Skip to content

Commit

Permalink
Install WordPress VIP GO coding standards. (#235)
Browse files Browse the repository at this point in the history
* Install WordPress VIP GO coding standards.

* Move rule

* Move rule

* Use esc_html__
  • Loading branch information
spacedmonkey authored Dec 1, 2023
1 parent 210bbbd commit c53ae77
Show file tree
Hide file tree
Showing 10 changed files with 100 additions and 61 deletions.
19 changes: 11 additions & 8 deletions admin.php
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,15 @@
function rest_oauth1_profile_section( $user ) {
global $wpdb;

$results = $wpdb->get_col( "SELECT option_value FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%'" );
$results = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%'" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
$approved = array();
foreach ( $results as $result ) {
$row = unserialize( $result );
if ( $row['user'] === $user->ID ) {
$approved[] = $row;
foreach ( $results as $option_name ) {
$option = get_option( $option_name );
if ( ! is_array( $option ) || ! isset( $option['user'] ) ) {
continue;
}
if ( $option['user'] === $user->ID ) {
$approved[] = $option;
}
}

Expand Down Expand Up @@ -81,10 +84,10 @@ function rest_oauth1_profile_messages() {
}

if ( ! empty( $_GET['rest_oauth1_revoked'] ) ) {
echo '<div id="message" class="updated"><p>' . __( 'Token revoked.', 'rest_oauth1' ) . '</p></div>';
printf( '<div id="message" class="updated"><p>%s</p></div>', esc_html__( 'Token revoked.', 'rest_oauth1' ) );
}
if ( ! empty( $_GET['rest_oauth1_revocation_failed'] ) ) {
echo '<div id="message" class="updated"><p>' . __( 'Unable to revoke token.', 'rest_oauth1' ) . '</p></div>';
printf( '<div id="message" class="updated"><p>%s</p></div>', esc_html__( 'Unable to revoke token.', 'rest_oauth1' ) );
}
}

Expand All @@ -98,7 +101,7 @@ function rest_oauth1_profile_save( $user_id ) {
return;
}

$key = wp_unslash( $_POST['rest_oauth1_revoke'] );
$key = sanitize_text_field( wp_unslash( $_POST['rest_oauth1_revoke'] ) );

$authenticator = new WP_REST_OAuth1();

Expand Down
9 changes: 5 additions & 4 deletions composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,9 @@
"php": "5.4"
},
"allow-plugins": {
"dealerdirect/phpcodesniffer-composer-installer": true,
"composer/installers": true
}
"dealerdirect/phpcodesniffer-composer-installer": true,
"composer/installers": true
}
},
"require": {
"php": "^5.4 || ^7.0 || ^8.0",
Expand All @@ -30,7 +30,8 @@
"require-dev": {
"wp-coding-standards/wpcs": "^3.0",
"phpcompatibility/phpcompatibility-wp": "^2.1",
"sirbrillig/phpcs-variable-analysis": "^2.8"
"sirbrillig/phpcs-variable-analysis": "^2.8",
"automattic/vipwpcs": "^3.0"
},
"scripts": {
"format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source",
Expand Down
4 changes: 1 addition & 3 deletions lib/class-wp-rest-client.php
Original file line number Diff line number Diff line change
Expand Up @@ -252,9 +252,7 @@ protected static function get_called_class() {
}

// PHP 5.2 only.
$backtrace = debug_backtrace();
// [0] WP_REST_Client::get_called_class()
// [1] WP_REST_Client::function()
$backtrace = debug_backtrace(); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace
if ( 'call_user_func' === $backtrace[2]['function'] ) {
return $backtrace[2]['args'][0][0];
}
Expand Down
48 changes: 32 additions & 16 deletions lib/class-wp-rest-oauth1-admin.php
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,7 @@ protected static function handle_edit_submit( $consumer ) {
*/
public static function render_edit_page() {
if ( ! current_user_can( 'edit_users' ) ) {
wp_die( __( 'You do not have permission to access this page.', 'rest_oauth1' ) );
wp_die( esc_html__( 'You do not have permission to access this page.', 'rest_oauth1' ) );
}

// Are we editing?
Expand All @@ -246,8 +246,12 @@ public static function render_edit_page() {
if ( ! empty( $_REQUEST['id'] ) ) {
$id = absint( $_REQUEST['id'] );
$consumer = WP_REST_OAuth1_Client::get( $id );
if ( is_wp_error( $consumer ) || empty( $consumer ) ) {
wp_die( __( 'Invalid consumer ID.', 'rest_oauth1' ) );
if ( is_wp_error( $consumer ) ) {
wp_die( $consumer ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}

if ( empty( $consumer ) ) {
wp_die( esc_html__( 'Invalid consumer ID.', 'rest_oauth1' ) );
}

