From c53ae779643dd8a931053a5d2890bed279360cc1 Mon Sep 17 00:00:00 2001
From: Jonny Harris <spacedmonkey@users.noreply.github.com>
Date: Fri, 1 Dec 2023 20:04:50 +0000
Subject: [PATCH] Install WordPress VIP GO coding standards. (#235)

* Install WordPress VIP GO coding standards.

* Move rule

* Move rule

* Use esc_html__
---
 admin.php                           | 19 +++++++-----
 composer.json                       |  9 +++---
 lib/class-wp-rest-client.php        |  4 +--
 lib/class-wp-rest-oauth1-admin.php  | 48 +++++++++++++++++++----------
 lib/class-wp-rest-oauth1-client.php | 13 +++++---
 lib/class-wp-rest-oauth1-ui.php     |  7 ++---
 lib/class-wp-rest-oauth1.php        |  4 +--
 oauth-server.php                    |  4 +--
 phpcs.xml.dist                      | 39 +++++++++++++++++------
 theme/oauth1-authorize.php          | 14 ++++-----
 10 files changed, 100 insertions(+), 61 deletions(-)

diff --git a/admin.php b/admin.php
index d8be5ff..8f9dfe8 100644
--- a/admin.php
+++ b/admin.php
@@ -22,12 +22,15 @@
 function rest_oauth1_profile_section( $user ) {
 	global $wpdb;
 
-	$results  = $wpdb->get_col( "SELECT option_value FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%'" );
+	$results  = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%'" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
 	$approved = array();
-	foreach ( $results as $result ) {
-		$row = unserialize( $result );
-		if ( $row['user'] === $user->ID ) {
-			$approved[] = $row;
+	foreach ( $results as $option_name ) {
+		$option = get_option( $option_name );
+		if ( ! is_array( $option ) || ! isset( $option['user'] ) ) {
+			continue;
+		}
+		if ( $option['user'] === $user->ID ) {
+			$approved[] = $option;
 		}
 	}
 
@@ -81,10 +84,10 @@ function rest_oauth1_profile_messages() {
 	}
 
 	if ( ! empty( $_GET['rest_oauth1_revoked'] ) ) {
-		echo '<div id="message" class="updated"><p>' . __( 'Token revoked.', 'rest_oauth1' ) . '</p></div>';
+		printf( '<div id="message" class="updated"><p>%s</p></div>', esc_html__( 'Token revoked.', 'rest_oauth1' ) );
 	}
 	if ( ! empty( $_GET['rest_oauth1_revocation_failed'] ) ) {
-		echo '<div id="message" class="updated"><p>' . __( 'Unable to revoke token.', 'rest_oauth1' ) . '</p></div>';
+		printf( '<div id="message" class="updated"><p>%s</p></div>', esc_html__( 'Unable to revoke token.', 'rest_oauth1' ) );
 	}
 }
 
@@ -98,7 +101,7 @@ function rest_oauth1_profile_save( $user_id ) {
 		return;
 	}
 
-	$key = wp_unslash( $_POST['rest_oauth1_revoke'] );
+	$key = sanitize_text_field( wp_unslash( $_POST['rest_oauth1_revoke'] ) );
 
 	$authenticator = new WP_REST_OAuth1();
 
diff --git a/composer.json b/composer.json
index 235f7b3..75cd17d 100644
--- a/composer.json
+++ b/composer.json
@@ -19,9 +19,9 @@
         "php": "5.4"
        },
        "allow-plugins": {
-        "dealerdirect/phpcodesniffer-composer-installer": true,
-        "composer/installers": true
-       }
+            "dealerdirect/phpcodesniffer-composer-installer": true,
+            "composer/installers": true
+        }
     },
     "require": {
       "php": "^5.4 || ^7.0 || ^8.0",
@@ -30,7 +30,8 @@
     "require-dev": {
         "wp-coding-standards/wpcs": "^3.0",
         "phpcompatibility/phpcompatibility-wp": "^2.1",
-        "sirbrillig/phpcs-variable-analysis": "^2.8"
+        "sirbrillig/phpcs-variable-analysis": "^2.8",
+        "automattic/vipwpcs": "^3.0"
     },
     "scripts": {
       "format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source",
diff --git a/lib/class-wp-rest-client.php b/lib/class-wp-rest-client.php
index b3459e0..3bb1d1c 100644
--- a/lib/class-wp-rest-client.php
+++ b/lib/class-wp-rest-client.php
@@ -252,9 +252,7 @@ protected static function get_called_class() {
 		}
 
