sdc-build-wp 4.1.0 → 4.1.2

package/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/NonceVerificationSniff.php

@@ -1,422 +0,0 @@
-<?php
-/**
- * WordPress Coding Standard.
- *
- * @package WPCS\WordPressCodingStandards
- * @link    https://github.com/WordPress/WordPress-Coding-Standards
- * @license https://opensource.org/licenses/MIT MIT
- */
-
-namespace WordPressCS\WordPress\Sniffs\Security;
-
-use PHPCSUtils\Tokens\Collections;
-use PHPCSUtils\Utils\Conditions;
-use PHPCSUtils\Utils\Context;
-use PHPCSUtils\Utils\Lists;
-use PHPCSUtils\Utils\MessageHelper;
-use PHPCSUtils\Utils\Scopes;
-use WordPressCS\WordPress\Helpers\ContextHelper;
-use WordPressCS\WordPress\Helpers\RulesetPropertyHelper;
-use WordPressCS\WordPress\Helpers\SanitizationHelperTrait;
-use WordPressCS\WordPress\Helpers\UnslashingFunctionsHelper;
-use WordPressCS\WordPress\Helpers\VariableHelper;
-use WordPressCS\WordPress\Sniff;
-
-/**
- * Checks that nonce verification accompanies form processing.
- *
- * @link https://developer.wordpress.org/plugins/security/nonces/ Nonces on Plugin Developer Handbook
- *
- * @since 0.5.0
- * @since 0.13.0 Class name changed: this class is now namespaced.
- * @since 1.0.0  This sniff has been moved from the `CSRF` category to the `Security` category.
- * @since 3.0.0  This sniff has received significant updates to its logic and structure.
- *
- * @uses \WordPressCS\WordPress\Helpers\SanitizationHelperTrait::$customSanitizingFunctions
- * @uses \WordPressCS\WordPress\Helpers\SanitizationHelperTrait::$customUnslashingSanitizingFunctions
- */
-class NonceVerificationSniff extends Sniff {
-
-	use SanitizationHelperTrait;
-
-	/**
-	 * Superglobals to notify about when not accompanied by an nonce check.
-	 *
-	 * A value of `true` results in an error. A value of `false` in a warning.
-	 *
-	 * @since 0.12.0
-	 *
-	 * @var array
-	 */
-	protected $superglobals = array(
-		'$_POST'    => true,
-		'$_FILES'   => true,
-		'$_GET'     => false,
-		'$_REQUEST' => false,
-	);
-
-	/**
-	 * Custom list of functions which verify nonces.
-	 *
-	 * @since 0.5.0
-	 *
-	 * @var string[]
-	 */
-	public $customNonceVerificationFunctions = array();
-
-	/**
-	 * List of the functions which verify nonces.
-	 *
-	 * @since 0.5.0
-	 * @since 0.11.0 Changed from public static to protected non-static.
-	 * @since 3.0.0  - Moved from the generic `Sniff` class to this class.
-	 *               - Visibility changed from `protected` to `private.
-	 *
-	 * @var array
-	 */
-	private $nonceVerificationFunctions = array(
-		'wp_verify_nonce'     => true,
-		'check_admin_referer' => true,
-		'check_ajax_referer'  => true,
-	);
-
-	/**
-	 * Cache of previously added custom functions.
-	 *
-	 * Prevents having to do the same merges over and over again.
-	 *
-	 * @since 0.5.0
-	 * @since 0.11.0 - Changed from public static to protected non-static.
-	 *               - Changed the format from simple bool to array.
-	 * @since 3.0.0  - Property rename from `$addedCustomFunctions` to `$addedCustomNonceFunctions`.
-	 *               - Visibility changed from `protected` to `private.
-	 *               - Format changed from a multi-dimensional array to a single-dimensional array.
-	 *
-	 * @var array
-	 */
-	private $addedCustomNonceFunctions = array();
-
-	/**
-	 * Information on the all scopes that were checked to find a nonce verification in a particular file.
-	 *
-	 * The array will be in the following format:
-	 * ```
-	 * array(
-	 *   'file'  => (string) The name of the file.
-	 *   'cache' => (array) array(
-	 *     # => array(             The key is the token pointer to the "start" position.
-	 *       'end'   => (int)      The token pointer to the "end" position.
-	 *       'nonce' => (int|bool) The token pointer where n nonce check
-	 *                             was found, or false if none was found.