$form_action = self::get_url(
Expand Down Expand Up @@ -318,7 +322,7 @@ public static function render_edit_page() {
<?php
if ( ! empty( $messages ) ) {
foreach ( $messages as $msg ) {
echo '<div id="message" class="notice is-dismissible notice-' . $notice_type . '"><p>' . esc_html( $msg ) . '</p></div>';
printf( '<div id="message" class="notice is-dismissible notice-%s"><p>%s</p></div>', esc_attr( $notice_type ), esc_html( $msg ) );
}
}
?>
Expand Down Expand Up @@ -420,23 +424,31 @@ public static function handle_delete() {
if ( ! current_user_can( 'delete_post', $id ) ) {
$code = is_user_logged_in() ? 403 : 401;
wp_die(
'<h1>' . __( 'An error has occurred.', 'rest_oauth1' ) . '</h1>' .
'<p>' . __( 'You are not allowed to delete this application.', 'rest_oauth1' ) . '</p>',
$code
sprintf(
'<h1>%s</h1><p>%s</p>',
esc_html__( 'You are not allowed to delete this application.', 'rest_oauth1' ),
esc_html__( 'An error has occurred.', 'rest_oauth1' )
),
'',
array( 'response' => (int) $code )
);
}

$client = WP_REST_OAuth1_Client::get( $id );
if ( is_wp_error( $client ) ) {
wp_die( $client );
wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}

if ( ! $client->delete() ) {
$code = is_user_logged_in() ? 403 : 401;
wp_die(
'<h1>' . __( 'An error has occurred.', 'rest_oauth1' ) . '</h1>' .
'<p>' . __( 'Invalid consumer ID', 'rest_oauth1' ) . '</p>',
$code
sprintf(
'<h1>%s</h1><p>%s</p>',
esc_html__( 'An error has occurred.', 'rest_oauth1' ),
esc_html__( 'Invalid consumer ID', 'rest_oauth1' )
),
'',
array( 'response' => (int) $code )
);
}

Expand All @@ -458,19 +470,23 @@ public static function handle_regenerate() {
if ( ! current_user_can( 'edit_post', $id ) ) {
$code = is_user_logged_in() ? 403 : 401;
wp_die(
'<h1>' . __( 'An error has occurred.', 'rest_oauth1' ) . '</h1>' .
'<p>' . __( 'You are not allowed to edit this application.', 'rest_oauth1' ) . '</p>',
$code
sprintf(
'<h1>%s</h1><p>%s</p>',
esc_html__( 'An error has occurred.', 'rest_oauth1' ),
esc_html__( 'You are not allowed to edit this application.', 'rest_oauth1' )
),
'',
array( 'response' => (int) $code )
);
}

$client = WP_REST_OAuth1_Client::get( $id );
if ( is_wp_error( $client ) ) {
wp_die( $client );
wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}
$result = $client->regenerate_secret();
if ( is_wp_error( $result ) ) {
wp_die( $result );
wp_die( $result ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}

wp_safe_redirect(
Expand Down
13 changes: 8 additions & 5 deletions lib/class-wp-rest-oauth1-client.php
Original file line number Diff line number Diff line change
Expand Up @@ -52,12 +52,15 @@ protected static function get_type() {
*/
public function delete() {
global $wpdb;
$results = $wpdb->get_results( "SELECT * FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'", ARRAY_A );
$results = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'", ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
$delete_option = array();
foreach ( $results as $result ) {
$row = unserialize( $result['option_value'] );
if ( $this->post->ID === $row['consumer'] ) {
$delete_option[] = $result['option_name'];
foreach ( $results as $option_name ) {
$option = get_option( $option_name );
if ( ! is_array( $option ) || ! isset( $option['consumer'] ) ) {
continue;
}
if ( $this->post->ID === $option['consumer'] ) {
$delete_option[] = $option_name;
}
}

Expand Down
7 changes: 3 additions & 4 deletions lib/class-wp-rest-oauth1-ui.php
Original file line number Diff line number Diff line change
Expand Up @@ -155,8 +155,8 @@ public function handle_callback_redirect( $verifier ) {
login_header( __( 'Access Token', 'rest_oauth1' ) );
echo '<p>' . sprintf(
/* translators: %s: verifier **/
__( 'Your verification token is <code>%s</code>', 'rest_oauth1' ),
$verifier
wp_kses( __( 'Your verification token is <code>%s</code>', 'rest_oauth1' ), array( 'code' ) ),
esc_html( $verifier )
) .
'</p>';
login_footer();
Expand All @@ -183,8 +183,7 @@ public function handle_callback_redirect( $verifier ) {

// Offsite, so skip safety check.
wp_redirect( $callback );

return null;
exit;
}

/**
Expand Down
4 changes: 2 additions & 2 deletions lib/class-wp-rest-oauth1.php
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ public function parse_header( $header ) {
*/
public function get_authorization_header() {
if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
return sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) );
}

if ( function_exists( 'getallheaders' ) ) {
Expand Down Expand Up @@ -695,7 +695,7 @@ public function check_oauth_signature( $consumer, $oauth_params, $token = null )

