Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PHP doesn't pass the WordPress coding standards #437

Open
kasparsd opened this issue Mar 24, 2022 · 2 comments
Open

PHP doesn't pass the WordPress coding standards #437

kasparsd opened this issue Mar 24, 2022 · 2 comments

Comments

@kasparsd
Copy link
Collaborator

kasparsd commented Mar 24, 2022

The codebase currently reports several critical issues when checked against the WPCS rulesets.

FILE: providers/class-two-factor-email.php
----------------------------------------------------------------------
FOUND 0 ERRORS AND 2 WARNINGS AFFECTING 2 LINES
----------------------------------------------------------------------
 299 | WARNING | Processing form data without nonce verification.
     |         | (WordPress.Security.NonceVerification.Recommended)
 316 | WARNING | Processing form data without nonce verification.
     |         | (WordPress.Security.NonceVerification.Recommended)
----------------------------------------------------------------------


FILE: providers/class-two-factor-backup-codes.php
----------------------------------------------------------------------
FOUND 2 ERRORS AFFECTING 1 LINE
----------------------------------------------------------------------
 307 | ERROR | Processing form data without nonce verification.
     |       | (WordPress.Security.NonceVerification.Missing)
 307 | ERROR | Processing form data without nonce verification.
     |       | (WordPress.Security.NonceVerification.Missing)
----------------------------------------------------------------------


FILE: providers/class-two-factor-fido-u2f-admin.php
----------------------------------------------------------------------
FOUND 2 ERRORS AND 4 WARNINGS AFFECTING 3 LINES
----------------------------------------------------------------------
 [24](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:24)0 | WARNING | Detected usage of a non-sanitized input variable:
     |         | $_POST['u2f_response']
     |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 240 | ERROR   | Detected usage of a possibly undefined superglobal
     |         | array index: $_POST['u2f_response']. Use isset() or
     |         | empty() to check the index exists before using
     |         | it
     |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
 [27](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:27)7 | WARNING | Processing form data without nonce verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_REQUEST['redirect_to']
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
  885 | ERROR   | Detected usage of a possibly undefined superglobal
      |         | array index: $_REQUEST['redirect_to']. Use isset()
      |         | or empty() to check the index exists before using
      |         | it
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
  885 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_REQUEST['redirect_to']
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
  885 | ERROR   | Detected usage of a possibly undefined superglobal
      |         | array index: $_REQUEST['redirect_to']. Use isset()
      |         | or empty() to check the index exists before using
      |         | it
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
 1024 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_POST[self::ENABLED_PROVIDERS_USER_META_KEY]
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 10[31](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:31) | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_POST[self::PROVIDER_USER_META_KEY]
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 10[46](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:46) | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
----------------------------------------------------------------------
@kasparsd
Copy link
Collaborator Author

Related to #6.

@kasparsd
Copy link
Collaborator Author

The linter reporting during CI is currently silenced here:

- name: Lint PHP
run: npm run lint:php || true # Ignore for now.

@jeffpaul jeffpaul added this to the Future Release milestone Mar 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants