and without the comment "// Test on permission already done", in file '.$file['relativename'].'.'); } } /** * Verify that no active var_dump was left over in the code * * @param string $filecontent Contents to check for php code that uses a module name * @param string $filename File name for the contents (used for reporting) * * @return void */ private function verifyNoActiveVardump(&$filecontent, $filename) { $ok = true; $matches = array(); // Match!: // - Line-start, whitespace, var_dump // - Line-start, no-comment-leader, var_dump // no-commen-leader= // - Any character not / or * // - Any / not preceded with / and not followed by / or * // - Any * not preceded with / preg_match_all('{^(?:^|^(?:[ \t]*|(?:(?:[^*/]|(? $val) { if (!isset($val[1]) || $val[1] != '/' && $val[1] != '*') { $ok = false; $failing_string = $val[0]; break; } } $this->assertTrue($ok, "Found string var_dump that is not just after /* or // in '$filename': $failing_string"); } /** * Provide test data for testing the method detecting var_dump presence. * * @return array Test sets */ public function vardumpTesterProvider() { return [ 'var_dump at start of file' => ["var_dump(\$help)\n", true], 'var_dump at start of line' => ["\nvar_dump(\$help)\n", true], 'var_dump after comment next line' => ["/* Hello */\nvar_dump(\$help)\n", true], 'var_dump with space' => [" var_dump(\$help)\n", true], 'var_dump after comment' => [" // var_dump(\$help)\n", false], '2 var_dumps after comment' => [" // var_dump(\$help); var_dump(\$help)\n", false], 'var_dump before and after comment' => [" var_dump(\$help); // var_dump(\$help)\n", true], ]; } /** * Test that verifyNoActiveVardump generates a notification * * @param string $filecontent Fake file content * @param bool $hasVardump When true, expect var_dump detection * * @return void * * @dataProvider vardumpTesterProvider */ public function testVerifyNoActiveVardump(&$filecontent, $hasVardump) { $this->nbLinesToShow = 1; // Create some dummy file content $filename = $this->getName(false); $notification = false; ob_start(); // Do not disturb the output with tests that are meant to fail. try { $this->verifyNoActiveVardump($filecontent, $filename); } catch (Throwable $e) { $notification = (string) $e; } $output = ob_get_clean(); // Assert that a notification was generated if ($hasVardump) { $this->assertStringContainsString("Found string var_dump", $notification ?? '', "Expected notification not found."); } else { $this->assertFalse($notification, "Unexpection detection of var_dump"); } } /** * Verify that only known modules are used * * @param string $filecontent Contents to check for php code that uses a module name * @param string $filename File name for the contents (used for reporting) * * @return void */ private function verifyIsModuleEnabledOk(&$filecontent, $filename) { // Verify that only known modules are used $matches = array(); preg_match_all("/isModEnabled\\(\s*[\"']([^\$\"']+)[\"']\\s*\\)/", $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { $module_name = $val[1]; $this->assertModuleIsOk($module_name, "isModEnabled('$module_name') in '$filename'"); } } /** * Assert that the module name is ok, generate appropriate notifications * * @param string $module_name Module name to check * @param string $message Message to shown in case an assertion fails * * @return void */ private function assertModuleIsOk($module_name, $message = '') { if (isset(self::EFFECTIVE_DEPRECATED_MODULE_MAPPING[$module_name])) { $new_name = self::EFFECTIVE_DEPRECATED_MODULE_MAPPING[$module_name]; print("\033[31mDeprecated module name, use '$new_name':\033[0m$message".PHP_EOL); //trigger_error("Deprecated module name, use '$new_name': $message", E_USER_NOTICE); trigger_error("Deprecated module name, use '$new_name': $message", E_USER_DEPRECATED); } else { $this->assertTrue( array_key_exists($module_name, self::VALID_MODULE_MAPPING) || array_key_exists($module_name, self::DEPRECATED_MODULE_MAPPING), "Unknown module: $message" ); } } /** * Remove php comments from source string * * @param string $string The string from which the PHP comments are removed * * @return string The string without the comments */ private function removePhpComments($string) { return preg_replace_callback( '{(//.*?$)|(/\*.*?\*/)}ms', static function ($match) { if (isset($match[2])) { // Count the number of newline characters in the comment $num_newlines = substr_count($match[0], "\n"); // Generate whitespace equivalent to the number of newlines if ($num_newlines == 0) { // /* Comment on single line -> space return " "; } else { // /* Comment on multiple lines -> new lines return str_repeat("\n", $num_newlines); } } else { // Double slash comment, just remove return ""; } }, $string ); } /** * Provide test data for testing the comments remover * * @return array Test sets */ public function commentRemovalTestProvider() { return [ 'complete line 1' => ["/*Comment complete line*/", " "], 'complete line 2' => ["// Comment complete line", ""], 'partial line 1' => ["a/*Comment complete line*/b", "a b"], 'partial line 2' => ["a// Comment complete line", "a"], 'multi line full 1' => ["/*Comment\ncomplete line*/", "\n"], 'multi line full 2' => ["/*Comment\ncomplete line*/\n", "\n\n"], 'multi line partials 1' => ["a/*Comment\ncomplete line*/b", "a\nb"], ]; } /** * Test that comments are properly removed * * @param string $source Fake file content * @param bool $expected When true, expect var_dump detection * * @return void * * @dataProvider commentRemovalTestProvider */ public function testRemovePhpComments(&$source, &$expected) { $this->nbLinesToShow = 0; $this->assertEquals($expected, $this->removePhpComments($source), "Comments not removed as expected"); } }