-	 *     )
-	 *   )
-	 * )
-	 * ```
-	 *
-	 * @since 3.0.0
-	 *
-	 * @var array<string, mixed>
-	 */
-	private $cached_results;
-
-	/**
-	 * Returns an array of tokens this test wants to listen for.
-	 *
-	 * @return array
-	 */
-	public function register() {
-		$targets  = array( \T_VARIABLE => \T_VARIABLE );
-		$targets += Collections::listOpenTokensBC(); // We need to skip over lists.
-
-		return $targets;
-	}
-
-	/**
-	 * Processes this test, when one of its tokens is encountered.
-	 *
-	 * @param int $stackPtr The position of the current token in the stack.
-	 *
-	 * @return int|void Integer stack pointer to skip forward or void to continue
-	 *                  normal file processing.
-	 */
-	public function process_token( $stackPtr ) {
-		// Skip over lists as whatever is in those will always be assignments.
-		if ( isset( Collections::listOpenTokensBC()[ $this->tokens[ $stackPtr ]['code'] ] ) ) {
-			$open_close = Lists::getOpenClose( $this->phpcsFile, $stackPtr );
-			$skip_to    = $stackPtr;
-			if ( false !== $open_close ) {
-				$skip_to = $open_close['closer'];
-			}
-
-			return $skip_to;
-		}
-
-		if ( ! isset( $this->superglobals[ $this->tokens[ $stackPtr ]['content'] ] ) ) {
-			return;
-		}
-
-		if ( Scopes::isOOProperty( $this->phpcsFile, $stackPtr ) ) {
-			// Property with the same name as a superglobal. Not our target.
-			return;
-		}
-
-		// Determine the cache keys for this item.
-		$cache_keys = array(
-			'file'  => $this->phpcsFile->getFilename(),
-			'start' => 0,
-			'end'   => $stackPtr,
-		);
-
-		// If we're in a function, only look inside of it.
-		// This doesn't take arrow functions into account as those are "open".
-		$functionPtr = Conditions::getLastCondition( $this->phpcsFile, $stackPtr, array( \T_FUNCTION, \T_CLOSURE ) );
-		if ( false !== $functionPtr ) {
-			$cache_keys['start'] = $this->tokens[ $functionPtr ]['scope_opener'];
-		}
-
-		$this->mergeFunctionLists();
-
-		$needs_nonce = $this->needs_nonce_check( $stackPtr, $cache_keys );
-		if ( false === $needs_nonce ) {
-			return;
-		}
-
-		if ( $this->has_nonce_check( $stackPtr, $cache_keys, ( 'after' === $needs_nonce ) ) ) {
-			return;
-		}
-
-		// If we're still here, no nonce-verification function was found.
-		$error_code = 'Missing';
-		if ( false === $this->superglobals[ $this->tokens[ $stackPtr ]['content'] ] ) {
-			$error_code = 'Recommended';
-		}
-
-		MessageHelper::addMessage(
-			$this->phpcsFile,
-			'Processing form data without nonce verification.',
-			$stackPtr,
-			$this->superglobals[ $this->tokens[ $stackPtr ]['content'] ],
-			$error_code
-		);
-	}
-
-	/**
-	 * Determine whether or not a nonce check is needed for the current superglobal.
-	 *
-	 * @since 3.0.0
-	 *
-	 * @param int   $stackPtr   The position of the current token in the stack of tokens.
-	 * @param array $cache_keys The keys for the applicable cache (to potentially set).
-	 *
-	 * @return string|false String "before" or "after" if a nonce check is needed.
-	 *                      FALSE when no nonce check is needed.
-	 */
-	protected function needs_nonce_check( $stackPtr, array $cache_keys ) {
-		$in_nonce_check = ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, $this->nonceVerificationFunctions );
-		if ( false !== $in_nonce_check ) {
-			// This *is* the nonce check, so bow out, but do store to cache.
-			// @todo Change to use arg unpacking once PHP < 5.6 has been dropped.
-			$this->set_cache( $cache_keys['file'], $cache_keys['start'], $cache_keys['end'], $in_nonce_check );
-			return false;
-		}
-
-		if ( Context::inUnset( $this->phpcsFile, $stackPtr ) ) {
-			// Variable is only being unset, no nonce check needed.
-			return false;
-		}
-
-		if ( VariableHelper::is_assignment( $this->phpcsFile, $stackPtr, false ) ) {
-			// Overwriting the value of a superglobal.
