Security/ValidatedSanitizedInput: use PHPCSutils and bug fixes #2362
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 tasks
A superglobal key being unset doesn't need sanitization or validation, however, the unset should _not_ be seen as validation for use of the superglobal key later on. This bug was introduced long ago (0.3.0 - 64fab4f) and later moved into the `is_validated()` method via ba15db9 Discovered when making some changes to the tests for the `ValidatedSanitizedInput` sniff. Includes dedicated test for this situation.
Discovered when making some changes to the tests for the `ValidatedSanitizedInput` sniff. A number of the tests in that file are in the _global_ scope. As things were, if validation was encountered for a particular superglobal key in a _closed_ scope (function, class) prior to the use of the superglobal key in the _global_ scope, the superglobal key would be seen as correctly validated, even though the code within the closed scope may not have been executed. IMO tracking whether the code within the closed scope is executed is outside the scope of this sniff and a "missing validation" error should be thrown for those cases. And while PHP 7.4+ arrow functions are _open_ scopes, validation done within an arrow function should not be counted as valid for superglobals used _outside the arrow function, though validation done outside an arrow function should IMO be okay for superglobals used _within_ an arrow function. Fixed now. Includes a minor tweak to the pre-existing tests for the case which made me discover the bug (superglobal use in global scope). Includes additional tests with closed scopes within an already closed scope. Includes additional tests documenting the behaviour around arrow functions.
…amined are used in tests The `$_SERVER` and `$_COOKIE` superglobals are being examined by the sniff, but there were no tests safeguarding this. Fixed now by adjusting some pre-existing tests.
…rmination [1] Previously, the sniff would disregard the `$_SESSION` and `$_ENV` superglobals. This is now no longer the case when examining variables embedded in text strings. This may have been on purpose, but I could not find any discussion about this and it seems more consistent (and more correct) to flag the unvalidated/unsanitized use of **all** superglobals. Note: the `$GLOBALS` superglobal is exempt as in that case, any variable may be accessed (`$GLOBALS['var']`), not just superglobals (`$GLOBALS['_GET']`). Includes tests.
…rmination [2] Previously, the sniff would disregard the `$_SESSION` and `$_ENV` superglobals. This will now no longer be the case when the sniff examines variable tokens. I suspect these superglobals were originally disregarded as the values in these superglobals are not slashed by WP (see the below refs), but that doesn't mean the values shouldn't be validated and sanitized before use. The strange thing is that `$_FILES` _was_ already being examined, even though it also isn't slashed by WP. The sniff, however, would throw an incorrect "requires unslashing" error when the `$_FILES` superglobal was being used. Also see bug report 1720. Either way, along the same lines of the previous commit, when examining variable tokens, the `ValidatedSanitizedInput` sniff will now take all superglobals into account, with the exception of the `$GLOBALS` superglobal (this last bit is the same as before). As the values in the `$_FILES`, `$_SESSION` and `$_ENV` superglobals aren't slashed by WP, they get an exception for the "unslash" error. And as the `Sniff::$input_superglobals` property is now unused, I'm removing it. Includes tests. Fixes 1720 Refs: * https://developer.wordpress.org/reference/functions/wp_magic_quotes/ * https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/load.php#L1229-L1238
…alesce equals PR 1684 (WPCS 2.1.0) already took care of the handling of validation via the null coalesce equals assignment operator, but there was one test case missing. This adds that extra test as an additional safeguard.
When a superglobal is used in a match condition, it doesn't need to be unslashed/sanitized. This is already handled correctly, this just adds a test to safeguard this.
When a superglobal is used in the match return expressions, it should be validated, unslashed and sanitized. This is already handled correctly, this just adds a test to safeguard this.
…informative Previously, the error would read `$_POST data not unslashed...`. Now, the error message will show the exact variable with keys we're talking about like `$_POST['key'] not unslashed...`.
jrfnl
force-pushed
the
feature/validatedsanitizedinput-use-phpcsutils-and-more-fixes
branch
from
0e634e6 to
5f8fe49
Compare
|
@dingo-d 💯 Duh... I should have done that out of habit... fixed now. |
dingo-d
approved these changes
Aug 19, 2023
GaryJones
deleted the
feature/validatedsanitizedinput-use-phpcsutils-and-more-fixes
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ValidationHelper: bug fix - unsetting is not validation
A superglobal key being unset doesn't need sanitization or validation, however, the unset should not be seen as validation for use of the superglobal key later on.
