Merge pull request #2572 from rodrigoprimo/nonce-verification-fix-function-name-case-false-positive

Security/NonceVerification: handle function names case correctly

Author: dingo-d

WordPress/Sniffs/Security/NonceVerificationSniff.php

@@ -309,8 +309,10 @@ private function has_nonce_check( $stackPtr, array $cache_keys, $allow_nonce_aft
 				continue;
 			}
 
+			$content_lc = \strtolower( $this->tokens[ $i ]['content'] );
+
 			// If this is one of the nonce verification functions, we can bail out.
-			if ( isset( $this->nonceVerificationFunctions[ $this->tokens[ $i ]['content'] ] ) ) {
+			if ( isset( $this->nonceVerificationFunctions[ $content_lc ] ) ) {
 				/*
 				 * Now, make sure it is a call to a global function.
 				 */
@@ -416,6 +418,8 @@ protected function mergeFunctionLists() {
 				$this->nonceVerificationFunctions
 			);
 
+			$this->nonceVerificationFunctions = array_change_key_case( $this->nonceVerificationFunctions );
+
 			$this->addedCustomNonceFunctions = $this->customNonceVerificationFunctions;
 		}
 	}

WordPress/Tests/Security/NonceVerificationUnitTest.1.inc

@@ -486,3 +486,41 @@ enum MyEnum {
 		echo $_POST['foo']; // OK.
 	}
 }
+
+// Good, has a nonce check. Ensure the check is case-insensitive as function names are case-insensitive in PHP.
+function ajax_process() {
+    CHECK_AJAX_REFERER( 'something' );
+
+    update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[] MIXED_case_NAME
+function non_ascii_characters() {
+    MIXED_case_NAME( $_POST['something'] ); // Passing $_POST to ensure the sniff bails correctly for variables inside the nonce verification function.
+
+    update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[]
+
+/*
+ * Test case handling of non-ASCII characters in function names.
+ */
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[] déjà_vu
+function same_function_same_case() {
+    déjà_vu( 'something' ); // Ok.
+
+    update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+
+function same_function_different_case() {
+    DéJà_VU( 'something' ); // Ok.
+
+    update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+
+function different_function_name() {
+    dÉjÀ_vu( 'something' ); // Bad, dÉjÀ_vu() and déjà_vu() are NOT the same function.
+
+    update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[]

WordPress/Tests/Security/NonceVerificationUnitTest.php

@@ -74,6 +74,7 @@ public function getErrorList( $testFile = '' ) {
 					453 => 1,
 					470 => 1,
 					478 => 1,
+					524 => 2,
 				);
 
 			case 'NonceVerificationUnitTest.2.inc':