 		// PHP 5.2 only.
-		$backtrace = debug_backtrace();
-		// [0] WP_REST_Client::get_called_class()
-		// [1] WP_REST_Client::function()
+		$backtrace = debug_backtrace(); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace
 		if ( 'call_user_func' === $backtrace[2]['function'] ) {
 			return $backtrace[2]['args'][0][0];
 		}
diff --git a/lib/class-wp-rest-oauth1-admin.php b/lib/class-wp-rest-oauth1-admin.php
index 6ed5ad2..fcba04e 100644
--- a/lib/class-wp-rest-oauth1-admin.php
+++ b/lib/class-wp-rest-oauth1-admin.php
@@ -236,7 +236,7 @@ protected static function handle_edit_submit( $consumer ) {
 	 */
 	public static function render_edit_page() {
 		if ( ! current_user_can( 'edit_users' ) ) {
-			wp_die( __( 'You do not have permission to access this page.', 'rest_oauth1' ) );
+			wp_die( esc_html__( 'You do not have permission to access this page.', 'rest_oauth1' ) );
 		}
 
 		// Are we editing?
@@ -246,8 +246,12 @@ public static function render_edit_page() {
 		if ( ! empty( $_REQUEST['id'] ) ) {
 			$id       = absint( $_REQUEST['id'] );
 			$consumer = WP_REST_OAuth1_Client::get( $id );
-			if ( is_wp_error( $consumer ) || empty( $consumer ) ) {
-				wp_die( __( 'Invalid consumer ID.', 'rest_oauth1' ) );
+			if ( is_wp_error( $consumer ) ) {
+				wp_die( $consumer ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			}
+
+			if ( empty( $consumer ) ) {
+				wp_die( esc_html__( 'Invalid consumer ID.', 'rest_oauth1' ) );
 			}
 
 			$form_action       = self::get_url(
@@ -318,7 +322,7 @@ public static function render_edit_page() {
 		<?php
 		if ( ! empty( $messages ) ) {
 			foreach ( $messages as $msg ) {
-				echo '<div id="message" class="notice is-dismissible notice-' . $notice_type . '"><p>' . esc_html( $msg ) . '</p></div>';
+				printf( '<div id="message" class="notice is-dismissible notice-%s"><p>%s</p></div>', esc_attr( $notice_type ), esc_html( $msg ) );
 			}
 		}
 		?>
@@ -420,23 +424,31 @@ public static function handle_delete() {
 		if ( ! current_user_can( 'delete_post', $id ) ) {
 			$code = is_user_logged_in() ? 403 : 401;
 			wp_die(
-				'<h1>' . __( 'An error has occurred.', 'rest_oauth1' ) . '</h1>' .
-				'<p>' . __( 'You are not allowed to delete this application.', 'rest_oauth1' ) . '</p>',
-				$code
+				sprintf(
+					'<h1>%s</h1><p>%s</p>',
+					esc_html__( 'You are not allowed to delete this application.', 'rest_oauth1' ),
+					esc_html__( 'An error has occurred.', 'rest_oauth1' )
+				),
+				'',
+				array( 'response' => (int) $code )
 			);
 		}
 
 		$client = WP_REST_OAuth1_Client::get( $id );
 		if ( is_wp_error( $client ) ) {
-			wp_die( $client );
+			wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 
 		if ( ! $client->delete() ) {
 			$code = is_user_logged_in() ? 403 : 401;
 			wp_die(
-				'<h1>' . __( 'An error has occurred.', 'rest_oauth1' ) . '</h1>' .
-				'<p>' . __( 'Invalid consumer ID', 'rest_oauth1' ) . '</p>',
-				$code
+				sprintf(
+					'<h1>%s</h1><p>%s</p>',
+					esc_html__( 'An error has occurred.', 'rest_oauth1' ),
+					esc_html__( 'Invalid consumer ID', 'rest_oauth1' )
+				),
+				'',
+				array( 'response' => (int) $code )
 			);
 		}
 
@@ -458,19 +470,23 @@ public static function handle_regenerate() {
 		if ( ! current_user_can( 'edit_post', $id ) ) {
 			$code = is_user_logged_in() ? 403 : 401;
 			wp_die(
-				'<h1>' . __( 'An error has occurred.', 'rest_oauth1' ) . '</h1>' .
-				'<p>' . __( 'You are not allowed to edit this application.', 'rest_oauth1' ) . '</p>',
-				$code
+				sprintf(
+					'<h1>%s</h1><p>%s</p>',
+					esc_html__( 'An error has occurred.', 'rest_oauth1' ),
+					esc_html__( 'You are not allowed to edit this application.', 'rest_oauth1' )
+				),
+				'',
+				array( 'response' => (int) $code )
 			);
 		}
 
 		$client = WP_REST_OAuth1_Client::get( $id );
 		if ( is_wp_error( $client ) ) {
-			wp_die( $client );
+			wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 		$result = $client->regenerate_secret();
 		if ( is_wp_error( $result ) ) {
-			wp_die( $result );
+			wp_die( $result ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 
 		wp_safe_redirect(
diff --git a/lib/class-wp-rest-oauth1-client.php b/lib/class-wp-rest-oauth1-client.php
index 698ed6a..af4608c 100644
--- a/lib/class-wp-rest-oauth1-client.php
+++ b/lib/class-wp-rest-oauth1-client.php
@@ -52,12 +52,15 @@ protected static function get_type() {
 	 */
 	public function delete() {
 		global $wpdb;
-		$results       = $wpdb->get_results( "SELECT * FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'", ARRAY_A );
+		$results       = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE 'oauth1_access_%' OR option_name LIKE 'oauth1_request_%'", ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
 		$delete_option = array();
-		foreach ( $results as $result ) {
-			$row = unserialize( $result['option_value'] );
-			if ( $this->post->ID === $row['consumer'] ) {
-				$delete_option[] = $result['option_name'];
+		foreach ( $results as $option_name ) {
+			$option = get_option( $option_name );
+			if ( ! is_array( $option ) || ! isset( $option['consumer'] ) ) {
+				continue;
+			}
+			if ( $this->post->ID === $option['consumer'] ) {
+				$delete_option[] = $option_name;
 			}
 		}
 
diff --git a/lib/class-wp-rest-oauth1-ui.php b/lib/class-wp-rest-oauth1-ui.php
index b74798f..5d1cd16 100644
--- a/lib/class-wp-rest-oauth1-ui.php
+++ b/lib/class-wp-rest-oauth1-ui.php
@@ -155,8 +155,8 @@ public function handle_callback_redirect( $verifier ) {
 			login_header( __( 'Access Token', 'rest_oauth1' ) );
 			echo '<p>' . sprintf(
 				/* translators: %s: verifier **/
-				__( 'Your verification token is <code>%s</code>', 'rest_oauth1' ),
-				$verifier
+				wp_kses( __( 'Your verification token is <code>%s</code>', 'rest_oauth1' ), array( 'code' ) ),
+				esc_html( $verifier )
 			) .
 				'</p>';
 			login_footer();
@@ -183,8 +183,7 @@ public function handle_callback_redirect( $verifier ) {
 
 		// Offsite, so skip safety check.
 		wp_redirect( $callback );
-
-		return null;
+		exit;
 	}
 
 	/**
diff --git a/lib/class-wp-rest-oauth1.php b/lib/class-wp-rest-oauth1.php
index 742a709..48563db 100644
--- a/lib/class-wp-rest-oauth1.php
+++ b/lib/class-wp-rest-oauth1.php
@@ -84,7 +84,7 @@ public function parse_header( $header ) {
 	 */
 	public function get_authorization_header() {
 		if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
-			return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
+			return sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) );
 		}
 
 		if ( function_exists( 'getallheaders' ) ) {
@@ -695,7 +695,7 @@ public function check_oauth_signature( $consumer, $oauth_params, $token = null )
 
 		$params = array_merge( $params, $oauth_params );
 
-		$request_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
+		$request_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); // phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url
 		$wp_base      = get_home_url( null, '/', 'relative' );
 		if ( substr( $request_path, 0, strlen( $wp_base ) ) === $wp_base ) {
 			$request_path = substr( $request_path, strlen( $wp_base ) );
diff --git a/oauth-server.php b/oauth-server.php
index c7b5b07..20d4dc7 100644
--- a/oauth-server.php
+++ b/oauth-server.php
@@ -145,13 +145,13 @@ function rest_oauth1_loaded() {
 		}
 
 		status_header( $status );
-		echo $response->get_error_message();
+		echo $response->get_error_message(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		die();
 	}
 
 	$response = http_build_query( $response, '', '&' );
 
