From 38ed674e92a613cfa45185ee10c3bfeae15c482c Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 21 Feb 2024 18:25:51 +0000
Subject: [PATCH 1/9] Upgrade to wpcs 3.0
Also upgrades to vipcs 3.0 for necessary changes there.
---
 composer.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/composer.json b/composer.json
index 4a0c621a..24ca041d 100644
--- a/composer.json
+++ b/composer.json
@@ -5,8 +5,8 @@
 "license": "GPL-2.0-or-later",
 "require": {
 "php": ">=7.1",
- "wp-coding-standards/wpcs": "2.3.0",
- "automattic/vipwpcs": "2.0.0",
+ "wp-coding-standards/wpcs": "~3.0.0",
+ "automattic/vipwpcs": "~3.0.0",
 "fig-r/psr2r-sniffer": "^0.5.0",
 "phpcompatibility/phpcompatibility-wp": "^2.0.0",
 "squizlabs/php_codesniffer": "~3.5",
From d1770a15024eb57cbf430ca72f3647d375b8948d Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 21 Feb 2024 18:49:04 +0000
Subject: [PATCH 2/9] Update configuration to match new rule names
---
 HM-Minimum/ruleset.xml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/HM-Minimum/ruleset.xml b/HM-Minimum/ruleset.xml
index d3ee6e63..e03236b6 100644
--- a/HM-Minimum/ruleset.xml
+++ b/HM-Minimum/ruleset.xml
@@ -154,13 +154,12 @@ - + - - - + +
From 85d74774e6694d7e1907095d5d0a14cb32f13bc9 Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 21 Feb 2024 19:27:45 +0000
Subject: [PATCH 3/9] Switch to new helper functions
---
 HM/Sniffs/Performance/SlowMetaQuerySniff.php | 20 ++++++++++++-------
 HM/Sniffs/Performance/SlowOrderBySniff.php | 4 +++-
 .../Security/ValidatedSanitizedInputSniff.php | 6 ++++--
 3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/HM/Sniffs/Performance/SlowMetaQuerySniff.php b/HM/Sniffs/Performance/SlowMetaQuerySniff.php
index d5950e3a..b473b53d 100644
--- a/HM/Sniffs/Performance/SlowMetaQuerySniff.php
+++ b/HM/Sniffs/Performance/SlowMetaQuerySniff.php
@@ -4,6 +4,9 @@
 use PHP_CodeSniffer\Files\File;
 use PHP_CodeSniffer\Util\Tokens;
+use PHPCSUtils\Utils\Arrays;
+use PHPCSUtils\Utils\MessageHelper;
+use PHPCSUtils\Utils\TextStrings;
 use WordPressCS\WordPress\AbstractArrayAssignmentRestrictionsSniff;
 /**
@@ -104,7 +107,8 @@ protected function check_meta_query_item( int $array_open ) {
 $array_open_token = $this->tokens[ $array_open ];
 if ( $array_open_token['code'] !== T_ARRAY && $array_open_token['code'] !== T_OPEN_SHORT_ARRAY ) {
 // Dynamic value, we can't check.
- $this->addMessage(
+ MessageHelper::addMessage(
+ $this->phpcsFile,
 'meta_query is dynamic, cannot be checked.',
 $array_open,
 'warning',
@@ -114,7 +118,7 @@ protected function check_meta_query_item( int $array_open ) {
 return;
 }
- $array_bounds = $this->find_array_open_close( $array_open );
+ $array_bounds = Arrays::getOpenClose( $this->phpcsFile, $array_open );
 $elements = $this->get_array_indices( $array_bounds['opener'], $array_bounds['closer'] );
 // Is this a "first-order" query?
@@ -138,7 +142,7 @@ protected function check_meta_query_item( int $array_open ) {
 foreach ( $elements as $element ) {
 if ( isset( $element['index_start'] ) ) {
- $index = $this->strip_quotes( $this->tokens[ $element['index_start'] ]['content'] );
+ $index = TextStrings::stripQuotes( $this->tokens[ $element['index_start'] ]['content'] );
 if ( strtolower( $index ) === 'relation' ) {
 // Skip 'relation' element.
 continue;
@@ -176,7 +180,7 @@ protected function get_static_value_for_element( array $element ) : ?string {
 return static::DYNAMIC_VALUE;
 }
- return $this->strip_quotes( $this->tokens[ $value_start ]['content'] );
+ return TextStrings::stripQuotes( $this->tokens[ $value_start ]['content'] );
 }
 /**
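Review bot: The three new `use PHPCSUtils\Utils\...` imports make this sniff call the `phpcsstandards/phpcsutils` package directly, yet the `composer.json` change in the first patch of this series only bumps `wp-coding-standards/wpcs` and `automattic/vipwpcs`, so PHPCSUtils is reached purely through a transitive requirement. A dependency that is only transitive can be dropped or re-versioned by the upstream package without this project noticing until the sniffs fatal at runtime, so it should be listed explicitly under `require` with its own version constraint. The same applies to `SlowOrderBySniff.php` and `ValidatedSanitizedInputSniff.php` later in this patch, which import `PHPCSUtils\Utils\MessageHelper` and `PHPCSUtils\Utils\TextStrings`.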
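Review bot: `MessageHelper::addMessage()` takes a boolean `$isError` as its fourth argument, but the rewritten call still passes the string `'warning'` in that position (the `'warning',` context line right after `$array_open,`). Whether that yields a warning or an error now depends on how the helper compares the flag — a strict `=== true` gives a warning, a truthiness check would upgrade it to an error — so the intent should be stated as `false,` rather than relying on a string being read as "not an error". The same pattern recurs in the two `check_compare_value()` hunks of this file and in the `callback()` hunk of `SlowOrderBySniff.php`. The call continues past the end of the hunk, so the remaining arguments are not visible here.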
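Review bot: `Arrays::getOpenClose()` is documented to return `false` when it cannot determine the array's opener and closer, and the very next line indexes the result as `$array_bounds['opener']` / `$array_bounds['closer']` without checking for that. The removed `find_array_open_close()` most likely had the same failure mode, but this rewrite is the moment to close it — `if ( false === $array_bounds ) { return; }` before the `get_array_indices()` call, mirroring the early `return;` the hunk already shows for the dynamic-value case. The enclosing `check_meta_query_item()` starts and ends outside this hunk.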
@@ -208,7 +212,7 @@ protected function find_key_in_array( array $elements, string $array_key ) : ?ar
 continue;
 }
- $index = $this->strip_quotes( $this->tokens[ $start ]['content'] );
+ $index = TextStrings::stripQuotes( $this->tokens[ $start ]['content'] );
 if ( $index !== $array_key ) {
 // Not the item we want, skip.
 continue;
@@ -270,7 +274,8 @@ protected function check_compare_value( string $compare, int $stackPtr = null )
 }
 if ( $compare === static::DYNAMIC_VALUE ) {
- $this->addMessage(
+ MessageHelper::addMessage(
+ $this->phpcsFile,
 'meta_query is using a dynamic comparison; this cannot be checked automatically, and may be non-performant.',
 $stackPtr,
 'warning',
@@ -278,7 +283,8 @@ protected function check_compare_value( string $compare, int $stackPtr = null )
 );
 } elseif ( $compare !== 'EXISTS' && $compare !== 'NOT EXISTS' ) {
 // Add a message ourselves.
- $this->addMessage(
+ MessageHelper::addMessage(
+ $this->phpcsFile,
 'meta_query is using %s comparison, which is non-performant.',
 $stackPtr,
 'warning',
diff --git a/HM/Sniffs/Performance/SlowOrderBySniff.php b/HM/Sniffs/Performance/SlowOrderBySniff.php
index 5c6a7d4c..c387125a 100644
--- a/HM/Sniffs/Performance/SlowOrderBySniff.php
+++ b/HM/Sniffs/Performance/SlowOrderBySniff.php
@@ -2,6 +2,7 @@
 namespace HM\Sniffs\Performance;
+use PHPCSUtils\Utils\MessageHelper;
 use WordPressCS\WordPress\AbstractArrayAssignmentRestrictionsSniff;
 /**
@@ -61,7 +62,8 @@ public function callback( $key, $val, $line, $group ) {
 case 'rand':
 case 'meta_value':
 case 'meta_value_num':
- $this->addMessage(
+ MessageHelper::addMessage(
+ $this->phpcsFile,
 'Ordering query results by %s is not performant.',
 $this->stackPtr,
 'warning',
diff --git a/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php b/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php
index 0d13bb4b..b1178616 100644
--- a/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php
+++ b/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php
@@ -4,6 +4,8 @@
 use HM\Sniffs\ExtraSniffCode;
 use PHP_CodeSniffer\Files\File as PhpcsFile;
+use PHPCSUtils\Utils\TextStrings;
+use WordPressCS\WordPress\Helpers\VariableHelper;
 use WordPressCS\WordPress\Sniffs\Security\ValidatedSanitizedInputSniff as WPCSValidatedSanitizedInputSniff;
 class ValidatedSanitizedInputSniff extends WPCSValidatedSanitizedInputSniff {
@@ -71,7 +73,7 @@ public function process_token( $stackPtr ) {
 * @return bool True if this is a $_SERVER variable and is safe, false to run regular checks.
 */
 protected function check_server_variable( $stackPtr ) {
- $key = $this->get_array_access_key( $stackPtr );
+ $key = VariableHelper::get_array_access_key( $this->phpcsFile, $stackPtr );
 // Find the next non-whitespace token.
 $open_bracket = $this->phpcsFile->findNext( T_WHITESPACE, ( $stackPtr + 1 ), null, true );
@@ -94,7 +96,7 @@ protected function check_server_variable( $stackPtr ) {
 }
 // Constant string, check if it's allowed.
- $key = $this->strip_quotes( $this->tokens[ $index_token ]['content'] );
+ $key = TextStrings::stripQuotes( $this->tokens[ $index_token ]['content'] );
 if ( ! in_array( $key, $this->allowedServerKeys, true ) ) {
 // Unsafe key, requires sanitising.
 return false;
From 387f0b55255ef2ed077ae6a29d03193791b8aa2d Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 21 Feb 2024 20:12:01 +0000
Subject: [PATCH 4/9] Update ignore code duplication
---
 HM/Sniffs/ExtraSniffCode.php | 8 +++++---
 HM/Sniffs/Security/EscapeOutputSniff.php | 12 ++++++------
 HM/Sniffs/Security/NonceVerificationSniff.php | 10 +++++-----
 HM/Sniffs/Security/ValidatedSanitizedInputSniff.php | 10 +++++-----
 4 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/HM/Sniffs/ExtraSniffCode.php b/HM/Sniffs/ExtraSniffCode.php
index a04a2007..f2c3bff0 100644
--- a/HM/Sniffs/ExtraSniffCode.php
+++ b/HM/Sniffs/ExtraSniffCode.php
@@ -2,6 +2,7 @@
 namespace HM\Sniffs;
+use PHP_CodeSniffer\Files\File as PhpcsFile;
 use PHP_CodeSniffer\Util;
 trait ExtraSniffCode {
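Review bot: `VariableHelper::get_array_access_key()` comes from WPCS's `Helpers` namespace, which — if I recall the 3.0 release correctly — is annotated `@internal` with no backward-compatibility promise, so this security sniff now depends on upstream internals rather than a public API. The `~3.0.0` constraint added in the first patch limits exposure to patch releases, but the coupling deserves a comment at the call site, e.g. `// WPCS-internal helper with no BC promise: re-check on every WPCS upgrade.`. The enclosing `check_server_variable()` continues past the end of the hunk.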
@@ -11,13 +12,14 @@ trait ExtraSniffCode {
 * This allows overriding an existing sniff and retaining the existing
 * ignore statements.
 *
+ * @param PhpcsFile $file File being checked.
 * @param string $legacy Legacy sniff code
 */
- protected function duplicate_ignores( $legacy ) {
+ protected function duplicate_ignores( PhpcsFile $file, $legacy ) {
 $expression = sprintf( '/^%s(\..+)?$/', preg_quote( $legacy ) );
 $base_code = Util\Common::getSniffCode( get_class( $this ) );
- foreach ( $this->phpcsFile->tokenizer->ignoredLines as $line => $ignored ) {
+ foreach ( $file->tokenizer->ignoredLines as $line => $ignored ) {
 $additional = [];
 if ( empty( $ignored ) ) {
@@ -38,7 +40,7 @@ protected function duplicate_ignores( $legacy ) {
 }
 if ( ! empty( $additional ) ) {
- $this->phpcsFile->tokenizer->ignoredLines[ $line ] = array_merge( $ignored, $additional );
+ $file->tokenizer->ignoredLines[ $line ] = array_merge( $ignored, $additional );
 }
 }
diff --git a/HM/Sniffs/Security/EscapeOutputSniff.php b/HM/Sniffs/Security/EscapeOutputSniff.php
index 8b1598ee..cbf71095 100644
--- a/HM/Sniffs/Security/EscapeOutputSniff.php
+++ b/HM/Sniffs/Security/EscapeOutputSniff.php
@@ -56,13 +56,13 @@ public function __construct() {
 }
 /**
- * Override init to duplicate any ignores.
+ * Override process to duplicate any ignores.
 *
- * @param PhpcsFile $phpcsFile
+ * @param PhpcsFile $file
+ * @param int $stackPtr
 */
- protected function init( PhpcsFile $phpcsFile ) {
- parent::init( $phpcsFile );
-
- $this->duplicate_ignores( 'WordPress.Security.EscapeOutput' );
+ public function process( PhpcsFile $file, $stackPtr ) {
+ $this->duplicate_ignores( $file, 'WordPress.Security.EscapeOutput' );
+ return parent::process( $file, $stackPtr );
 }
 }
diff --git a/HM/Sniffs/Security/NonceVerificationSniff.php b/HM/Sniffs/Security/NonceVerificationSniff.php
index 20a9b61d..a1c09af8 100644
--- a/HM/Sniffs/Security/NonceVerificationSniff.php
+++ b/HM/Sniffs/Security/NonceVerificationSniff.php
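Review bot: The new signature types `$file` but leaves `$legacy` untyped, even though the docblock and the `preg_quote( $legacy )` call two lines below treat it as a string; `protected function duplicate_ignores( PhpcsFile $file, string $legacy ) {` would have the engine enforce what the docblock promises, and `composer.json` already requires PHP >= 7.1 so scalar types are available. Inserting a required parameter in front of `$legacy` also changes the trait's method contract, so every consumer must be updated in the same change — the three sniffs in this patch are, but any other class using `ExtraSniffCode` would now fail with an argument-count error. The method body continues past the end of the hunk.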
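Review bot: Moving `duplicate_ignores()` from `init()` into `process()` makes it run once per token the sniff listens for instead of once per file, and each run walks every entry in `$file->tokenizer->ignoredLines` and applies the regex built in the trait, so files with many `phpcs:ignore` annotations and many output statements pay that cost repeatedly. Presumably the move is forced by WPCS 3.0 no longer calling `init()`; a guard that remembers which file was last handled restores the once-per-file behaviour while staying compatible, as sketched below. Whether repeated runs can also pile up duplicate entries depends on the part of the trait body outside this patch's hunks; from the visible `array_merge()` alone it is not certain they cannot. The same move is made in `NonceVerificationSniff.php` and `ValidatedSanitizedInputSniff.php` in this patch.
```php
	/** @var string|null Filename whose ignores have already been duplicated. */
	private $ignores_duplicated_for = null;

	public function process( PhpcsFile $file, $stackPtr ) {
		// duplicate_ignores() walks every ignored line; do it once per file, not once per token.
		if ( $file->getFilename() !== $this->ignores_duplicated_for ) {
			$this->duplicate_ignores( $file, 'WordPress.Security.EscapeOutput' );
			$this->ignores_duplicated_for = $file->getFilename();
		}
		return parent::process( $file, $stackPtr );
	}
```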
@@ -27,17 +27,17 @@ class NonceVerificationSniff extends WPCSNonceVerificationSniff {
 public $allowQueryVariables = false;
 /**
- * Override init to override config and duplicate any ignores.
+ * Override process to override config and duplicate any ignores.
 *
 * @param PhpcsFile $phpcsFile
+ * @param int $stackPtr
 */
- public function init( PhpcsFile $file ) {
- parent::init( $file );
-
+ public function process( PhpcsFile $file, $stackPtr ) {
 if ( $this->allowQueryVariables ) {
 unset( $this->superglobals[ '$_GET' ] );
 }
- $this->duplicate_ignores( 'WordPress.Security.NonceVerification' );
+ $this->duplicate_ignores( $file, 'WordPress.Security.NonceVerification' );
+ return parent::process( $file, $stackPtr );
 }
 }
diff --git a/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php b/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php
index b1178616..8104efdd 100644
--- a/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php
+++ b/HM/Sniffs/Security/ValidatedSanitizedInputSniff.php
@@ -36,14 +36,14 @@ class ValidatedSanitizedInputSniff extends WPCSValidatedSanitizedInputSniff {
 ];
 /**
- * Override init to duplicate any ignores.
+ * Override process to duplicate any ignores.
 *
 * @param PhpcsFile $phpcsFile
+ * @param int $stackPtr
 */
- protected function init( PhpcsFile $phpcsFile ) {
- parent::init( $phpcsFile );
-
- $this->duplicate_ignores( 'WordPress.Security.ValidatedSanitizedInput' );
+ public function process( PhpcsFile $file, $stackPtr ) {
+ $this->duplicate_ignores( $file, 'WordPress.Security.ValidatedSanitizedInput' );
+ return parent::process( $file, $stackPtr );
 }
 /**
From 11e1447f7ee0f6b809a0a033450368cae336901a Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 21 Feb 2024 20:13:27 +0000
Subject: [PATCH 5/9] Load NonceVerificationSniff in tests
---
 tests/bootstrap.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
index 1afd902e..025aff9b 100644
--- a/tests/bootstrap.php
+++ b/tests/bootstrap.php
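Review bot: The docblock still names the parameter `$phpcsFile` while the new signature calls it `$file`, so `@param PhpcsFile $phpcsFile` should read `@param PhpcsFile $file`; the `ValidatedSanitizedInputSniff.php` hunk in this patch has the same mismatch. Separately, `unset( $this->superglobals[ '$_GET' ] )` now executes on every token the sniff processes rather than once per file; it is idempotent, so the result is unchanged, but a one-line comment would spare the next reader the question, e.g. `// Idempotent: repeated per token now that init() is no longer used.`.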
@@ -27,4 +27,5 @@
 require dirname( __DIR__ ) . '/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/NonceVerificationSniff.php';
 require dirname( __DIR__ ) . '/vendor/wp-coding-standards/wpcs/WordPress/PHPCSHelper.php';
 require dirname( __DIR__ ) . '/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/EscapeOutputSniff.php';
+require dirname( __DIR__ ) . '/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/NonceVerificationSniff.php';
 require dirname( __DIR__ ) . '/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/ValidatedSanitizedInputSniff.php';
From 798d1372fed69c54a9cc9043dbd70c392acdd6ea Mon Sep 17 00:00:00 2001
From: goldenapples
Date: Mon, 1 Apr 2024 17:18:02 -0400
Subject: [PATCH 6/9] Update sniff names for ignored short arrays and short ternaries
These sniffs have been renamed upstream; I'm updating the ignore refernces to them here to avoid errors parsing the HM ruleset.
---
 HM/ruleset.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/HM/ruleset.xml b/HM/ruleset.xml
index 8e472a4d..c9e5ab6a 100644
--- a/HM/ruleset.xml
+++ b/HM/ruleset.xml
@@ -24,9 +24,9 @@ - - - + + + - + - + - +
From c5f69a8b9acaac86fe5f3c0854f3dd446a82c949 Mon Sep 17 00:00:00 2001
From: goldenapples
Date: Tue, 2 Apr 2024 10:58:37 -0400
Subject: [PATCH 8/9] Add AllowDynamicProperties annotation for PHP 8.3 compat
---
 HM/Sniffs/Security/EscapeOutputSniff.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/HM/Sniffs/Security/EscapeOutputSniff.php b/HM/Sniffs/Security/EscapeOutputSniff.php
index cbf71095..6c99c13e 100644
--- a/HM/Sniffs/Security/EscapeOutputSniff.php
+++ b/HM/Sniffs/Security/EscapeOutputSniff.php
@@ -14,6 +14,7 @@
 *
 * @see https://github.com/WordPress/WordPress-Coding-Standards/issues/1864
 */
+#[AllowDynamicProperties]
 class EscapeOutputSniff extends WPCSEscapeOutputSniff {
 use ExtraSniffCode;
From 4834dfc505f2dbd7840defbef60499d05c37cf9e Mon Sep 17 00:00:00 2001
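Review bot: The added `require` loads `WordPress/Sniffs/Security/NonceVerificationSniff.php`, but the first context line of this hunk already requires exactly that path, so unless I am misreading the collapsed hunk the bootstrap now includes the same class file twice. Because these are plain `require` statements rather than `require_once`, the second inclusion redeclares the class and PHP fatals before any test runs. Either drop the new line or switch the bootstrap to `require_once` so that ordering changes like this stay harmless.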
From: Joeleen Kennedy
Date: Tue, 2 Apr 2024 13:15:22 -0400
Subject: [PATCH 9/9] Add backslash to AllowDynamicProperties
---
 HM/Sniffs/Security/EscapeOutputSniff.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HM/Sniffs/Security/EscapeOutputSniff.php b/HM/Sniffs/Security/EscapeOutputSniff.php
index 6c99c13e..861113fe 100644
--- a/HM/Sniffs/Security/EscapeOutputSniff.php
+++ b/HM/Sniffs/Security/EscapeOutputSniff.php
@@ -14,7 +14,7 @@
 *
 * @see https://github.com/WordPress/WordPress-Coding-Standards/issues/1864
 */
-#[AllowDynamicProperties]
+#[\AllowDynamicProperties]
 class EscapeOutputSniff extends WPCSEscapeOutputSniff {
 use ExtraSniffCode;
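Review bot: `#[\AllowDynamicProperties]` silences the PHP 8.2+ deprecation for whatever undeclared property this class or its WPCS parent writes, but it does not say which one, so a later maintainer cannot tell whether the dynamic property is deliberate or a typo for a declared one. A short comment above the attribute naming the property and why it cannot simply be declared would make that reviewable, and declaring the property is the more robust fix if it belongs to this class. Note also that on the PHP 7.x versions `composer.json` still allows (`"php": ">=7.1"`), the `#[...]` line is parsed as a `#` comment, which is only harmless because the attribute sits alone on its own line — worth stating in the same comment so nobody folds it onto the `class` line.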