-			return false;
-		}
-
-		$needs_nonce = 'before';
-		if ( ContextHelper::is_in_isset_or_empty( $this->phpcsFile, $stackPtr )
-			|| ContextHelper::is_in_type_test( $this->phpcsFile, $stackPtr )
-			|| VariableHelper::is_comparison( $this->phpcsFile, $stackPtr )
-			|| VariableHelper::is_assignment( $this->phpcsFile, $stackPtr, true )
-			|| ContextHelper::is_in_array_comparison( $this->phpcsFile, $stackPtr )
-			|| ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, UnslashingFunctionsHelper::get_functions() ) !== false
-			|| $this->is_only_sanitized( $this->phpcsFile, $stackPtr )
-		) {
-			$needs_nonce = 'after';
-		}
-
-		return $needs_nonce;
-	}
-
-	/**
-	 * Check if this token has an associated nonce check.
-	 *
-	 * @since 0.5.0
-	 * @since 3.0.0 - Moved from the generic `Sniff` class to this class.
-	 *              - Visibility changed from `protected` to `private.
-	 *              - New `$cache_keys` parameter.
-	 *              - New `$allow_nonce_after` parameter.
-	 *
-	 * @param int   $stackPtr          The position of the current token in the stack of tokens.
-	 * @param array $cache_keys        The keys for the applicable cache.
-	 * @param bool  $allow_nonce_after Whether the nonce check _must_ be before the $stackPtr or
-	 *                                 is allowed _after_ the $stackPtr.
-	 *
-	 * @return bool
-	 */
-	private function has_nonce_check( $stackPtr, array $cache_keys, $allow_nonce_after = false ) {
-		$start = $cache_keys['start'];
-		$end   = $cache_keys['end'];
-
-		// We allow for certain actions, such as an isset() check to come before the nonce check.
-		// If this superglobal is inside such a check, look for the nonce after it as well,
-		// all the way to the end of the scope.
-		if ( true === $allow_nonce_after ) {
-			$end = ( 0 === $start ) ? $this->phpcsFile->numTokens : $this->tokens[ $start ]['scope_closer'];
-		}
-
-		// Check against the cache.
-		$current_cache = $this->get_cache( $cache_keys['file'], $start );
-		if ( false !== $current_cache['nonce'] ) {
-			// If we have already found a nonce check in this scope, we just
-			// need to check whether it comes before this token. It is OK if the
-			// check is after the token though, if this was only an isset() check.
-			return ( true === $allow_nonce_after || $current_cache['nonce'] < $stackPtr );
-		} elseif ( $end <= $current_cache['end'] ) {
-			// If not, we can still go ahead and return false if we've already
-			// checked to the end of the search area.
-			return false;
-		}
-
-		$search_start = $start;
-		if ( $current_cache['end'] > $start ) {
-			// We haven't checked this far yet, but we can still save work by
-			// skipping over the part we've already checked.
-			$search_start = $this->cached_results['cache'][ $start ]['end'];
-		}
-
-		// Loop through the tokens looking for nonce verification functions.
-		for ( $i = $search_start; $i < $end; $i++ ) {
-			// Skip over nested closed scope constructs.
-			if ( isset( Collections::closedScopes()[ $this->tokens[ $i ]['code'] ] )
-				|| \T_FN === $this->tokens[ $i ]['code']
-			) {
-				if ( isset( $this->tokens[ $i ]['scope_closer'] ) ) {
-					$i = $this->tokens[ $i ]['scope_closer'];
-				}
-				continue;
-			}
-
-			// If this isn't a function name, skip it.
-			if ( \T_STRING !== $this->tokens[ $i ]['code'] ) {
-				continue;
-			}
-
-			// If this is one of the nonce verification functions, we can bail out.
-			if ( isset( $this->nonceVerificationFunctions[ $this->tokens[ $i ]['content'] ] ) ) {
-				/*
-				 * Now, make sure it is a call to a global function.
-				 */
-				if ( ContextHelper::has_object_operator_before( $this->phpcsFile, $i ) === true ) {
-					continue;
-				}
-
-				if ( ContextHelper::is_token_namespaced( $this->phpcsFile, $i ) === true ) {
-					continue;
-				}
-
-				$this->set_cache( $cache_keys['file'], $start, $end, $i );
-				return true;
-			}
-		}
-
-		// We're still here, so no luck.
