From 6c7864b4f528e0119697d43754f4532511cb1379 Mon Sep 17 00:00:00 2001 From: Jonny Harris Date: Fri, 1 Dec 2023 19:13:50 +0000 Subject: [PATCH 1/4] Install WordPress VIP GO coding standards. --- admin.php | 19 +++++++----- composer.json | 9 +++--- lib/class-wp-rest-client.php | 4 +-- lib/class-wp-rest-oauth1-admin.php | 48 +++++++++++++++++++---------- lib/class-wp-rest-oauth1-client.php | 13 +++++--- lib/class-wp-rest-oauth1-ui.php | 7 ++--- lib/class-wp-rest-oauth1.php | 4 +-- oauth-server.php | 6 ++-- phpcs.xml.dist | 38 +++++++++++++++++------ theme/oauth1-authorize.php | 14 ++++----- 10 files changed, 100 insertions(+), 62 deletions(-) diff --git a/admin.php b/admin.php index d8be5ff..af2f259 100644 --- a/admin.php +++ b/admin.php @@ -22,12 +22,15 @@ function rest_oauth1_profile_section( $user ) { global $wpdb; - $results = $wpdb->get_col( "SELECT option_value FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%'" ); + $results = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%'" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery $approved = array(); - foreach ( $results as $result ) { - $row = unserialize( $result ); - if ( $row['user'] === $user->ID ) { - $approved[] = $row; + foreach ( $results as $option_name ) { + $option = get_option( $option_name ); + if ( ! is_array( $option ) || ! isset( $option['user'] ) ) { + continue; + } + if ( $option['user'] === $user->ID ) { + $approved[] = $option; } } @@ -81,10 +84,10 @@ function rest_oauth1_profile_messages() { } if ( ! empty( $_GET['rest_oauth1_revoked'] ) ) { - echo '

' . __( 'Token revoked.', 'rest_oauth1' ) . '

'; + printf( '

%s

', esc_html( __( 'Token revoked.', 'rest_oauth1' ) ) ); } if ( ! empty( $_GET['rest_oauth1_revocation_failed'] ) ) { - echo '

' . __( 'Unable to revoke token.', 'rest_oauth1' ) . '

'; + printf( '

%s

', esc_html( __( 'Unable to revoke token.', 'rest_oauth1' ) ) ); } } @@ -98,7 +101,7 @@ function rest_oauth1_profile_save( $user_id ) { return; } - $key = wp_unslash( $_POST['rest_oauth1_revoke'] ); + $key = sanitize_text_field( wp_unslash( $_POST['rest_oauth1_revoke'] ) ); $authenticator = new WP_REST_OAuth1(); diff --git a/composer.json b/composer.json index 235f7b3..75cd17d 100644 --- a/composer.json +++ b/composer.json @@ -19,9 +19,9 @@ "php": "5.4" }, "allow-plugins": { - "dealerdirect/phpcodesniffer-composer-installer": true, - "composer/installers": true - } + "dealerdirect/phpcodesniffer-composer-installer": true, + "composer/installers": true + } }, "require": { "php": "^5.4 || ^7.0 || ^8.0", @@ -30,7 +30,8 @@ "require-dev": { "wp-coding-standards/wpcs": "^3.0", "phpcompatibility/phpcompatibility-wp": "^2.1", - "sirbrillig/phpcs-variable-analysis": "^2.8" + "sirbrillig/phpcs-variable-analysis": "^2.8", + "automattic/vipwpcs": "^3.0" }, "scripts": { "format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source", diff --git a/lib/class-wp-rest-client.php b/lib/class-wp-rest-client.php index b3459e0..3bb1d1c 100644 --- a/lib/class-wp-rest-client.php +++ b/lib/class-wp-rest-client.php @@ -252,9 +252,7 @@ protected static function get_called_class() { } // PHP 5.2 only. - $backtrace = debug_backtrace(); - // [0] WP_REST_Client::get_called_class() - // [1] WP_REST_Client::function() + $backtrace = debug_backtrace(); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace if ( 'call_user_func' === $backtrace[2]['function'] ) { return $backtrace[2]['args'][0][0]; } diff --git a/lib/class-wp-rest-oauth1-admin.php b/lib/class-wp-rest-oauth1-admin.php index 6ed5ad2..9d1da57 100644 --- a/lib/class-wp-rest-oauth1-admin.php +++ b/lib/class-wp-rest-oauth1-admin.php 
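Review bot: `sanitize_text_field()` on `$_POST['rest_oauth1_revoke']` mutates the lookup key instead of validating it: it strips tags, collapses whitespace and removes any `%xx` sequence, so a key containing such characters would silently fail to match and the revoke becomes a no-op. If access-token keys are guaranteed plain alphanumeric this is harmless, but that guarantee is not visible in the hunk; a format check that rejects unexpected input and leaves a valid key untouched is the safer shape, e.g. `$key = wp_unslash( $_POST['rest_oauth1_revoke'] );` followed by `if ( ! preg_match( '/^[A-Za-z0-9]+$/', $key ) ) { return; }` with the character class confirmed against how keys are generated (the sniff can then be suppressed on that line with a reason). rest_oauth1_profile_save begins and ends outside the hunk.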
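Review bot: The two comment lines that explained why index `[2]` of the backtrace is read (`// [0] WP_REST_Client::get_called_class()` and `// [1] WP_REST_Client::function()`) are dropped together with adding the phpcs:ignore annotation, so the magic offset on the following `if ( 'call_user_func' === $backtrace[2]['function'] )` line is no longer documented. Keep those two comments on the lines above `$backtrace = debug_backtrace(); // phpcs:ignore …`; the annotation only needs to sit on the call itself. get_called_class begins and ends outside the hunk.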
@@ -236,7 +236,7 @@ protected static function handle_edit_submit( $consumer ) { */ public static function render_edit_page() { if ( ! current_user_can( 'edit_users' ) ) { - wp_die( __( 'You do not have permission to access this page.', 'rest_oauth1' ) ); + wp_die( esc_html( __( 'You do not have permission to access this page.', 'rest_oauth1' ) ) ); } // Are we editing? @@ -246,8 +246,12 @@ public static function render_edit_page() { if ( ! empty( $_REQUEST['id'] ) ) { $id = absint( $_REQUEST['id'] ); $consumer = WP_REST_OAuth1_Client::get( $id ); - if ( is_wp_error( $consumer ) || empty( $consumer ) ) { - wp_die( __( 'Invalid consumer ID.', 'rest_oauth1' ) ); + if ( is_wp_error( $consumer ) ) { + wp_die( $consumer ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + } + + if ( empty( $consumer ) ) { + wp_die( esc_html( __( 'Invalid consumer ID.', 'rest_oauth1' ) ) ); } $form_action = self::get_url( @@ -318,7 +322,7 @@ public static function render_edit_page() {

' . esc_html( $msg ) . '

'; + printf( '

%s

', esc_attr( $notice_type ), esc_html( $msg ) ); } } ?> @@ -420,23 +424,31 @@ public static function handle_delete() { if ( ! current_user_can( 'delete_post', $id ) ) { $code = is_user_logged_in() ? 403 : 401; wp_die( - '

' . __( 'An error has occurred.', 'rest_oauth1' ) . '

' . - '

' . __( 'You are not allowed to delete this application.', 'rest_oauth1' ) . '

', - $code + sprintf( + '

%s

%s

', + esc_html( __( 'You are not allowed to delete this application.', 'rest_oauth1' ) ), + esc_html( __( 'An error has occurred.', 'rest_oauth1' ) ) + ), + '', + array( 'response' => (int) $code ) ); } $client = WP_REST_OAuth1_Client::get( $id ); if ( is_wp_error( $client ) ) { - wp_die( $client ); + wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } if ( ! $client->delete() ) { $code = is_user_logged_in() ? 403 : 401; wp_die( - '

' . __( 'An error has occurred.', 'rest_oauth1' ) . '

' . - '

' . __( 'Invalid consumer ID', 'rest_oauth1' ) . '

', - $code + sprintf( + '

%s

%s

', + esc_html( __( 'An error has occurred.', 'rest_oauth1' ) ), + esc_html( __( 'Invalid consumer ID', 'rest_oauth1' ) ) + ), + '', + array( 'response' => (int) $code ) ); } @@ -458,19 +470,23 @@ public static function handle_regenerate() { if ( ! current_user_can( 'edit_post', $id ) ) { $code = is_user_logged_in() ? 403 : 401; wp_die( - '
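Review bot: In handle_delete's first `wp_die()` the two `sprintf()` arguments are in the opposite order to every other rebuilt message in this commit: `'You are not allowed to delete this application.'` is passed first and `'An error has occurred.'` second, whereas the original concatenation, the second `wp_die()` in this hunk and both in handle_regenerate put the generic heading first and the specific reason second. Swap the two `esc_html( __( … ) )` lines so the heading and body placeholders receive the same texts as before. Passing `array( 'response' => (int) $code )` as the third argument instead of the bare `$code` is the right fix for the status code. handle_delete continues outside the hunk.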

' . __( 'An error has occurred.', 'rest_oauth1' ) . '

' . - '

' . __( 'You are not allowed to edit this application.', 'rest_oauth1' ) . '

', - $code + sprintf( + '

%s

%s

', + esc_html( __( 'An error has occurred.', 'rest_oauth1' ) ), + esc_html( __( 'You are not allowed to edit this application.', 'rest_oauth1' ) ) + ), + '', + array( 'response' => (int) $code ) ); } $client = WP_REST_OAuth1_Client::get( $id ); if ( is_wp_error( $client ) ) { - wp_die( $client ); + wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } $result = $client->regenerate_secret(); if ( is_wp_error( $result ) ) { - wp_die( $result ); + wp_die( $result ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } wp_safe_redirect( diff --git a/lib/class-wp-rest-oauth1-client.php b/lib/class-wp-rest-oauth1-client.php index 698ed6a..af4608c 100644 --- a/lib/class-wp-rest-oauth1-client.php +++ b/lib/class-wp-rest-oauth1-client.php @@ -52,12 +52,15 @@ protected static function get_type() { */ public function delete() { global $wpdb; - $results = $wpdb->get_results( "SELECT * FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'", ARRAY_A ); + $results = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'", ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery $delete_option = array(); - foreach ( $results as $result ) { - $row = unserialize( $result['option_value'] ); - if ( $this->post->ID === $row['consumer'] ) { - $delete_option[] = $result['option_name']; + foreach ( $results as $option_name ) { + $option = get_option( $option_name ); + if ( ! is_array( $option ) || ! isset( $option['consumer'] ) ) { + continue; + } + if ( $this->post->ID === $option['consumer'] ) { + $delete_option[] = $option_name; } } diff --git a/lib/class-wp-rest-oauth1-ui.php b/lib/class-wp-rest-oauth1-ui.php index b74798f..5d1cd16 100644 --- a/lib/class-wp-rest-oauth1-ui.php +++ b/lib/class-wp-rest-oauth1-ui.php 
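Review bot: `$wpdb->get_col( "SELECT option_name …", ARRAY_A )` passes `ARRAY_A` as get_col()'s second parameter, which is the numeric column offset `$x`, not an output type (that argument belonged to the replaced `get_results()` call). Inside wpdb that value is used as an index into each row's value list, so on current wpdb every element of `$results` comes back `null`, `get_option( null )` never yields an array, and `$delete_option` stays empty — tokens issued to the deleted consumer are silently left in place. Drop the stray argument: `$results = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery`. delete() continues outside the hunk.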
@@ -155,8 +155,8 @@ public function handle_callback_redirect( $verifier ) { login_header( __( 'Access Token', 'rest_oauth1' ) ); echo '

' . sprintf( /* translators: %s: verifier **/ - __( 'Your verification token is %s', 'rest_oauth1' ), - $verifier + wp_kses( __( 'Your verification token is %s', 'rest_oauth1' ), array( 'code' ) ), + esc_html( $verifier ) ) . '

'; login_footer(); @@ -183,8 +183,7 @@ public function handle_callback_redirect( $verifier ) { // Offsite, so skip safety check. wp_redirect( $callback ); - - return null; + exit; } /** diff --git a/lib/class-wp-rest-oauth1.php b/lib/class-wp-rest-oauth1.php index 742a709..48563db 100644 --- a/lib/class-wp-rest-oauth1.php +++ b/lib/class-wp-rest-oauth1.php @@ -84,7 +84,7 @@ public function parse_header( $header ) { */ public function get_authorization_header() { if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) { - return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ); + return sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ); } if ( function_exists( 'getallheaders' ) ) { @@ -695,7 +695,7 @@ public function check_oauth_signature( $consumer, $oauth_params, $token = null ) $params = array_merge( $params, $oauth_params ); - $request_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); + $request_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); // phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url $wp_base = get_home_url( null, '/', 'relative' ); if ( substr( $request_path, 0, strlen( $wp_base ) ) === $wp_base ) { $request_path = substr( $request_path, strlen( $wp_base ) ); diff --git a/oauth-server.php b/oauth-server.php index c7b5b07..a49553d 100644 --- a/oauth-server.php +++ b/oauth-server.php @@ -109,7 +109,7 @@ function rest_oauth1_force_reauthentication() { // Force reauthentication. global $current_user; - $current_user = null; + $current_user = null; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited wp_get_current_user(); } 
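Review bot: `wp_kses( …, array( 'code' ) )` does not allow a `<code>` element: wp_kses() takes the allowed-HTML map keyed by tag name, and `array( 'code' )` is keyed `0`, so any `<code>` wrapper in the translated string is stripped while the `%s` text survives. Pass `array( 'code' => array() )` instead; the verifier itself is already run through `esc_html()`, which is the part that matters for output safety. The tags of the literal are not visible in this rendering, so confirm against the source string. handle_callback_redirect starts before the hunk.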
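Review bot: `sanitize_text_field()` on `$_SERVER['HTTP_AUTHORIZATION']` breaks OAuth 1.0 signature verification: header values are percent-encoded (`oauth_signature="…%3D"`, with `%2B` and `%2F` common in base64 output), and sanitize_text_field() removes every `%xx` sequence it finds, besides stripping tags and collapsing whitespace. The header is never output; it is parsed (presumably by parse_header(), the hunk's context) and the signature is then checked, which is the validation that matters here. Return the raw header with `return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- parsed and signature-verified downstream` rather than mutating the credential. get_authorization_header continues outside the hunk.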
@@ -145,13 +145,13 @@ function rest_oauth1_loaded() { } status_header( $status ); - echo $response->get_error_message(); + echo $response->get_error_message(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped die(); } $response = http_build_query( $response, '', '&' ); - echo $response; + echo $response; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped // Finish off our request. die(); diff --git a/phpcs.xml.dist b/phpcs.xml.dist index 8b269f3..913cd76 100644 --- a/phpcs.xml.dist +++ b/phpcs.xml.dist @@ -11,9 +11,34 @@ - - lib/class-wp-rest-oauth1-cli.php - + + + + lib/class-wp-rest-oauth1-listtable.php + lib/class-wp-rest-client.php + + + + *.php + lib/* + + + + *.php + lib/* + + + + lib/class-wp-rest-oauth1-cli.php + + + + oauth-server.php + + + + lib/class-wp-rest-oauth1-admin.php + @@ -27,15 +52,8 @@ - theme/*.php - lib/class-wp-rest-oauth1-ui.php - - *.php - lib/* - - diff --git a/theme/oauth1-authorize.php b/theme/oauth1-authorize.php index f2cf1d8..9d4f11f 100644 --- a/theme/oauth1-authorize.php +++ b/theme/oauth1-authorize.php @@ -16,7 +16,7 @@ $errors ); -$current_user = wp_get_current_user(); +$this_user = wp_get_current_user(); $url = site_url( 'wp-login.php?action=oauth1_authorize', 'login_post' ); $url = add_query_arg( 'oauth_token', $token_key, $url ); @@ -77,16 +77,16 @@
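Review bot: The `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` on `echo $response->get_error_message();` suppresses the warning without addressing it: the error text reaches the client unescaped, and unless a non-HTML Content-Type was sent earlier in rest_oauth1_loaded (outside the hunk) a browser renders it as HTML, so any request-supplied value that ends up in a WP_Error message would be reflected. Send `header( 'Content-Type: text/plain; charset=utf-8' );` before the echo (OAuth error and token bodies are not HTML), which also covers the `echo $response;` of the form-encoded body a few lines below, or at minimum write `echo esc_html( $response->get_error_message() );`. rest_oauth1_loaded begins outside the hunk.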