Skip to content

"Referenced sniff does not exist" error when ruleset was auto-discovered via path traversal #1073

New issue
New issue
Open
Open
"Referenced sniff does not exist" error when ruleset was auto-discovered via path traversal#1073
Labels
Core Component: Config & CLI optionsCore Component: RulesetStatus: needs investigationType: bug
@jrfnl

Description

@jrfnl
jrfnl
opened on May 2, 2025

Describe the bug

If no --standard=... is provided on the command-line, PHPCS will automatically try to find a ruleset with any of the following names: .phpcs.xml, phpcs.xml, .phpcs.xml.dist, phpcs.xml.dist in the current working directory and if it doesn't find one in the current directory, it will traverse up the directory tree trying to find a ruleset file in one of the higher level directories.

If such a ruleset file found in a higher level directory then includes another ruleset file, like a phpcs.xml file using <rule ref="phpcs.xml.dist"/> and "ERROR: Referenced sniff "phpcs.xml.dist" does not exist." will display.

Any included path found in a ruleset should always be evaluated in relation to the ruleset, but I suspect this rule is broken when path traversal has been used to find a ruleset in a higher level directory.

To reproduce

  1. Create a directory for the test setup with the following directory structure: 
    - Dir: toplevel
 - File: `phpcs.xml.dist`
 - File: `phpcs.xml`
 - Dir: subdir
   - File: `test.php`
  2. Put the following contents in the file called phpcs.xml.dist: 
    <?xml version="1.0"?>
<ruleset name="My Custom Standard">
    <rule ref="PSR12"/>
</ruleset>
  3. Put the following in the file called phpcs.xml: 
    <?xml version="1.0"?>
<ruleset name="Overloaded Custom Standard">
    <rule ref="phpcs.xml.dist"/>
</ruleset>
  4. Put the following in the file called subdir/test.php: 
    <?php
echo 'hello!';
  5. Navigate to the toplevel/subdir directory.
  6. From within that directory, execute the following command: 
    phpcs -ps ./test.php
  7. See the error.

Expected behavior

No error, i.e. for PHPCS to find the phpcs.xml.dist ruleset, include and read it and then execute the scan.

Versions (please complete the following information)
Operating System not relevant (Windows 10)
PHP version not relevant (8.4.6)
PHP_CodeSniffer version master
Standard see reproduction example
Install type not relevant (git clone)

Please confirm

  • I have searched the issue list and am not opening a duplicate issue.
  • I have read the Contribution Guidelines and this is not a support question.
  • I confirm that this bug is a bug in PHP_CodeSniffer and not in one of the external standards.
  • I have verified the issue still exists in the master branch of PHP_CodeSniffer.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Core Component: Config & CLI optionsCore Component: RulesetStatus: needs investigationType: bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions