422 lines
13 KiB
PHP
422 lines
13 KiB
PHP
<?php
|
|
/**
|
|
* WordPress Coding Standard.
|
|
*
|
|
* @package WPCS\WordPressCodingStandards
|
|
* @link https://github.com/WordPress/WordPress-Coding-Standards
|
|
* @license https://opensource.org/licenses/MIT MIT
|
|
*/
|
|
|
|
namespace WordPressCS\WordPress\Sniffs\Security;
|
|
|
|
use PHPCSUtils\Tokens\Collections;
|
|
use PHPCSUtils\Utils\Conditions;
|
|
use PHPCSUtils\Utils\Context;
|
|
use PHPCSUtils\Utils\Lists;
|
|
use PHPCSUtils\Utils\MessageHelper;
|
|
use PHPCSUtils\Utils\Scopes;
|
|
use WordPressCS\WordPress\Helpers\ContextHelper;
|
|
use WordPressCS\WordPress\Helpers\RulesetPropertyHelper;
|
|
use WordPressCS\WordPress\Helpers\SanitizationHelperTrait;
|
|
use WordPressCS\WordPress\Helpers\UnslashingFunctionsHelper;
|
|
use WordPressCS\WordPress\Helpers\VariableHelper;
|
|
use WordPressCS\WordPress\Sniff;
|
|
|
|
/**
|
|
* Checks that nonce verification accompanies form processing.
|
|
*
|
|
* @link https://developer.wordpress.org/plugins/security/nonces/ Nonces on Plugin Developer Handbook
|
|
*
|
|
* @since 0.5.0
|
|
* @since 0.13.0 Class name changed: this class is now namespaced.
|
|
* @since 1.0.0 This sniff has been moved from the `CSRF` category to the `Security` category.
|
|
* @since 3.0.0 This sniff has received significant updates to its logic and structure.
|
|
*
|
|
* @uses \WordPressCS\WordPress\Helpers\SanitizationHelperTrait::$customSanitizingFunctions
|
|
* @uses \WordPressCS\WordPress\Helpers\SanitizationHelperTrait::$customUnslashingSanitizingFunctions
|
|
*/
|
|
class NonceVerificationSniff extends Sniff {
|
|
|
|
use SanitizationHelperTrait;
|
|
|
|
/**
|
|
* Superglobals to notify about when not accompanied by an nonce check.
|
|
*
|
|
* A value of `true` results in an error. A value of `false` in a warning.
|
|
*
|
|
* @since 0.12.0
|
|
*
|
|
* @var array
|
|
*/
|
|
protected $superglobals = array(
|
|
'$_POST' => true,
|
|
'$_FILES' => true,
|
|
'$_GET' => false,
|
|
'$_REQUEST' => false,
|
|
);
|
|
|
|
/**
|
|
* Custom list of functions which verify nonces.
|
|
*
|
|
* @since 0.5.0
|
|
*
|
|
* @var string[]
|
|
*/
|
|
public $customNonceVerificationFunctions = array();
|
|
|
|
/**
|
|
* List of the functions which verify nonces.
|
|
*
|
|
* @since 0.5.0
|
|
* @since 0.11.0 Changed from public static to protected non-static.
|
|
* @since 3.0.0 - Moved from the generic `Sniff` class to this class.
|
|
* - Visibility changed from `protected` to `private.
|
|
*
|
|
* @var array
|
|
*/
|
|
private $nonceVerificationFunctions = array(
|
|
'wp_verify_nonce' => true,
|
|
'check_admin_referer' => true,
|
|
'check_ajax_referer' => true,
|
|
);
|
|
|
|
/**
|
|
* Cache of previously added custom functions.
|
|
*
|
|
* Prevents having to do the same merges over and over again.
|
|
*
|
|
* @since 0.5.0
|
|
* @since 0.11.0 - Changed from public static to protected non-static.
|
|
* - Changed the format from simple bool to array.
|
|
* @since 3.0.0 - Property rename from `$addedCustomFunctions` to `$addedCustomNonceFunctions`.
|
|
* - Visibility changed from `protected` to `private.
|
|
* - Format changed from a multi-dimensional array to a single-dimensional array.
|
|
*
|
|
* @var array
|
|
*/
|
|
private $addedCustomNonceFunctions = array();
|
|
|
|
/**
|
|
* Information on the all scopes that were checked to find a nonce verification in a particular file.
|
|
*
|
|
* The array will be in the following format:
|
|
* ```
|
|
* array(
|
|
* 'file' => (string) The name of the file.
|
|
* 'cache' => (array) array(
|
|
* # => array( The key is the token pointer to the "start" position.
|
|
* 'end' => (int) The token pointer to the "end" position.
|
|
* 'nonce' => (int|bool) The token pointer where n nonce check
|
|
* was found, or false if none was found.