-	echo $response;
+	echo $response;  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 
 	// Finish off our request.
 	die();
diff --git a/phpcs.xml.dist b/phpcs.xml.dist
index 8b269f3..92ba002 100644
--- a/phpcs.xml.dist
+++ b/phpcs.xml.dist
@@ -11,9 +11,35 @@
 	</rule>
 
     <rule ref="WordPress-Core"/>
-	<rule ref="WordPress-Docs">
-        <exclude-pattern>lib/class-wp-rest-oauth1-cli.php</exclude-pattern>
-     </rule>
+    <rule ref="WordPress-VIP-Go"/>
+
+	<rule ref="WordPress.DB.SlowDBQuery">
+		<exclude-pattern>lib/class-wp-rest-oauth1-listtable.php</exclude-pattern>
+		<exclude-pattern>lib/class-wp-rest-client.php</exclude-pattern>
+	</rule>
+
+	<rule ref="WordPress.Security.ValidatedSanitizedInput">
+        <exclude-pattern>*.php</exclude-pattern>
+        <exclude-pattern>lib/*</exclude-pattern>
+    </rule>
+
+    <rule ref="WordPress.Security.NonceVerification">
+        <exclude-pattern>*.php</exclude-pattern>
+        <exclude-pattern>lib/*</exclude-pattern>
+    </rule>
+
+    <rule ref="WordPressVIPMinimum.Classes.RestrictedExtendClasses.wp_cli">
+     	 <exclude-pattern>lib/class-wp-rest-oauth1-cli.php</exclude-pattern>
+    </rule>
+
+ 	<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.flush_rewrite_rules_flush_rewrite_rules">
+ 	    <exclude-pattern>oauth-server.php</exclude-pattern>
+ 	</rule>
+
+ 	<rule ref="WordPress.WP.GlobalVariablesOverride.Prohibited">
+        <exclude-pattern>oauth-server.php</exclude-pattern>
+        <exclude-pattern>lib/class-wp-rest-oauth1-admin.php</exclude-pattern>
+    </rule>
 
     <rule ref="WordPress.WP.I18n">
 		<properties>
@@ -27,15 +53,8 @@
 		<properties>
 			<property name="allowUnusedParametersBeforeUsed" value="true"/>
 		</properties>
-		<exclude-pattern>theme/*.php</exclude-pattern>
-		<exclude-pattern>lib/class-wp-rest-oauth1-ui.php</exclude-pattern>
 	</rule>
 
-	<rule ref="Squiz.Commenting.FileComment.Missing">
- 		<exclude-pattern>*.php</exclude-pattern>
- 		<exclude-pattern>lib/*</exclude-pattern>
-    </rule>
-
     <rule ref="PEAR.Functions.FunctionCallSignature">
 		<properties>
 			<property name="allowMultipleArguments" value="false"/>
diff --git a/theme/oauth1-authorize.php b/theme/oauth1-authorize.php
index f2cf1d8..9d4f11f 100644
--- a/theme/oauth1-authorize.php
+++ b/theme/oauth1-authorize.php
@@ -16,7 +16,7 @@
 	$errors
 );
 
-$current_user = wp_get_current_user();
+$this_user = wp_get_current_user();
 
 $url = site_url( 'wp-login.php?action=oauth1_authorize', 'login_post' );
 $url = add_query_arg( 'oauth_token', $token_key, $url );
@@ -77,16 +77,16 @@
 
 	<div class="login-info">
 
-		<?php echo get_avatar( $current_user->ID, '78' ); ?>
+		<?php echo get_avatar( $this_user->ID, '78' ); ?>
 
 		<p>
 		<?php
 			printf(
 				// translators: 1: username. 2: consumer name.
-				__( 'Howdy <strong>%1$s</strong>,<br/> "%2$s" would like to connect to %3$s.', 'rest_oauth1' ),
-				$current_user->user_login,
-				$consumer->post_title,
-				get_bloginfo( 'name' )
+				wp_kses( __( 'Howdy <strong>%1$s</strong>,<br/> "%2$s" would like to connect to %3$s.', 'rest_oauth1' ), array( 'strong', 'br' ) ),
+				esc_html( $this_user->user_login ),
+				esc_html( $consumer->post_title ),
+				esc_html( get_bloginfo( 'name' ) )
 			)
 			?>
 		</p>
@@ -120,7 +120,7 @@
 	 *
 	 * @param string $registration_url Registration URL.
 	 */
-	echo ' | ' . apply_filters( 'register', $registration_url );
+	echo ' | ' . esc_url( apply_filters( 'register', $registration_url ) );
 endif;
 ?>
 </p>