Add initial CI check

.travis.yml

@@ -0,0 +1,66 @@
+dist: trusty
+
+language: php
+
+## Cache composer and apt downloads.
+cache:
+ apt: true
+ directories:
+ # Cache directory for older Composer versions.
+ - $HOME/.composer/cache/files
+ # Cache directory for more recent Composer versions.
+ - $HOME/.cache/composer/files
+
+php:
+ - 5.4
+ - 7.4
+ - "nightly"
+
+# Define the stages used.
+stages:
+ - name: sniff
+ - name: test
+
+jobs:
+ fast_finish: true
+
+ include:
+ #### SNIFF STAGE ####
+ - stage: sniff
+ php: 7.4
+ addons:
+ apt:
+ packages:
+ - libxml2-utils
+ script:
+ # Validate the composer.json file.
+ # @link https://getcomposer.org/doc/03-cli.md#validate
+ - composer validate --no-check-all --strict
+
+ # Validate the xml files.
+ # @link http://xmlsoft.org/xmllint.html
+ - xmllint --noout --schema ./vendor/squizlabs/php_codesniffer/phpcs.xsd ./Security/ruleset.xml
+ - xmllint --noout --schema ./vendor/squizlabs/php_codesniffer/phpcs.xsd ./example_base_ruleset.xml
+ - xmllint --noout --schema ./vendor/squizlabs/php_codesniffer/phpcs.xsd ./example_drupal7_ruleset.xml
+
+ # Check the code-style consistency of the xml files.
+ - diff -B ./Security/ruleset.xml <(xmllint --format "./Security/ruleset.xml")
+ - diff -B ./example_base_ruleset.xml <(xmllint --format "./example_base_ruleset.xml")
+ - diff -B ./example_drupal7_ruleset.xml <(xmllint --format "./example_drupal7_ruleset.xml")
+
+ allow_failures:
+ # Allow failures for unstable builds.
+ - php: "nightly"
+
+before_install:
+ # Speed up build time by disabling Xdebug when its not needed.
+ - phpenv config-rm xdebug.ini || echo 'No xdebug config.'
+
+ - export XMLLINT_INDENT=" "
+
+ # --prefer-dist will allow for optimal use of the travis caching ability.
+ - composer install --prefer-dist --no-suggest
+
+script:
+ # Lint PHP files against parse errors.
+ - composer lint

Security/ruleset.xml

@@ -1,4 +1,4 @@
 <?xml version="1.0"?>
-<ruleset name="Security" namespace="PHPCS_SecurityAudit\Security">
- <description>Security related coding standard.</description>
+<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Security" namespace="PHPCS_SecurityAudit\Security" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
+  <description>Security related coding standard.</description>
 </ruleset>

composer.json

@@ -1,6 +1,6 @@
 {
  "name": "pheromone/phpcs-security-audit",
- "type" : "phpcodesniffer-standard",
+ "type" : "phpcodesniffer-standard",
  "description": "phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code",
  "license": "GPL-3.0-or-later",
  "authors": [
@@ -13,5 +13,16 @@
  "php": ">=5.4",
  "squizlabs/php_codesniffer": "^3.0.2",
  "dealerdirect/phpcodesniffer-composer-installer": "^0.4.1 || ^0.5 || ^0.6"
+ },
+ "require-dev" : {
+ "php-parallel-lint/php-parallel-lint": "^1.0",
+ "php-parallel-lint/php-console-highlighter": "^0.4"
+ },
+ "minimum-stability": "dev",
+ "prefer-stable": true,
+ "scripts" : {
+ "lint": [
+ "@php ./vendor/php-parallel-lint/php-parallel-lint/parallel-lint . -e php --exclude vendor --exclude .git"
+ ]
  }
 }