|
|
* )
|
|
* )
|
|
* )
|
|
* ```
|
|
*
|
|
* @since 3.0.0
|
|
*
|
|
* @var array<string, mixed>
|
|
*/
|
|
private $cached_results;
|
|
|
|
/**
|
|
* Returns an array of tokens this test wants to listen for.
|
|
*
|
|
* @return array
|
|
*/
|
|
public function register() {
|
|
$targets = array( \T_VARIABLE => \T_VARIABLE );
|
|
$targets += Collections::listOpenTokensBC(); // We need to skip over lists.
|
|
|
|
return $targets;
|
|
}
|
|
|
|
/**
|
|
* Processes this test, when one of its tokens is encountered.
|
|
*
|
|
* @param int $stackPtr The position of the current token in the stack.
|
|
*
|
|
* @return int|void Integer stack pointer to skip forward or void to continue
|
|
* normal file processing.
|
|
*/
|
|
public function process_token( $stackPtr ) {
|
|
// Skip over lists as whatever is in those will always be assignments.
|
|
if ( isset( Collections::listOpenTokensBC()[ $this->tokens[ $stackPtr ]['code'] ] ) ) {
|
|
$open_close = Lists::getOpenClose( $this->phpcsFile, $stackPtr );
|
|
$skip_to = $stackPtr;
|
|
if ( false !== $open_close ) {
|
|
$skip_to = $open_close['closer'];
|
|
}
|
|
|
|
return $skip_to;
|
|
}
|
|
|
|
if ( ! isset( $this->superglobals[ $this->tokens[ $stackPtr ]['content'] ] ) ) {
|
|
return;
|
|
}
|
|
|
|
if ( Scopes::isOOProperty( $this->phpcsFile, $stackPtr ) ) {
|
|
// Property with the same name as a superglobal. Not our target.
|
|
return;
|
|
}
|
|
|
|
// Determine the cache keys for this item.
|
|
$cache_keys = array(
|
|
'file' => $this->phpcsFile->getFilename(),
|
|
'start' => 0,
|
|
'end' => $stackPtr,
|
|
);
|
|
|
|
// If we're in a function, only look inside of it.
|
|
// This doesn't take arrow functions into account as those are "open".
|
|
$functionPtr = Conditions::getLastCondition( $this->phpcsFile, $stackPtr, array( \T_FUNCTION, \T_CLOSURE ) );
|
|
if ( false !== $functionPtr ) {
|
|
$cache_keys['start'] = $this->tokens[ $functionPtr ]['scope_opener'];
|
|
}
|
|
|
|
$this->mergeFunctionLists();
|
|
|
|
$needs_nonce = $this->needs_nonce_check( $stackPtr, $cache_keys );
|
|
if ( false === $needs_nonce ) {
|
|
return;
|
|
}
|
|
|
|
if ( $this->has_nonce_check( $stackPtr, $cache_keys, ( 'after' === $needs_nonce ) ) ) {
|
|
return;
|
|
}
|
|
|
|
// If we're still here, no nonce-verification function was found.
|
|
$error_code = 'Missing';
|
|
if ( false === $this->superglobals[ $this->tokens[ $stackPtr ]['content'] ] ) {
|
|
$error_code = 'Recommended';
|
|
}
|
|
|
|
MessageHelper::addMessage(
|
|
$this->phpcsFile,
|
|
'Processing form data without nonce verification.',
|
|
$stackPtr,
|
|
$this->superglobals[ $this->tokens[ $stackPtr ]['content'] ],
|
|
$error_code
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Determine whether or not a nonce check is needed for the current superglobal.
|
|
*
|
|
* @since 3.0.0
|
|
*
|
|
* @param int $stackPtr The position of the current token in the stack of tokens.
|
|
* @param array $cache_keys The keys for the applicable cache (to potentially set).
|
|
*
|
|
* @return string|false String "before" or "after" if a nonce check is needed.
|
|
* FALSE when no nonce check is needed.
|
|
*/
|
|
protected function needs_nonce_check( $stackPtr, array $cache_keys ) {
|
|
$in_nonce_check = ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, $this->nonceVerificationFunctions );
|
|
if ( false !== $in_nonce_check ) {
|
|
// This *is* the nonce check, so bow out, but do store to cache.
|
|
// @todo Change to use arg unpacking once PHP < 5.6 has been dropped.
|
|
$this->set_cache( $cache_keys['file'], $cache_keys['start'], $cache_keys['end'], $in_nonce_check );
|
|
return false;
|
|
}
|
|
|
|
if ( Context::inUnset( $this->phpcsFile, $stackPtr ) ) {
|
|
// Variable is only being unset, no nonce check needed.
|
|
return false;
|
|
}
|
|
|
|
if ( VariableHelper::is_assignment( $this->phpcsFile, $stackPtr, false ) ) {
|
|
// Overwriting the value of a superglobal.
