pluginscan 0.9.0

data/lib/pluginscan/reports/issues_report/issue_checks/function_check.rb

@@ -0,0 +1,32 @@
+module Pluginscan
+  # Extends Check with helpers for making patterns and ignores based on a list of function names
+  class FunctionCheck < Check
+    def initialize(check_hash)
+      check_hash.default = []
+      check_hash[:patterns] = self.class.patterns(check_hash[:patterns], check_hash[:function_names])
+      check_hash[:ignores]  = self.class.ignores(check_hash[:ignores], check_hash[:function_names])
+      super(check_hash)
+    end
+
+    def self.function_list(functions)
+      # ^             Start of line
+      # [^a-z0-9|_]   Characters which would imply that the word isn't the whole function name
+      # \s*           any amount of whitespace
+      # \\(           a literal open bracket - i.e. the start of the function arguments
+      functions.map{ |function| Regexp.new("(^|[^a-z0-9|_])(#{function})\s*\\(") }
+    end
+
+    def self.function_ignores(functions)
+      # If the author is creating a similarly named function then that should be ignored (?)
+      functions.map { |function| Regexp.new("function\s+[^a-z0-9|_]?#{function}\s*\\(") }
+    end
+
+    private def self.patterns(patterns, function_names)
+      Array(patterns) + function_list(function_names)
+    end
+
+    private def self.ignores(ignores, function_names)
+      Array(ignores) + function_ignores(function_names) + CommentChecker::COMMENT_REGEXPS
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issue_checks/variable_check.rb

@@ -0,0 +1,14 @@
+module Pluginscan
+  # Extends Check with helpers for making patterns and ignores based on a list of variables or constantst
+  class VariableCheck < Check
+    def initialize(check_hash)
+      super(check_hash)
+      @patterns = Array(check_hash[:variables]).map{ |var| Regexp.new(Regexp.escape(var)) }
+    end
+
+    def ignore?(variable, content)
+      VariableSafetyChecker.new.all_safe?(variable, content) || CommentChecker.commented?(content)
+    end
+  end
+end
+

data/lib/pluginscan/reports/issues_report/issue_checks/variable_safety_checker.rb

@@ -0,0 +1,112 @@
+module Pluginscan
+  # Responsible for deciding whether usages of a variable in a string are safe
+  class VariableSafetyChecker
+    # Functions which, if they surround the variable, make it safe
+    # because they return a boolean and not the value of the varaible
+    SAFE_FUNCTIONS = [
+      "isset",
+      "empty",
+      "in_array",
+      "strpos",
+      "strlen",
+      "if",
+      "switch",
+      "is_email",
+
+      # PHP typechecks - seen in the wild:
+      "is_array",
+
+      # PHP typechecks - not seen in the wild:
+      "is_bool",
+      "is_callable",
+      "is_double",
+      "is_float",
+      "is_int",
+      "is_integer",
+      "is_long",
+      "is_null",
+      "is_numeric",
+      "is_object",
+      "is_real",
+      "is_resource",
+      "is_scalar",
+      "is_string",
+
+      "intval",
+      "absint",
+      "wp_verify_nonce",
+      "count",
+      "sizeof",
+      "unset",
+
+      # Candidates for inclusion - not seen in the wild:
+      # "gettype",
+      # "settype",
+      # "boolval",
+      # "doubleval", # might match eval?
+      # "floatval",
+    ].freeze
+
+    # Infixes which, if they are used around the variable, make it safe,
+    # because they are checking the value, not returning it
+    SAFE_INFIXES = [
+      '==',
+      '===',
+      '!=',
+      '!==',
+      '<',
+      '>',
+      '<=',
+      '>=',
+    ].freeze
+
+    INFIX_CHARS = %w(= < > !).freeze
+
+    def all_safe?(variable, content)
+      match_count(variable, content) <= safe_count(variable, content)
+    end
+
+    def match_count(variable, content)
+      content.scan(variable).count # `scan` returns ALL matches
+    end
+
+    def safe_count(variable, content)
+      safe_function_count(variable, content) +
+        safe_infix_count(variable, content)
+    end
+
+
+
+    # The number of matches which are safe by being wrapped in a function
+    private def safe_function_count(variable, content)
+      SAFE_FUNCTIONS.map { |function|
+        wrapped_in_function_count(function, variable, content)
+      }.inject(:+)
+    end
+
+    # The number of matches which are safe by being checked in an infix
+    private def safe_infix_count(variable, content)
+      SAFE_INFIXES.map { |infix|
+        used_in_infix_check_count(infix, variable, content)
+      }.inject(:+)
+    end
+
+    # TODO: the below methods feel private, but are directly tested
+    #   That makes me feel like there's an object to be extracted here
+    def used_in_infix_check_count(infix, variable, content)
+      variable = Regexp.escape variable
+      infix    = Regexp.escape infix
+      non_infix = "[^#{Regexp.escape INFIX_CHARS.join}]"
+
+      equals_before_regexp = /#{non_infix}#{infix}\ *#{variable}\ *\[/
+      equals_after_regexp  = /#{variable}\ *\[[^\[]+\]\ *#{infix}#{non_infix}/
+      content.scan(equals_before_regexp).count +
+        content.scan(equals_after_regexp).count
+    end
+
+    def wrapped_in_function_count(function_name, variable, content)
+      variable = Regexp.escape variable
+      content.scan(/#{function_name}\ *\(\ *#{variable}[^)]*\)/).count
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_models/check_findings.rb

