<?php
/**
 * WordPress Coding Standard.
 *
 * @package WPCS\WordPressCodingStandards
 * @link    https://github.com/WordPress/WordPress-Coding-Standards
 * @license https://opensource.org/licenses/MIT MIT
 */

namespace WordPressCS\WordPress\Sniffs\Security;

use PHPCSUtils\Utils\PassedParameters;
use WordPressCS\WordPress\AbstractFunctionParameterSniff;

/**
 * Warn about __FILE__ for page registration.
 *
 * @link https://vip.wordpress.com/documentation/vip-go/code-review-blockers-warnings-notices/#using-__file__-for-page-registration
 *
 * @since 0.3.0
 * @since 0.11.0 Refactored to extend the new WordPressCS native
 *               `AbstractFunctionParameterSniff` class.
 * @since 0.13.0 Class name changed: this class is now namespaced.
 * @since 1.0.0  This sniff has been moved from the `VIP` category to the `Security` category.
 */
final class PluginMenuSlugSniff extends AbstractFunctionParameterSniff {

	/**
	 * The group name for this group of functions.
	 *
	 * @since 0.11.0
	 *
	 * @var string
	 */
	protected $group_name = 'add_menu_functions';

	/**
	 * Functions which can be used to add pages to the WP Admin menu.
	 *
	 * @since 0.3.0
	 * @since 0.11.0 Renamed from $add_menu_functions to $target_functions
	 *               and changed visibility to protected.
	 * @since 3.0.0  The format of the value has changed from a numerically indexed
	 *               array containing parameter positions to an array with the parameter
	 *               position as the index and the parameter name as value.
	 *
	 * @var array<string, array<int, string|array>> Key is the name of the functions being targeted.
	 *                                              Value is an array with parameter positions as the
	 *                                              keys and parameter names as the values
	 */
	protected $target_functions = array(
		'add_comments_page'   => array(
			4 => 'menu_slug',
		),
		'add_dashboard_page'  => array(
			4 => 'menu_slug',
		),
		'add_links_page'      => array(
			4 => 'menu_slug',
		),
		'add_management_page' => array(
			4 => 'menu_slug',
		),
		'add_media_page'      => array(
			4 => 'menu_slug',
		),
		'add_menu_page'       => array(
			4 => 'menu_slug',
		),
		'add_object_page'     => array(
			4 => 'menu_slug',
		),
		'add_options_page'    => array(
			4 => 'menu_slug',
		),
		'add_pages_page'      => array(
			4 => 'menu_slug',
		),
		'add_plugins_page'    => array(
			4 => 'menu_slug',
		),
		'add_posts_page'      => array(
			4 => 'menu_slug',
		),
		'add_submenu_page'    => array(
			1 => 'parent_slug',
			5 => 'menu_slug',
		),
		'add_theme_page'      => array(
			4 => 'menu_slug',
		),
		'add_users_page'      => array(
			4 => 'menu_slug',
		),
		'add_utility_page'    => array(
			4 => 'menu_slug',
		),
	);

	/**
	 * Process the parameters of a matched function.
	 *
	 * @since 0.11.0
	 *
	 * @param int    $stackPtr        The position of the current token in the stack.
	 * @param string $group_name      The name of the group which was matched.
	 * @param string $matched_content The token content (function name) which was matched
	 *                                in lowercase.
	 * @param array  $parameters      Array with information about the parameters.
	 *
	 * @return void
	 */
	public function process_parameters( $stackPtr, $group_name, $matched_content, $parameters ) {
		foreach ( $this->target_functions[ $matched_content ] as $position => $param_name ) {
			$found_param = PassedParameters::getParameterFromStack( $parameters, $position, $param_name );
			if ( false === $found_param ) {
				continue;
			}

			$file_constant = $this->phpcsFile->findNext( \T_FILE, $found_param['start'], ( $found_param['end'] + 1 ) );
			if ( false !== $file_constant ) {
				$this->phpcsFile->addWarning( 'Using __FILE__ for menu slugs risks exposing filesystem structure.', $file_constant, 'Using__FILE__' );
			}
		}
	}
}