Skip to content

Fix/feedback cr self service into Development#121

Merged
noelsaw1 merged 7 commits intodevelopmentfrom
fix/feedback-cr-self-service
Mar 24, 2026
Merged

Fix/feedback cr self service into Development#121
noelsaw1 merged 7 commits intodevelopmentfrom
fix/feedback-cr-self-service

Conversation

@noelsaw1
Copy link
Copy Markdown
Contributor

@noelsaw1 noelsaw1 commented Mar 24, 2026

Description

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📝 Documentation update
  • 🧪 Test update
  • ♻️ Refactoring (no functional changes)

Related Issue

Fixes #(issue number)

Changes Made

Testing

  • Ran dist/tests/run-fixture-tests.sh - All tests pass
  • Tested against real WordPress plugin/theme
  • Added new test fixtures (if applicable)
  • Verified no new issues in dist/tests/fixtures/clean-code.php

Checklist

  • My code follows the project's coding standards
  • I have updated the documentation (README.md, CHANGELOG.md)
  • I have added tests that prove my fix/feature works
  • All new and existing tests pass
  • I have updated CHANGELOG.md with my changes
  • I have read and agree to the Contributor License Agreement (CLA)

CLA Signature

For first-time contributors: Please comment below with:

I have read and agree to the CLA

This is a one-time requirement. Once signed, you can contribute to all future PRs without re-signing.

Questions about the CLA? See CLA.md or email cla@hypercart.com

Additional Notes

noelsaw1 added 7 commits March 23, 2026 19:26
@noelsaw1
Fix FPs: exec word boundary + wp-load bootstrap exclusion
740ba08 
- php-shell-exec-functions: add \b word boundary to exec-call pattern
  to prevent curl_exec() being flagged as shell execution (8 CRITICAL FPs)
- php-dynamic-include: exclude lines containing 'wp-load' from dynamic
  include detection; WP bootstrap finder pattern (static array -> wp-load.php)
  is not a user-controlled include vulnerability (2 CRITICAL FPs)
@noelsaw1
Update FEEDBACK-CR-SELF-SERVICE.md
39d06b4
@noelsaw1
Research + document spo-002 and unsanitized-superglobal FP root causes
2649fb1 
spo-002 CURLOPT_POST FPs (~30 findings):
- Root cause: inline bash grep uses double-quoted \FEEDBACK-CR-SELF-SERVICE.md which expands the
  $_ bash special variable (last command arg), corrupting the ERE pattern
- JSON pattern itself is correct; bug is in check-performance.sh ~L3723
- Fix: single-quote the inline grep pattern string

unsanitized-superglobal-read sanitized-reads FPs (~20 findings):
- Root cause: simple pattern runner (check-performance.sh ~L5970) never
  applies exclude_patterns from the JSON definition
- Same-line sanitize_text_field/isset wrapping is not filtered out
- Fix: pipe cached_grep output through grep -v for each exclude_pattern
@noelsaw1
Fix spo-002 grep expansion and apply simple pattern exclusions
81079d6 
- single-quote inline spo-002 grep to stop bash $_ expansion from corrupting
  the superglobal regex at runtime
- honor JSON exclude_patterns and exclude_files in the simple pattern runner
  before adding findings
- document measured impact from verification scan against
  creditconnection2-self-service
@noelsaw1
Fix php-dynamic-include WP-CLI bootstrap false positives
e739ebf
@noelsaw1
Refresh planning docs and finalize recent scanner fixes
83c5b9a
@noelsaw1
Update 4X4.md
34833e1
@noelsaw1 noelsaw1 merged commit c677966 into development Mar 24, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@noelsaw1