@@ -0,0 +1,29 @@
+module Pluginscan
+  Finding = Struct.new(:lineno, :line, :match, :ignored)
+
+  class CheckFindings
+    attr_reader :findings
+    attr_reader :check
+
+    def initialize(check)
+      @check = check
+      @findings = []
+    end
+
+    def add(more_findings)
+      @findings += more_findings
+    end
+
+    def any_findings?
+      !findings.empty?
+    end
+
+    def all_ignored?
+      @findings.all?(&:ignored)
+    end
+
+    def count
+      findings.count
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_models/issues.rb

@@ -0,0 +1,31 @@
+module Pluginscan
+  # Wraps a couple of helper methods around an array of issues
+  class Issues
+    include Enumerable
+
+    def initialize(issues)
+      @issues = issues
+    end
+
+    def each(&block)
+      @issues.each(&block)
+    end
+
+    def scanned_files_count
+      @issues.count
+    end
+
+    def found_problems_count
+      found_problems.reduce(0){ |count, (_file, file_findings)| count + file_findings.map(&:count).reduce(:+) }
+    end
+
+    private def files
+      @issues.keys
+    end
+
+    private def found_problems
+      # Ignore files which didn't have any problems
+      Issues.new(@issues.select { |_file, file_findings| !file_findings.empty? })
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_printer.rb

@@ -0,0 +1,34 @@
+require 'pluginscan/printer'
+require 'pluginscan/reports/issues_report/issues_printer/file_issues_printer'
+require 'pluginscan/reports/issues_report/issues_printer/check_findings_printer'
+require 'pluginscan/reports/issues_report/issues_printer/finding_printer'
+
+module Pluginscan
+  class IssuesPrinter < Printer
+    def initialize(hide_ignores, output = $stdout)
+      @hide_ignores = hide_ignores
+      @output = output
+    end
+
+    def print(data)
+      issues = data[:issues]
+      file_count = data[:file_count]
+      print_headline(issues, file_count)
+      print_results(issues)
+    end
+
+  private
+
+    def print_headline(issues, file_count)
+      @output.puts "Scanned #{issues.scanned_files_count} out of #{file_count} files and found #{issues.found_problems_count} things:".color(:blue)
+    end
+
+    def print_results(issues)
+      printer = FileIssuesPrinter.new(@hide_ignores, @output)
+      issues.each do |file, findings|
+        findings = findings.reject(&:all_ignored?) if @hide_ignores
+        printer.print(file, findings)
+      end
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_printer/check_findings_printer.rb

@@ -0,0 +1,37 @@
+module Pluginscan
+  # Responsible for printing a check description and all of the
+  # findings associated with that check
+  class CheckFindingsPrinter < Printer
+    def print(check, findings)
+      return if findings.empty? && check.name != 'Encoding' # Encoding deliberately has no findings because its a file-level check. TODO: Find a better way to handle this. The benefits of filtering out findings before we try and print them are significant.
+
+      @output.puts CheckView.new(check).title_line
+      print_findings(findings)
+      print_blank_line
+    end
+
+  private
+
+    def print_findings(findings)
+      printer = FindingPrinter.new(@output)
+      findings.each do |finding|
+        printer.print(finding)
+      end
+    end
+  end
+
+  # Decorate Check with view-specific methods
+  class CheckView < SimpleDelegator
+    def initialize(check)
+      @check = check
+      super
+    end
+
+    def title_line
+      name = "#{@check.name}:".color(:red)
+      message = @check.message.color(:yellow)
+
+      "  #{name} #{message}"
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_printer/file_issues_printer.rb

@@ -0,0 +1,36 @@
+require 'delegate' # This shouldn't (?) be required - should be autoloaded, but apparently isn't
+
+module Pluginscan
+  # Print a findings report for an individual file
+  class FileIssuesPrinter < Printer
+    def initialize(hide_ignores, output = $stdout)
+      @hide_ignores = hide_ignores
+      @output = output
+    end
+
+    def print(file, checks_findings)
+      return if checks_findings.empty?
+
+      @output.puts FileView.new(file).file_path
+      print_findings(checks_findings)
+      # Doesn't need a blank line: each block of findings ends with a blank line
+    end
+
+  private
+
+    def print_findings(checks_findings)
+      printer = CheckFindingsPrinter.new(@output)
+      checks_findings.each do |check_findings|
+        findings = check_findings.findings
+        findings.reject!(&:ignored) if @hide_ignores
+        printer.print(check_findings.check, findings)
+      end
+    end
+  end
+
+  class FileView < SimpleDelegator
+    def file_path
+      color(:green)
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_printer/finding_printer.rb

