Merge pull request #52 from magento/48-RawQuerySniff

#48: Move RawQuerySniff

Author: lenaorobei

Magento/Sniffs/SQL/RawQuerySniff.php

@@ -0,0 +1,85 @@
+<?php
+/**
+ * Copyright © Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Sniffs\SQL;
+
+use PHP_CodeSniffer\Sniffs\Sniff;
+use PHP_CodeSniffer\Files\File;
+use PHP_CodeSniffer\Util\Tokens;
+
+/**
+ * Detects possible raw SQL queries.
+ */
+class RawQuerySniff implements Sniff
+{
+    /**
+     * String representation of warning.
+     *
+     * @var string
+     */
+    protected $warningMessage = 'Possible raw SQL statement %s detected.';
+    /**
+     * Warning violation code.
+     *
+     * @var string
+     */
+    protected $warningCode = 'FoundRawSql';
+    /**
+     * List of SQL statements.
+     *
+     * @var array
+     */
+    protected $statements = [
+        'SELECT',
+        'UPDATE',
+        'INSERT',
+        'CREATE',
+        'DELETE',
+        'ALTER',
+        'DROP',
+        'TRUNCATE'
+    ];
+    /**
+     * List of query functions.
+     *
+     * @var array
+     */
+    protected $queryFunctions = [
+        'query'
+    ];
+    /**
+     * @inheritdoc
+     */
+    public function register()
+    {
+        return array_merge(Tokens::$stringTokens, [T_HEREDOC, T_NOWDOC]);
+    }
+    /**
+     * @inheritdoc
+     */
+    public function process(File $phpcsFile, $stackPtr)
+    {
+        $tokens = $phpcsFile->getTokens();
+        $ignoredTokens = array_merge([T_WHITESPACE, T_OPEN_PARENTHESIS], Tokens::$stringTokens);
+        $prev = $tokens[$phpcsFile->findPrevious($ignoredTokens, $stackPtr - 1, null, true)];
+        if ($prev['code'] === T_EQUAL
+            || ($prev['code'] === T_STRING && in_array($prev['content'], $this->queryFunctions))
+            || in_array($tokens[$stackPtr]['code'], [T_HEREDOC, T_NOWDOC])
+        ) {
+            $trim = function ($str) {
+                return trim(str_replace(['\'', '"'], '', $str));
+            };
+
+            if (preg_match('/^(' . implode('|', $this->statements) . ')\s/i', $trim($tokens[$stackPtr]['content']))) {
+                $phpcsFile->addWarning(
+                    $this->warningMessage,
+                    $stackPtr,
+                    $this->warningCode,
+                    [trim($tokens[$stackPtr]['content'])]
+                );
+            }
+        }
+    }
+}

Magento/Tests/SQL/RawQueryUnitTest.inc

@@ -0,0 +1,114 @@
+<?php
+
+class RawQueryTest
+{
+    /**
+     * @var \Magento\Framework\App\ResourceConnection
+     */
+    private $connection;
+
+    public function __construct(Magento\Framework\App\ResourceConnection $connection)
+    {
+        $this->connection = $connection;
+    }
+
+    private function insertOneRow($ccode, $county, $city, $tax_rate)
+    {
+        $query = '
+            insert INTO `tax_zipcode` (
+                `zipcode` ,
+                `county` ,
+                `city` ,
+                `tax_rate`
+            )
+            VALUES (
+            ' . '\'' . $ccode . '\', \'' . $county . '\', \'' . $city . '\', ' . $tax_rate . ')
+            ON DUPLICATE KEY UPDATE `tax_rate` = ' . $tax_rate . ';';
+
+
+        $this->connection->query($query);
+    }
+
+    public function delete()
+    {
+        $this->connection->query(
+            '      DELETE FROM table_name'
+        );
+    }
+
+    public function delete2()
+    {
+
+        $this->connection->query(
+            "
+            DROP table table_name"
+        );
+    }
+
+    public function truncate()
+    {
+        $this->connection->query(
+            '
+            TRUNCATE table table_name'
+        );
+    }
+
+    public function runQuery($countyInfo, $countyName)
+    {
+        $query = '
+            UPDATE `table_name`
+            SET `tax_rate` = \'' . $countyInfo['tax_percentage'] . '\',
+                `auth_code` = \'' . $countyInfo['auth_code'] . '\'
+            WHERE county = \'' . $countyName . '\'';
+        $this->connection->query($query);
+
+        $this->connection->query('CREATE TABLE Persons
+                (
+                PersonID int,
+                LastName varchar(255),
+                FirstName varchar(255),
+                Address varchar(255),
+                City varchar(255)
+                );');
+    }
+
+    public function getQuery($period)
+    {
+        $this->_period = $period;
+
+        $query = "
+            select `report_data`
+            FROM `trending_report`
+            WHERE `created_at` <= CURDATE( )
+            AND CURDATE( ) <= `expire_at`
+            AND `last_for` = ' . $period . '
+            ORDER BY `created_at` DESC
+            LIMIT 1
+		";
+
+        return $query;
+    }
+}
+
+$installer = $this;
+
+$installer->run("
+    ALTER TABLE `{$installer->getTable('enterprise_catalogpermissions/permission')}`
+        CHANGE `website_id` `website_id` SMALLINT(5) UNSIGNED DEFAULT NULL,
+        CHANGE `customer_group_id` `customer_group_id` SMALLINT(3) UNSIGNED DEFAULT NULL;
+");
+
+$q = <<<EOT
+    select * from table_name1
+EOT;
+
+$q2 = <<<'EOT'
+    select * from table_name2
+EOT;
+
+$q3 = 'select * from table_name3';
+$q4 = 'Selects from database';
+$q5 = '<select></select>';
+
+$message = 'ERROR : UPDATE SINGLE CONTACT';
+$message2 = 'ERROR : SELECT SINGLE CONTACT';

Magento/Tests/SQL/RawQueryUnitTest.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Copyright © Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Tests\SQL;
+
+use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+
+/**
+ * Class RawQueryUnitTest
+ */
+class RawQueryUnitTest extends AbstractSniffUnitTest
+{
+    /**
+     * @inheritdoc
+     */
+    public function getErrorList()
+    {
+        return [];
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getWarningList()
+    {
+        return [
+            18 => 1,
+            35 => 1,
+            44 => 1,
+            52 => 1,
+            59 => 1,
+            65 => 1,
+            80 => 1,
+            102 => 1,
+            106 => 1,
+            109 => 1,
+        ];
+    }
+}

Magento/ruleset.xml

@@ -99,6 +99,10 @@
         <severity>9</severity>
         <type>warning</type>
     </rule>
+    <rule ref="Magento.SQL.RawQuery">
+        <severity>9</severity>
+        <type>warning</type>
+    </rule>
     <rule ref="Squiz.PHP.NonExecutableCode">
         <severity>9</severity>
         <type>warning</type>