Sniff for nonce verification #325
Conversation
At first glance, I didn't think this was going to be stable, but you've captured the typical format of functions well, good job. Another todo item please - support |
@GaryJones I don't think |
It might not be used in Core, but nothing in the standards says it can't be used in themes and plugin development. As a start, it passes the sanitisation checks that WPCS makes, since superglobals are not used directly. |
@GaryJones yeah, but I'm not sure if such a sniff enabled by default in |
Yeah, I think it might be better as a separate sniff. We can abstract out parts of this one if needed. |
This makes it available to other sniffs. Two can use it already.
Previously all input vars after the first one would be flagged.
This makes the sniff more efficient.
I've added support for whitelisting comments. There is one more thing that needs to be done, and that is allow for some sanitization functions to be called on input before a nonce check. This is needed for code like this:

```php
$slug = sanitize_key( $_POST['thing_slug'] );
check_admin_referer( 'something_' . $slug );
```

I'll work on that, and try to have this ready to merge right after 0.4.0 is released. That way it will get plenty of time in |
It will give an error by default.
It’s no longer necessary to pass these values around now that they are properties of the class. (See `WordPress_Sniff::init()`).
But if sanitization occurs within a function call, that isn’t allowed.
Done. This is ready to be merged as soon as |
This is the first pass at a sniff that checks for the use of nonce verification where needed.

It works by checking for the usage of the `$_GET`, `$_REQUEST`, and `$_POST` superglobals. Wherever these are used, it checks to make sure that a nonce verification function is used in the same scope.

Whether to give a warning or an error can be configured per-superglobal. Currently the default is to give errors for the `$_POST` superglobal, and only warnings for `$_GET` and `$_REQUEST`. This can be changed via XML config:

It is also possible to add to the list of nonce verification functions via an XML config file like this:

By default, the list includes only `wp_verify_nonce()`, `check_admin_referer()`, and `check_ajax_referer()`.

Even if a function contains a nonce check, any use of the superglobals within the function before that point will be flagged, except within `isset()` or `empty()` checks:

I've added this sniff to the `WordPress-VIP` and `WordPress-Extra` rulesets. Possibly the `errorForSuperGlobals` config should be set differently from the default for VIP.

TODO:

- `// comment`

Related: #73
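To make the rule in the description concrete, here is an added example that is not part of this PR or of WPCS itself: a small stand-alone Python model of the check, run over a constructed PHP sample rather than through PHP_CodeSniffer. It implements the behaviour the description states (per-function scope, `$_POST` as an error and `$_GET`/`$_REQUEST` as warnings, reads inside `isset()`/`empty()` exempt, reads after the nonce verification call exempt), and additionally models the planned allowance from the comment above: a read wrapped in a sanitizing function before the nonce check passes only when a nonce check follows later in the same scope. All function names, the sanitizer list, the sample handlers and the regex-based parsing are my assumptions, not the project's code.

```python
import re

# Added example modelling the WPCS nonce-verification rule described in PR #325.
# This is NOT the project's sniff; it is a simplified regex-based scanner for illustration.

NONCE_FUNCTIONS = {"wp_verify_nonce", "check_admin_referer", "check_ajax_referer"}
GUARD_FUNCTIONS = {"isset", "empty"}
# Assumed subset of WordPress sanitizers; the real sniff makes this list configurable.
SANITIZING_FUNCTIONS = {"sanitize_key", "sanitize_text_field", "absint"}
# Default severity per superglobal, as stated in the PR description.
SEVERITY = {"$_POST": "error", "$_GET": "warning", "$_REQUEST": "warning"}

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST)\b")
NONCE_RE = re.compile(r"\b(?:" + "|".join(sorted(NONCE_FUNCTIONS)) + r")\s*\(")


def matching_paren(text, open_idx):
    """Index of the ')' closing the '(' at open_idx (parens inside strings are not special-cased)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    return len(text)


def inside_call(text, pos, func_names):
    """True when text[pos] lies inside the argument list of a call to one of func_names."""
    call_re = re.compile(r"\b(?:" + "|".join(map(re.escape, sorted(func_names))) + r")\s*\(")
    for call in call_re.finditer(text, 0, pos):
        open_idx = call.end() - 1
        if open_idx < pos < matching_paren(text, open_idx):
            return True
    return False


def function_bodies(php_source):
    """Yield (name, body) for each function; braces are matched by counting, ignoring strings."""
    for m in FUNC_RE.finditer(php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            depth += {"{": 1, "}": -1}.get(php_source[i], 0)
            i += 1
        yield m.group(1), php_source[m.end():i - 1]


def check_function(name, body):
    """Return (function, superglobal, severity) for each read that the rule flags."""
    findings = []
    nonce = NONCE_RE.search(body)
    nonce_pos = nonce.start() if nonce else None
    for sg in SUPERGLOBAL_RE.finditer(body):
        pos = sg.start()
        if nonce_pos is not None and pos > nonce_pos:
            continue  # used after the nonce verification call: allowed
        if inside_call(body, pos, GUARD_FUNCTIONS):
            continue  # isset()/empty() checks are exempt
        if nonce_pos is not None and inside_call(body, pos, SANITIZING_FUNCTIONS):
            continue  # sanitized input feeding a later nonce check (planned allowance)
        findings.append((name, sg.group(0), SEVERITY[sg.group(0)]))
    return findings


def check_source(php_source):
    findings = []
    for name, body in function_bodies(php_source):
        findings.extend(check_function(name, body))
    return findings


# Constructed sample handlers (not from any real plugin) covering each branch of the rule.
SAMPLE_PHP = r"""<?php
// Flagged as an error: no nonce check anywhere in the function.
function save_settings_bad() {
    $color = sanitize_text_field( $_POST['color'] );
    update_option( 'color', $color );
}

// Clean: the isset() guard is exempt and the real read comes after the check.
function save_settings_good() {
    if ( ! isset( $_POST['color'] ) ) {
        return;
    }
    check_admin_referer( 'save_settings' );
    $color = sanitize_text_field( $_POST['color'] );
    update_option( 'color', $color );
}

// Clean under the planned allowance: a sanitized read builds the nonce action.
function delete_thing() {
    $slug = sanitize_key( $_POST['thing_slug'] );
    check_admin_referer( 'delete_' . $slug );
    delete_option( 'thing_' . $slug );
}

// Flagged as a warning: request variable read with no nonce verification.
function list_things() {
    $page = absint( $_REQUEST['page'] );
    return $page;
}
"""

if __name__ == "__main__":
    for func, var, severity in check_source(SAMPLE_PHP):
        print(f"{severity.upper():7} {func}(): {var} used without nonce verification")
```

Running it reports `save_settings_bad()` as an error and `list_things()` as a warning, while the two functions that verify a nonce before acting on input pass. The real sniff works on PHP_CodeSniffer tokens rather than regexes, so this model will mis-handle braces or parentheses inside string literals; it is meant to show the scope rule, not to replace the sniff.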