example_base_ruleset.xml

@@ -1,53 +1,52 @@
 <?xml version="1.0"?>
-<ruleset name="PHPSecurity">
- <description>Rules for standard PHP projects</description>
-
-<!-- Code Reviews Rules -->
-<!--
- <rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>
- <rule ref="PEAR"/>
--->
-
-<!-- Security Code Reviews Rules -->
-
-<!-- Global properties -->
-<!-- Please note that not every sniff uses them and they can be overwritten by rule -->
-<!-- Paranoia mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
-<config name="ParanoiaMode" value="1"/>
-
-<!-- BadFunctions -->
-<!-- PHP functions that can lead to security issues -->
-<rule ref="Security.BadFunctions.Asserts"/>
-<rule ref="Security.BadFunctions.Backticks"/>
-<rule ref="Security.BadFunctions.CallbackFunctions"/>
-<rule ref="Security.BadFunctions.CryptoFunctions"/>
-<rule ref="Security.BadFunctions.EasyRFI"/>
-<rule ref="Security.BadFunctions.EasyXSS">
- <properties>
- <!-- Comment out to follow global ParanoiaMode -->
- <property name="forceParanoia" value="1"/>
- </properties>
-</rule>
-<rule ref="Security.BadFunctions.ErrorHandling"/>
-<rule ref="Security.BadFunctions.FilesystemFunctions"/>
-<rule ref="Security.BadFunctions.FringeFunctions"/>
-<rule ref="Security.BadFunctions.FunctionHandlingFunctions"/>
-<rule ref="Security.BadFunctions.Mysqli"/>
-<rule ref="Security.BadFunctions.NoEvals"/>
-<rule ref="Security.BadFunctions.Phpinfos"/>
-<rule ref="Security.BadFunctions.PregReplace"/>
-<rule ref="Security.BadFunctions.SQLFunctions"/>
-<rule ref="Security.BadFunctions.SystemExecFunctions"/>
-
-<!-- CVE -->
-<!-- Entries from CVE database from vendor PHP and bugs.php.net -->
-<rule ref="Security.CVE.CVE20132110"/>
-<rule ref="Security.CVE.CVE20134113"/>
-
-<!-- Misc -->
-<rule ref="Security.Misc.BadCorsHeader"/>
-<rule ref="Security.Misc.IncludeMismatch"/>
-<rule ref="Security.Misc.TypeJuggle"/>
+<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="PHPSecurity" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
+  <description>Rules for standard PHP projects</description>
+
+ <!-- Code Reviews Rules -->
+ <!--
+  <rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>
+  <rule ref="PEAR"/>
+ -->
+
+ <!-- Security Code Reviews Rules -->
+
+ <!-- Global properties. -->
+ <!-- Please note that not every sniff uses them and they can be overwritten per rule. -->
+ <!-- Paranoia mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
+ <config name="ParanoiaMode" value="1"/>
+
+ <!-- BadFunctions -->
+ <!-- PHP functions that can lead to security issues -->
+ <rule ref="Security.BadFunctions.Asserts"/>
+ <rule ref="Security.BadFunctions.Backticks"/>
+ <rule ref="Security.BadFunctions.CallbackFunctions"/>
+ <rule ref="Security.BadFunctions.CryptoFunctions"/>
+ <rule ref="Security.BadFunctions.EasyRFI"/>
+ <rule ref="Security.BadFunctions.EasyXSS">
+ <properties>
+ <!-- Comment out to follow global ParanoiaMode -->
+ <property name="forceParanoia" value="1"/>
+ </properties>
+ </rule>
+ <rule ref="Security.BadFunctions.ErrorHandling"/>
+ <rule ref="Security.BadFunctions.FilesystemFunctions"/>
+ <rule ref="Security.BadFunctions.FringeFunctions"/>
+ <rule ref="Security.BadFunctions.FunctionHandlingFunctions"/>
+ <rule ref="Security.BadFunctions.Mysqli"/>
+ <rule ref="Security.BadFunctions.NoEvals"/>
+ <rule ref="Security.BadFunctions.Phpinfos"/>
+ <rule ref="Security.BadFunctions.PregReplace"/>
+ <rule ref="Security.BadFunctions.SQLFunctions"/>
+ <rule ref="Security.BadFunctions.SystemExecFunctions"/>
+
+ <!-- CVE -->
+ <!-- Entries from CVE database from vendor PHP and bugs.php.net -->
+ <rule ref="Security.CVE.CVE20132110"/>
+ <rule ref="Security.CVE.CVE20134113"/>
+
+ <!-- Misc -->
+ <rule ref="Security.Misc.BadCorsHeader"/>
+ <rule ref="Security.Misc.IncludeMismatch"/>
+ <rule ref="Security.Misc.TypeJuggle"/>
 