-		$this->set_cache( $cache_keys['file'], $start, $end, false );
-
-		return false;
-	}
-
-	/**
-	 * Helper function to retrieve results from the cache.
-	 *
-	 * @since 3.0.0
-	 *
-	 * @param string $filename The name of the current file.
-	 * @param int    $start    The stack pointer searches started from.
-	 *
-	 * @return array<string, mixed>
-	 */
-	private function get_cache( $filename, $start ) {
-		if ( is_array( $this->cached_results )
-			&& $filename === $this->cached_results['file']
-			&& isset( $this->cached_results['cache'][ $start ] )
-		) {
-			return $this->cached_results['cache'][ $start ];
-		}
-
-		return array(
-			'end'   => 0,
-			'nonce' => false,
-		);
-	}
-
-	/**
-	 * Helper function to store results to the cache.
-	 *
-	 * @since 3.0.0
-	 *
-	 * @param string   $filename The name of the current file.
-	 * @param int      $start    The stack pointer searches started from.
-	 * @param int      $end      The stack pointer searched stopped at.
-	 * @param int|bool $nonce    Stack pointer to the nonce verification function call or false if none was found.
-	 *
-	 * @return void
-	 */
-	private function set_cache( $filename, $start, $end, $nonce ) {
-		if ( is_array( $this->cached_results ) === false
-			|| $filename !== $this->cached_results['file']
-		) {
-			$this->cached_results = array(
-				'file'  => $filename,
-				'cache' => array(
-					$start => array(
-						'end'   => $end,
-						'nonce' => $nonce,
-					),
-				),
-			);
-			return;
-		}
-
-		// Okay, so we know the current cache is for the current file. Check if we've seen this start pointer before.
-		if ( isset( $this->cached_results['cache'][ $start ] ) === false ) {
-			$this->cached_results['cache'][ $start ] = array(
-				'end'   => $end,
-				'nonce' => $nonce,
-			);
-			return;
-		}
-
-		// Update existing entry.
-		if ( $end > $this->cached_results['cache'][ $start ]['end'] ) {
-			$this->cached_results['cache'][ $start ]['end'] = $end;
-		}
-
-		$this->cached_results['cache'][ $start ]['nonce'] = $nonce;
-	}
-
-	/**
-	 * Merge custom functions provided via a custom ruleset with the defaults, if we haven't already.
-	 *
-	 * @since 0.11.0 Split out from the `process()` method.
-	 *
-	 * @return void
-	 */
-	protected function mergeFunctionLists() {
-		if ( $this->customNonceVerificationFunctions !== $this->addedCustomNonceFunctions ) {
-			$this->nonceVerificationFunctions = RulesetPropertyHelper::merge_custom_array(
-				$this->customNonceVerificationFunctions,
-				$this->nonceVerificationFunctions
-			);
-
-			$this->addedCustomNonceFunctions = $this->customNonceVerificationFunctions;
-		}
-	}
-}

package/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/PluginMenuSlugSniff.php

@@ -1,126 +0,0 @@
-<?php
-/**
- * WordPress Coding Standard.
- *
- * @package WPCS\WordPressCodingStandards
- * @link    https://github.com/WordPress/WordPress-Coding-Standards
- * @license https://opensource.org/licenses/MIT MIT
- */
-
-namespace WordPressCS\WordPress\Sniffs\Security;
-
-use PHPCSUtils\Utils\PassedParameters;
-use WordPressCS\WordPress\AbstractFunctionParameterSniff;
-
-/**
- * Warn about __FILE__ for page registration.
- *
- * @link https://vip.wordpress.com/documentation/vip-go/code-review-blockers-warnings-notices/#using-__file__-for-page-registration
- *
- * @since 0.3.0
- * @since 0.11.0 Refactored to extend the new WordPressCS native
- *               `AbstractFunctionParameterSniff` class.
- * @since 0.13.0 Class name changed: this class is now namespaced.
- * @since 1.0.0  This sniff has been moved from the `VIP` category to the `Security` category.
- */
-final class PluginMenuSlugSniff extends AbstractFunctionParameterSniff {
-
-	/**
-	 * The group name for this group of functions.
-	 *
-	 * @since 0.11.0
-	 *
-	 * @var string
-	 */
-	protected $group_name = 'add_menu_functions';
-
-	/**
-	 * Functions which can be used to add pages to the WP Admin menu.