This bug was introduced long ago (0.3.0 - 64fab4f) and later moved into the
is_validated()method via ba15db9Discovered when making some changes to the tests for the
ValidatedSanitizedInputsniff.Includes dedicated test for this situation.
ValidationHelper: bug fix - validation done in another scope
Discovered when making some changes to the tests for the
ValidatedSanitizedInputsniff.A number of the tests in that file are in the global scope.
As things were, if validation was encountered for a particular superglobal key in a closed scope (function, class) prior to the use of the superglobal key in the global scope, the superglobal key would be seen as correctly validated, even though the code within the closed scope may not have been executed.
IMO tracking whether the code within the closed scope is executed is outside the scope of this sniff and a "missing validation" error should be thrown for those cases.
And while PHP 7.4+ arrow functions are open scopes, validation done within an arrow function should not be counted as valid for superglobals used _outside the arrow function, though validation done outside an arrow function should IMO be okay for superglobals used within an arrow function.
Fixed now.
Includes a minor tweak to the pre-existing tests for the case which made me discover the bug (superglobal use in global scope).
Includes additional tests with closed scopes within an already closed scope.
Includes additional tests documenting the behaviour around arrow functions.
Security/ValidatedSanitizedInput: make sure all superglobals being examined are used in tests
The
$_SERVERand$_COOKIEsuperglobals are being examined by the sniff, but there were no tests safeguarding this.Fixed now by adjusting some pre-existing tests.
Security/ValidatedSanitizedInput: use PHPCSUtils for superglobal determination [1]
Previously, the sniff would disregard the
$_SESSIONand$_ENVsuperglobals. This is now no longer the case when examining variables embedded in text strings.This may have been on purpose, but I could not find any discussion about this and it seems more consistent (and more correct) to flag the unvalidated/unsanitized use of all superglobals.
Note: the
$GLOBALSsuperglobal is exempt as in that case, any variable may be accessed ($GLOBALS['var']), not just superglobals ($GLOBALS['_GET']).Includes tests.
Security/ValidatedSanitizedInput: use PHPCSUtils for superglobal determination [2]
Previously, the sniff would disregard the
$_SESSIONand$_ENVsuperglobals. This will now no longer be the case when the sniff examines variable tokens.I suspect these superglobals were originally disregarded as the values in these superglobals are not slashed by WP (see the below refs), but that doesn't mean the values shouldn't be validated and sanitized before use.
The strange thing is that
$_FILESwas already being examined, even though it also isn't slashed by WP.The sniff, however, would throw an incorrect "requires unslashing" error when the
$_FILESsuperglobal was being used. Also see bug report #1720.Either way, along the same lines of the previous commit, when examining variable tokens, the
ValidatedSanitizedInputsniff will now take all superglobals into account, with the exception of the$GLOBALSsuperglobal (this last bit is the same as before).As the values in the
$_FILES,$_SESSIONand$_ENVsuperglobals aren't slashed by WP, they get an exception for the "unslash" error.And as the
Sniff::$input_superglobalsproperty is now unused, I'm removing it.Includes tests.
Fixes #1720
Refs:
Security/ValidatedSanitizedInput: add extra test for PHP 7.4+ null coalesce equals
PR #1684 (WPCS 2.1.0) already took care of the handling of validation via the null coalesce equals assignment operator, but there was one test case missing.
This adds that extra test as an additional safeguard.
Security/ValidatedSanitizedInput: add test with PHP 8.0+ match [1]
When a superglobal is used in a match condition, it doesn't need to be unslashed/sanitized.
This is already handled correctly, this just adds a test to safeguard this.
Security/ValidatedSanitizedInput: add tests with PHP 8.0+ match [2]
When a superglobal is used in the match return expressions, it should be validated, unslashed and sanitized.
This is already handled correctly, this just adds a test to safeguard this.
Security/ValidatedSanitizedInput: make MissingUnslash message more informative
Previously, the error would read
$_POST data not unslashed.... Now, the error message will show the exact variable with keys we're talking about like$_POST['key'] not unslashed....