 </ruleset>
-

example_drupal7_ruleset.xml

@@ -1,79 +1,79 @@
 <?xml version="1.0"?>
-<ruleset name="Drupal7Security">
- <description>Rules for Drupal 7 projects</description>
-<!-- Code Reviews Rules -->
-<!--
- <rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>
- <rule ref="PEAR"/>
--->
+<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Drupal7Security" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
+ <description>Rules for Drupal 7 projects</description>
 
-<!-- Security Code Reviews Rules -->
+ <!-- Code Reviews Rules -->
+ <!--
+ <rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>
+ <rule ref="PEAR"/>
+ -->
 
-<!-- Global properties -->
-<!-- Please note that not every sniff uses them and they can be overwritten by rule -->
-<!-- Framework or CMS used. Must be a class under Security_Sniffs. -->
-<config name="CmsFramework" value="Drupal7"/>
-<!-- Paranoia mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
-<config name="ParanoiaMode" value="1"/>
+ <!-- Security Code Reviews Rules -->
 
-<!-- BadFunctions -->
-<!-- PHP functions that can lead to security issues -->
-<rule ref="Security.BadFunctions.Asserts"/>
-<rule ref="Security.BadFunctions.Backticks"/>
-<rule ref="Security.BadFunctions.CallbackFunctions"/>
-<rule ref="Security.BadFunctions.CryptoFunctions"/>
-<rule ref="Security.BadFunctions.EasyRFI"/>
-<rule ref="Security.BadFunctions.EasyXSS"/>
-<rule ref="Security.BadFunctions.ErrorHandling"/>
-<rule ref="Security.BadFunctions.FilesystemFunctions"/>
-<rule ref="Security.BadFunctions.FringeFunctions"/>
-<rule ref="Security.BadFunctions.FunctionHandlingFunctions"/>
-<rule ref="Security.BadFunctions.Mysqli"/>
-<rule ref="Security.BadFunctions.NoEvals"/>
-<rule ref="Security.BadFunctions.Phpinfos"/>
-<rule ref="Security.BadFunctions.PregReplace"/>
-<rule ref="Security.BadFunctions.SQLFunctions"/>
-<rule ref="Security.BadFunctions.SystemExecFunctions"/>
+ <!-- Global properties. -->
+ <!-- Please note that not every sniff uses them and they can be overwritten per rule. -->
+ <!-- Framework or CMS used. Must be a class under Security_Sniffs. -->
+ <config name="CmsFramework" value="Drupal7"/>
+ <!-- Paranoia mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
+ <config name="ParanoiaMode" value="1"/>
 
-<!-- CVE -->
-<!-- Entries from CVE database from vendor PHP and bugs.php.net -->
-<rule ref="Security.CVE.CVE20132110"/>
-<rule ref="Security.CVE.CVE20134113"/>
+ <!-- BadFunctions -->
+ <!-- PHP functions that can lead to security issues -->
+ <rule ref="Security.BadFunctions.Asserts"/>
+ <rule ref="Security.BadFunctions.Backticks"/>
+ <rule ref="Security.BadFunctions.CallbackFunctions"/>
+ <rule ref="Security.BadFunctions.CryptoFunctions"/>
+ <rule ref="Security.BadFunctions.EasyRFI"/>
+ <rule ref="Security.BadFunctions.EasyXSS"/>
+ <rule ref="Security.BadFunctions.ErrorHandling"/>
+ <rule ref="Security.BadFunctions.FilesystemFunctions"/>
+ <rule ref="Security.BadFunctions.FringeFunctions"/>
+ <rule ref="Security.BadFunctions.FunctionHandlingFunctions"/>
+ <rule ref="Security.BadFunctions.Mysqli"/>
+ <rule ref="Security.BadFunctions.NoEvals"/>
+ <rule ref="Security.BadFunctions.Phpinfos"/>
+ <rule ref="Security.BadFunctions.PregReplace"/>
+ <rule ref="Security.BadFunctions.SQLFunctions"/>
+ <rule ref="Security.BadFunctions.SystemExecFunctions"/>
 
