WP/AlternativeFunctions: fails to detect namespaced and class-based function/constant calls

[rodrigoprimo]

The sniff WordPress.WP.AlternativeFunctions checks for function calls and constants in the first parameter of file_get_contents() without differentiating global and non-global function calls and constants. It also fails to differentiate between functions/constants, and class methods/class constants. This leads to false negatives in some cases.

All the examples below don't trigger the sniff, but they should:

file_get_contents(MyNamespace\WP_Upload_Dir()['path'] . 'subdir/file.inc');
file_get_contents(\MyNamespace\WP_Upload_Dir()['path'] . 'subdir/file.inc');
file_get_contents(namespace\WP_Upload_Dir()['path'] . 'subdir/file.inc');
file_get_contents(MyNamespace\ABSPATH . 'wp-admin/css/some-file.css');
file_get_contents(\MyNamespace\ABSPATH . 'wp-admin/css/some-file.css');
file_get_contents(namespace\ABSPATH . 'wp-admin/css/some-file.css');

file_get_contents(MyClass::wp_upload_dir() . 'subdir/file.inc');
file_get_contents($this->wp_upload_dir() . 'subdir/file.inc');
file_get_contents(MyClass::ABSPATH . 'subdir/file.inc');
file_get_contents($this->ABSPATH . 'subdir/file.inc');

[jrfnl]

Valid point.

On the one hand, some of these could probably be prevented already by making the regex more specific with a (negative) look-behind. On the other hand, the regex could just function as an "initial filter", with token walking to confirm that it is actually a global constant/function call if something would pass the initial filter.

Having said that, if we'd move to token walking (with or without the initial filtering with the regex), this token walking will be more straight forward to do once support for PHPCS 3.x has been dropped.

And considering nobody has complained about this bug before now, I think there is no rush to fix this and we can leave this till later when PHPCS 3.x support has been dropped.