is_token_user_input categorizes many variables incorrectly

[aldenbe]

The is_token_user_input function in utils blanketly categorizes $_FILES, $_SERVER, and $_ENV as direct user input. This leads to a high volume of false positives when using server generated values in these variables.

[jmarcil]

Fair point.

However, those variables, especially _FILES and _SERVER can actually have user input, so we can't really suppress them just like that.

One thing that could be done would be to add a list of safe keys and skip them went not in paranoia mode. This won't be an easy task. Like 'SERVER_SOFTWARE' is okay, 'HTTP_REFERER' is definitely not okay and 'REQUEST_METHOD' is debatable depending on the server and 'SERVER_NAME' depending on the server config.

Currently there's no planned big efforts to provide a better lowered false positive (like #31), but I'm sure this would be on top of any list after we solve the documentation problem (#44).

I'll keep this open to be considered once we're there.

Thanks

[jmarcil]

Oh wow I'm so consistent without remembering anything it's scary.

See https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php#L42

We do are using is_token_false_positive in utils with some of those safe SERVER vars I was talking about.

This is just an example on how it could be done, as I don't think getSafeServerVars is used anywhere else than the EasyRFISniff.