Security/PHPFilterFunctions: ignore function calls using PHP 5.6+ argument unpacking

This sniff ignores the function call if it cannot reliably be determined if a warning should be thrown.

So, for function calls using PHP 5.6+ argument unpacking, I've elected to also ignore these function calls.

Includes tests covering the change.

Author: jrfnl

WordPressVIPMinimum/Sniffs/Security/PHPFilterFunctionsSniff.php

@@ -79,6 +79,28 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 
 		$target_param = PassedParameters::getParameterFromStack( $parameters, $param_position, $param_name );
 		if ( $target_param === false ) {
+			/*
+			 * Check for PHP 5.6+ argument unpacking.
+			 *
+			 * No need for extensive defensive coding, we already know this is syntactically a valid function call,
+			 * otherwise this method would not have been reached.
+			 */
+			$tokens       = $this->phpcsFile->getTokens();
+			$open_parens  = $this->phpcsFile->findNext( Tokens::$emptyTokens, ( $stackPtr + 1 ), null, true );
+			$has_ellipses = $this->phpcsFile->findNext( T_ELLIPSIS, ( $open_parens + 1 ), $tokens[ $open_parens ]['parenthesis_closer'] );
+
+			if ( $has_ellipses !== false ) {
+				$target_nesting_level = 1;
+				if ( isset( $tokens[ $open_parens ]['nested_parenthesis'] ) ) {
+					$target_nesting_level = ( count( $tokens[ $open_parens ]['nested_parenthesis'] ) + 1 );
+				}
+
+				if ( $target_nesting_level === count( $tokens[ $has_ellipses ]['nested_parenthesis'] ) ) {
+					// Bow out as undetermined.
+					return;
+				}
+			}
+
 			$message = 'Missing $%s parameter for "%s()".';
 			$data    = [ $param_name, $matched_content ];
 

WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc

@@ -73,3 +73,9 @@ filter_var(value: $value, filters: FILTER_SANITIZE_URL); // Typo in parameter na
 filter_var_array(options: FILTER_UNSAFE_RAW, array: $array); // This filter ID does nothing.
 
 filter_input_array($type, add_empty: false, options: FILTER_DEFAULT,); // This filter ID does nothing.
+
+// Ignore function calls using PHP 5.6 argument unpacking as we don't know what parameters were passed.
+filter_input(INPUT_GET, ...$params);
+trim(filter_input(INPUT_GET, ...$params));
+// ... but only ignore unpacking if done at the correct nesting level.
+filter_input(INPUT_GET, $obj->getVarname(...$params)); // Missing $filter parameter.

WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.php

@@ -49,6 +49,7 @@ public function getWarningList() {
 			71 => 1,
 			73 => 1,
 			75 => 1,
+			81 => 1,
 		];
 	}
 }