@@ -0,0 +1,38 @@
+module Pluginscan
+  # Responsible for printing a single finding on the command line
+  class FindingPrinter < Printer
+    def print(finding)
+      finding = FindingView.new(finding)
+      finding = IgnoredFindingView.new(finding) if finding.ignored
+      @output.puts finding.source_line
+    end
+  end
+
+  class FindingView < SimpleDelegator
+    def source_line
+      data = {
+        lineno:  lineno,
+        line:    highlight_matches(line.strip),
+      }
+
+      # pad line number to 5. Because some plugin files really are over 10k lines
+      format "     %<lineno>5s: %{line}\n", data
+    end
+
+  private
+
+    def highlight_matches(line)
+      return line unless match # TODO: nil checks are evil!
+
+      line.gsub match, match.color(:cyan)
+    end
+  end
+
+  class IgnoredFindingView < SimpleDelegator
+    def source_line
+      i_symbol = "[I]".color(:red)
+
+      super.gsub(/^     /, "  #{i_symbol}")
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_printer_factory.rb

@@ -0,0 +1,19 @@
+require 'pluginscan/reports/issues_report/issues_printer'
+require 'pluginscan/reports/issues_report/error_list_printer'
+
+module Pluginscan
+  # Responsible for creating an object which can print out the list of issues
+  # in one of several different ways
+  class IssuesPrinterFactory
+    def self.create_printer(issues_format, hide_ignores = false, output = $stdout)
+      case issues_format
+      when :report
+        IssuesPrinter.new(hide_ignores, output)
+      when :error_list
+        ErrorListPrinter.new(hide_ignores, output)
+      else
+        fail Pluginscan::UnknownIssuesFormat, "Unknown issues formatter '#{issues_format}'"
+      end
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_scanner.rb

@@ -0,0 +1,49 @@
+require 'pluginscan/reports/issues_report/issues_scanner/file_issues_scanner'
+require 'pluginscan/reports/issues_report/issues_scanner/line_issues_scanner'
+require 'pluginscan/reports/issues_report/issues_scanner/utf8_checker'
+require 'pluginscan/reports/issues_report/issues_models/check_findings'
+require 'pluginscan/reports/issues_report/issues_models/issues'
+
+module Pluginscan
+  class IssuesScanner
+    def initialize(checks)
+      file_issues_scanner = FileIssuesScanner.new(checks)
+      @file_scanner = FileScanner.new(file_issues_scanner)
+    end
+
+    def scan(files)
+      issues = scan_files(files)
+
+      Issues.new(issues)
+    end
+
+  private
+
+    def scan_files(file_paths)
+      file_paths.inject({}) do |issues, file_path|
+        issues.merge file_path => scan_file(file_path)
+      end
+    end
+
+    def scan_file(file_path)
+      file_contents = File.read(file_path)
+      @file_scanner.scan(file_contents)
+    end
+  end
+
+  # Responsible for checking that a file's contents is valid
+  # and if so, running an issues scan on it
+  class FileScanner
+    def initialize(issues_scanner)
+      @issues_scanner = issues_scanner
+    end
+
+    def scan(file_contents)
+      # Check file contents are valid UTF-8 to avoid exceptions later
+      invalid_utf8 = UTF8Checker.new.check(file_contents)
+      return Array(invalid_utf8) if invalid_utf8
+
+      @issues_scanner.scan(file_contents)
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_scanner/file_issues_scanner.rb

@@ -0,0 +1,39 @@
+require 'stringio'
+
+module Pluginscan
+  # Responsible for scanning a file for a set of issue types
+  class FileIssuesScanner
+    attr_reader :file_results
+
+    def initialize(checks)
+      @checks = checks
+    end
+
+    # Returns an array of CheckFindings objects
+    def scan(file_contents)
+      # Run each check on the file
+      checks_findings = @checks.map { |check| LinesIssuesScanner.new(check).scan(file_contents) }
+      checks_findings.select(&:any_findings?)
+    end
+  end
+end
+
+module Pluginscan
+  # Responsible for scanning each line of a file for issues of a certain type
+  class LinesIssuesScanner
+    def initialize(check)
+      @line_issues_scanner = LineIssuesScanner.new(check)
+      @check_findings = CheckFindings.new(check)
+    end
+
+    def scan(file_contents)
+      string_io = StringIO.new(file_contents)
+      @check_findings.tap do |check_findings|
+        string_io.each_line do |line|
+          check_findings.add @line_issues_scanner.scan(line, string_io.lineno)
+        end
+      end
+    end
+  end
+end
+