PHP_CodeSniffer icon indicating copy to clipboard operation
PHP_CodeSniffer copied to clipboard
verified publisher icon PHPCSStandards

"Referenced sniff does not exist" error when ruleset was auto-discovered via path traversal

Open jrfnl opened this issue 8 months ago • 0 comments

Describe the bug

If no --standard=... is provided on the command-line, PHPCS will automatically try to find a ruleset with any of the following names: .phpcs.xml, phpcs.xml, .phpcs.xml.dist, phpcs.xml.dist in the current working directory and if it doesn't find one in the current directory, it will traverse up the directory tree trying to find a ruleset file in one of the higher level directories.

If such a ruleset file found in a higher level directory then includes another ruleset file, like a phpcs.xml file using <rule ref="phpcs.xml.dist"/> and "ERROR: Referenced sniff "phpcs.xml.dist" does not exist." will display.

Any included path found in a ruleset should always be evaluated in relation to the ruleset, but I suspect this rule is broken when path traversal has been used to find a ruleset in a higher level directory.

To reproduce

  1. Create a directory for the test setup with the following directory structure: 
    - Dir: toplevel
 - File: `phpcs.xml.dist`
 - File: `phpcs.xml`
 - Dir: subdir
   - File: `test.php`
  2. Put the following contents in the file called phpcs.xml.dist: 
    <?xml version="1.0"?>
<ruleset name="My Custom Standard">
    <rule ref="PSR12"/>
</ruleset>
  3. Put the following in the file called phpcs.xml: 
    <?xml version="1.0"?>
<ruleset name="Overloaded Custom Standard">
    <rule ref="phpcs.xml.dist"/>
</ruleset>
  4. Put the following in the file called subdir/test.php: 
    <?php
echo 'hello!';
  5. Navigate to the toplevel/subdir directory.
  6. From within that directory, execute the following command: 
    phpcs -ps ./test.php
  7. See the error.

Expected behavior

No error, i.e. for PHPCS to find the phpcs.xml.dist ruleset, include and read it and then execute the scan.

Versions (please complete the following information)
Operating System not relevant (Windows 10)
PHP version not relevant (8.4.6)
PHP_CodeSniffer version master
Standard see reproduction example
Install type not relevant (git clone)

Please confirm

  • [x] I have searched the issue list and am not opening a duplicate issue.
  • [x] I have read the Contribution Guidelines and this is not a support question.
  • [x] I confirm that this bug is a bug in PHP_CodeSniffer and not in one of the external standards.
  • [x] I have verified the issue still exists in the master branch of PHP_CodeSniffer.

jrfnl avatar May 02 '25 21:05 jrfnl