-<!-- Misc -->
-<rule ref="Security.Misc.BadCorsHeader"/>
-<rule ref="Security.Misc.IncludeMismatch"/>
+ <!-- CVE -->
+ <!-- Entries from CVE database from vendor PHP and bugs.php.net. -->
+ <rule ref="Security.CVE.CVE20132110"/>
+ <rule ref="Security.CVE.CVE20134113"/>
 
-<!-- Drupal7 -->
-<!-- Specific security issues of Drupal7 and advisories -->
-<rule ref="Security.Drupal7.AdvisoriesContrib">
- <exclude-pattern>(?&lt;!\.info)$</exclude-pattern>
-</rule>
-<rule ref="Security.Drupal7.AdvisoriesCore">
- <exclude-pattern>(?&lt;!includes\/bootstrap\.inc)$</exclude-pattern>
-</rule>
-<rule ref="Security.Drupal7.SQLi"/>
-<rule ref="Security.Drupal7.SQLi.D7NoDbQuery"/>
-<rule ref="Security.Drupal7.SQLi.D7DbQuerySQLi"/>
-<rule ref="Security.Drupal7.SQLi.D7DbQueryDirectVar"/>
-<rule ref="Security.Drupal7.XSSPTheme"/>
-<rule ref="Security.Drupal7.UserInputWatch">
- <properties>
- <property name="FormThreshold" value="10"/>
- <property name="FormStateThreshold" value="10"/>
- </properties>
-</rule>
-<rule ref="Security.Drupal7.XSSFormValue"/>
-<rule ref="Security.Drupal7.XSSHTMLConstruct"/>
-<rule ref="Security.Drupal7.DbQueryAC">
- <properties>
- <!-- Comment out to follow global ParanoiaMode -->
- <property name="forceParanoia" value="1"/>
- </properties>
-</rule>
-<rule ref="Security.Drupal7.DynQueries"/>
-<rule ref="Security.Drupal7.Cachei"/>
-<rule ref="Security.Drupal7.HttpRequest"/>
+ <!-- Misc -->
+ <rule ref="Security.Misc.BadCorsHeader"/>
+ <rule ref="Security.Misc.IncludeMismatch"/>
 
-</ruleset>
+ <!-- Drupal 7 -->
+ <!-- Specific security issues of Drupal7 and advisories. -->
+ <rule ref="Security.Drupal7.AdvisoriesContrib">
+ <exclude-pattern>(?&lt;!\.info)$</exclude-pattern>
+ </rule>
+ <rule ref="Security.Drupal7.AdvisoriesCore">
+ <exclude-pattern>(?&lt;!includes\/bootstrap\.inc)$</exclude-pattern>
+ </rule>
+ <rule ref="Security.Drupal7.SQLi"/>
+ <rule ref="Security.Drupal7.SQLi.D7NoDbQuery"/>
+ <rule ref="Security.Drupal7.SQLi.D7DbQuerySQLi"/>
+ <rule ref="Security.Drupal7.SQLi.D7DbQueryDirectVar"/>
+ <rule ref="Security.Drupal7.XSSPTheme"/>
+ <rule ref="Security.Drupal7.UserInputWatch">
+ <properties>
+ <property name="FormThreshold" value="10"/>
+ <property name="FormStateThreshold" value="10"/>
+ </properties>
+ </rule>
+ <rule ref="Security.Drupal7.XSSFormValue"/>
+ <rule ref="Security.Drupal7.XSSHTMLConstruct"/>
+ <rule ref="Security.Drupal7.DbQueryAC">
+ <properties>
+ <!-- Comment out to follow global ParanoiaMode -->
+ <property name="forceParanoia" value="1"/>
+ </properties>
+ </rule>
+ <rule ref="Security.Drupal7.DynQueries"/>
+ <rule ref="Security.Drupal7.Cachei"/>
+ <rule ref="Security.Drupal7.HttpRequest"/>
 
+</ruleset>