-	 *
-	 * @since 0.3.0
-	 * @since 0.11.0 Renamed from $add_menu_functions to $target_functions
-	 *               and changed visibility to protected.
-	 * @since 3.0.0  The format of the value has changed from a numerically indexed
-	 *               array containing parameter positions to an array with the parameter
-	 *               position as the index and the parameter name as value.
-	 *
-	 * @var array<string, array<int, string|array>> Key is the name of the functions being targetted.
-	 *                                              Value is an array with parameter positions as the
-	 *                                              keys and parameter names as the values
-	 */
-	protected $target_functions = array(
-		'add_comments_page'   => array(
-			4 => 'menu_slug',
-		),
-		'add_dashboard_page'  => array(
-			4 => 'menu_slug',
-		),
-		'add_links_page'      => array(
-			4 => 'menu_slug',
-		),
-		'add_management_page' => array(
-			4 => 'menu_slug',
-		),
-		'add_media_page'      => array(
-			4 => 'menu_slug',
-		),
-		'add_menu_page'       => array(
-			4 => 'menu_slug',
-		),
-		'add_object_page'     => array(
-			4 => 'menu_slug',
-		),
-		'add_options_page'    => array(
-			4 => 'menu_slug',
-		),
-		'add_pages_page'      => array(
-			4 => 'menu_slug',
-		),
-		'add_plugins_page'    => array(
-			4 => 'menu_slug',
-		),
-		'add_posts_page'      => array(
-			4 => 'menu_slug',
-		),
-		'add_submenu_page'    => array(
-			1 => 'parent_slug',
-			5 => 'menu_slug',
-		),
-		'add_theme_page'      => array(
-			4 => 'menu_slug',
-		),
-		'add_users_page'      => array(
-			4 => 'menu_slug',
-		),
-		'add_utility_page'    => array(
-			4 => 'menu_slug',
-		),
-	);
-
-	/**
-	 * Process the parameters of a matched function.
-	 *
-	 * @since 0.11.0
-	 *
-	 * @param int    $stackPtr        The position of the current token in the stack.
-	 * @param string $group_name      The name of the group which was matched.
-	 * @param string $matched_content The token content (function name) which was matched
-	 *                                in lowercase.
-	 * @param array  $parameters      Array with information about the parameters.
-	 *
-	 * @return void
-	 */
-	public function process_parameters( $stackPtr, $group_name, $matched_content, $parameters ) {
-		foreach ( $this->target_functions[ $matched_content ] as $position => $param_name ) {
-			$found_param = PassedParameters::getParameterFromStack( $parameters, $position, $param_name );
-			if ( false === $found_param ) {
-				continue;
-			}
-
-			$file_constant = $this->phpcsFile->findNext( \T_FILE, $found_param['start'], ( $found_param['end'] + 1 ) );
-			if ( false !== $file_constant ) {
-				$this->phpcsFile->addWarning( 'Using __FILE__ for menu slugs risks exposing filesystem structure.', $file_constant, 'Using__FILE__' );
-			}
-		}
-	}
-}

package/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/SafeRedirectSniff.php

@@ -1,45 +0,0 @@
-<?php
-/**
- * WordPress Coding Standard.
- *
- * @package WPCS\WordPressCodingStandards
- * @link    https://github.com/WordPress/WordPress-Coding-Standards
- * @license https://opensource.org/licenses/MIT MIT
- */
-
-namespace WordPressCS\WordPress\Sniffs\Security;
-
-use WordPressCS\WordPress\AbstractFunctionRestrictionsSniff;
-
-/**
- * Encourages use of wp_safe_redirect() to avoid open redirect vulnerabilities.
- *
- * @since 1.0.0
- */
-final class SafeRedirectSniff extends AbstractFunctionRestrictionsSniff {
-
-	/**
-	 * Groups of functions to restrict.
-	 *
-	 * Example: groups => array(
-	 *  'lambda' => array(
-	 *      'type'      => 'error' | 'warning',
-	 *      'message'   => 'Use anonymous functions instead please!',
-	 *      'functions' => array( 'file_get_contents', 'create_function' ),
-	 *  )
-	 * )
-	 *
-	 * @return array
-	 */
-	public function getGroups() {
-		return array(
-			'wp_redirect' => array(
-				'type'      => 'warning',
-				'message'   => '%s() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.',
-				'functions' => array(
-					'wp_redirect',
-				),
-			),
-		);
-	}
-}