$params = array_merge( $params, $oauth_params );

$request_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
$request_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); // phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url
$wp_base = get_home_url( null, '/', 'relative' );
if ( substr( $request_path, 0, strlen( $wp_base ) ) === $wp_base ) {
$request_path = substr( $request_path, strlen( $wp_base ) );
Expand Down
4 changes: 2 additions & 2 deletions oauth-server.php
Original file line number Diff line number Diff line change
Expand Up @@ -145,13 +145,13 @@ function rest_oauth1_loaded() {
}

status_header( $status );
echo $response->get_error_message();
echo $response->get_error_message(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
die();
}

$response = http_build_query( $response, '', '&' );

echo $response;
echo $response; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

// Finish off our request.
die();
Expand Down
39 changes: 29 additions & 10 deletions phpcs.xml.dist
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,35 @@
</rule>

<rule ref="WordPress-Core"/>
<rule ref="WordPress-Docs">
<exclude-pattern>lib/class-wp-rest-oauth1-cli.php</exclude-pattern>
</rule>
<rule ref="WordPress-VIP-Go"/>

<rule ref="WordPress.DB.SlowDBQuery">
<exclude-pattern>lib/class-wp-rest-oauth1-listtable.php</exclude-pattern>
<exclude-pattern>lib/class-wp-rest-client.php</exclude-pattern>
</rule>

<rule ref="WordPress.Security.ValidatedSanitizedInput">
<exclude-pattern>*.php</exclude-pattern>
<exclude-pattern>lib/*</exclude-pattern>
</rule>

<rule ref="WordPress.Security.NonceVerification">
<exclude-pattern>*.php</exclude-pattern>
<exclude-pattern>lib/*</exclude-pattern>
</rule>

<rule ref="WordPressVIPMinimum.Classes.RestrictedExtendClasses.wp_cli">
<exclude-pattern>lib/class-wp-rest-oauth1-cli.php</exclude-pattern>
</rule>

<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.flush_rewrite_rules_flush_rewrite_rules">
<exclude-pattern>oauth-server.php</exclude-pattern>
</rule>

<rule ref="WordPress.WP.GlobalVariablesOverride.Prohibited">
<exclude-pattern>oauth-server.php</exclude-pattern>
<exclude-pattern>lib/class-wp-rest-oauth1-admin.php</exclude-pattern>
</rule>

<rule ref="WordPress.WP.I18n">
<properties>
Expand All @@ -27,15 +53,8 @@
<properties>
<property name="allowUnusedParametersBeforeUsed" value="true"/>
</properties>
<exclude-pattern>theme/*.php</exclude-pattern>
<exclude-pattern>lib/class-wp-rest-oauth1-ui.php</exclude-pattern>
</rule>

<rule ref="Squiz.Commenting.FileComment.Missing">
<exclude-pattern>*.php</exclude-pattern>
<exclude-pattern>lib/*</exclude-pattern>
</rule>

<rule ref="PEAR.Functions.FunctionCallSignature">
<properties>
<property name="allowMultipleArguments" value="false"/>
Expand Down
14 changes: 7 additions & 7 deletions theme/oauth1-authorize.php
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
$errors
);

$current_user = wp_get_current_user();
$this_user = wp_get_current_user();

$url = site_url( 'wp-login.php?action=oauth1_authorize', 'login_post' );
$url = add_query_arg( 'oauth_token', $token_key, $url );
Expand Down Expand Up @@ -77,16 +77,16 @@

<div class="login-info">

<?php echo get_avatar( $current_user->ID, '78' ); ?>
<?php echo get_avatar( $this_user->ID, '78' ); ?>

<p>
<?php
printf(
// translators: 1: username. 2: consumer name.
__( 'Howdy <strong>%1$s</strong>,<br/> "%2$s" would like to connect to %3$s.', 'rest_oauth1' ),
$current_user->user_login,
$consumer->post_title,
get_bloginfo( 'name' )
wp_kses( __( 'Howdy <strong>%1$s</strong>,<br/> "%2$s" would like to connect to %3$s.', 'rest_oauth1' ), array( 'strong', 'br' ) ),
esc_html( $this_user->user_login ),
esc_html( $consumer->post_title ),
esc_html( get_bloginfo( 'name' ) )
)
?>
</p>
Expand Down Expand Up @@ -120,7 +120,7 @@
*
* @param string $registration_url Registration URL.
*/
echo ' | ' . apply_filters( 'register', $registration_url );
echo ' | ' . esc_url( apply_filters( 'register', $registration_url ) );
endif;
?>
</p>
Expand Down

0 comments on commit c53ae77

Please sign in to comment.