Security/PHPFilterFunctions: document unsupported PHP feature

jrfnl · jrfnl · commit 824bb1be7234 · 2025-07-18T15:09:09.000+02:00
The `$options` parameter for `filter_var_array()` and `filter_input_array()` can take either an integer (filter constant) or an array with options, which could include an option setting the filter constant. At this time, this sniff does not handle an array with options being passed to these functions. Adding support for this will make the sniff much more complicated as PHP supports multiple array formats. Additionally, if the `$options` parameter is passed as an array, the likelyhood that the array is passed in as a variable increases exponentially, so then the next problem would be finding the variable definition and analysing that. All in all, this is a rabbit hole without end. Refs: * https://www.php.net/manual/en/function.filter-var-array.php * https://www.php.net/manual/en/function.filter-input-array.php
diff --git a/WordPressVIPMinimum/Sniffs/Security/PHPFilterFunctionsSniff.php b/WordPressVIPMinimum/Sniffs/Security/PHPFilterFunctionsSniff.php
@@ -16,6 +16,10 @@
 /**
  * This sniff ensures that proper sanitization is occurring when PHP's filter_* functions are used.
  *
+ * {@internal The $options parameter for filter_var_array() and filter_input_array() can take either an
+ * integer (filter constant) or an array with options, which could include an option setting the filter constant.
+ * At this time, this sniff does not handle an array with options being passed.}
+ *
  * @since 0.4.0
  */
 class PHPFilterFunctionsSniff extends AbstractFunctionParameterSniff {
diff --git a/WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc b/WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc
@@ -79,3 +79,22 @@ filter_input(INPUT_GET, ...$params);
 trim(filter_input(INPUT_GET, ...$params));
 // ... but only ignore unpacking if done at the correct nesting level.
 filter_input(INPUT_GET, $obj->getVarname(...$params)); // Missing $filter parameter.
+
+// False negatives: $options arrays are currently not (yet) supported by this sniff.
+// See: https://www.php.net/manual/en/function.filter-var-array.php and https://www.php.net/manual/en/function.filter-input-array.php
+filter_var_array(
+	$array,
+	array('keyA' => FILTER_DEFAULT), // This filter ID does nothing.
+);
+filter_input_array(
+	$array,
+	[
+		'keyA' => [
+			'filter' => FILTER_UNSAFE_RAW, // This filter ID does nothing.
+			'flags'  => FILTER_FORCE_ARRAY,
+		],
+		'keyB' => [
+			'filter' => FILTER_SANITIZE_ENCODED,
+		],
+	]
+);