|
|
return false;
|
|
}
|
|
|
|
$needs_nonce = 'before';
|
|
if ( ContextHelper::is_in_isset_or_empty( $this->phpcsFile, $stackPtr )
|
|
|| ContextHelper::is_in_type_test( $this->phpcsFile, $stackPtr )
|
|
|| VariableHelper::is_comparison( $this->phpcsFile, $stackPtr )
|
|
|| VariableHelper::is_assignment( $this->phpcsFile, $stackPtr, true )
|
|
|| ContextHelper::is_in_array_comparison( $this->phpcsFile, $stackPtr )
|
|
|| ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, UnslashingFunctionsHelper::get_functions() ) !== false
|
|
|| $this->is_only_sanitized( $this->phpcsFile, $stackPtr )
|
|
) {
|
|
$needs_nonce = 'after';
|
|
}
|
|
|
|
return $needs_nonce;
|
|
}
|
|
|
|
/**
|
|
* Check if this token has an associated nonce check.
|
|
*
|
|
* @since 0.5.0
|
|
* @since 3.0.0 - Moved from the generic `Sniff` class to this class.
|
|
* - Visibility changed from `protected` to `private.
|
|
* - New `$cache_keys` parameter.
|
|
* - New `$allow_nonce_after` parameter.
|
|
*
|
|
* @param int $stackPtr The position of the current token in the stack of tokens.
|
|
* @param array $cache_keys The keys for the applicable cache.
|
|
* @param bool $allow_nonce_after Whether the nonce check _must_ be before the $stackPtr or
|
|
* is allowed _after_ the $stackPtr.
|
|
*
|
|
* @return bool
|
|
*/
|
|
private function has_nonce_check( $stackPtr, array $cache_keys, $allow_nonce_after = false ) {
|
|
$start = $cache_keys['start'];
|
|
$end = $cache_keys['end'];
|
|
|
|
// We allow for certain actions, such as an isset() check to come before the nonce check.
|
|
// If this superglobal is inside such a check, look for the nonce after it as well,
|
|
// all the way to the end of the scope.
|
|
if ( true === $allow_nonce_after ) {
|
|
$end = ( 0 === $start ) ? $this->phpcsFile->numTokens : $this->tokens[ $start ]['scope_closer'];
|
|
}
|
|
|
|
// Check against the cache.
|
|
$current_cache = $this->get_cache( $cache_keys['file'], $start );
|
|
if ( false !== $current_cache['nonce'] ) {
|
|
// If we have already found a nonce check in this scope, we just
|
|
// need to check whether it comes before this token. It is OK if the
|
|
// check is after the token though, if this was only an isset() check.
|
|
return ( true === $allow_nonce_after || $current_cache['nonce'] < $stackPtr );
|
|
} elseif ( $end <= $current_cache['end'] ) {
|
|
// If not, we can still go ahead and return false if we've already
|
|
// checked to the end of the search area.
|
|
return false;
|
|
}
|
|
|
|
$search_start = $start;
|
|
if ( $current_cache['end'] > $start ) {
|
|
// We haven't checked this far yet, but we can still save work by
|
|
// skipping over the part we've already checked.
|
|
$search_start = $this->cached_results['cache'][ $start ]['end'];
|
|
}
|
|
|
|
// Loop through the tokens looking for nonce verification functions.
|
|
for ( $i = $search_start; $i < $end; $i++ ) {
|
|
// Skip over nested closed scope constructs.
|
|
if ( isset( Collections::closedScopes()[ $this->tokens[ $i ]['code'] ] )
|
|
|| \T_FN === $this->tokens[ $i ]['code']
|
|
) {
|
|
if ( isset( $this->tokens[ $i ]['scope_closer'] ) ) {
|
|
$i = $this->tokens[ $i ]['scope_closer'];
|
|
}
|
|
continue;
|
|
}
|
|
|
|
// If this isn't a function name, skip it.
|
|
if ( \T_STRING !== $this->tokens[ $i ]['code'] ) {
|
|
continue;
|
|
}
|
|
|
|
// If this is one of the nonce verification functions, we can bail out.
|
|
if ( isset( $this->nonceVerificationFunctions[ $this->tokens[ $i ]['content'] ] ) ) {
|
|
/*
|
|
* Now, make sure it is a call to a global function.
|
|
*/
|
|
if ( ContextHelper::has_object_operator_before( $this->phpcsFile, $i ) === true ) {
|
|
continue;
|
|
}
|
|
|
|
if ( ContextHelper::is_token_namespaced( $this->phpcsFile, $i ) === true ) {
|
|
continue;
|
|
}
|
|
|
|
$this->set_cache( $cache_keys['file'], $start, $end, $i );
|
|
return true;
|
|
}
|
|
}
|
|
|
|
// We're still here, so no luck.
|
|
$this->set_cache( $cache_keys['file'], $start, $end, false );
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Helper function to retrieve results from the cache.
|
|
*
|
|
* @since 3.0.0
|
|
*
|
|
* @param string $filename The name of the current file.
|
|
* @param int $start The stack pointer searches started from.
|
|
*
|
|
* @return array<string, mixed>
|
|
*/
|
|
private function get_cache( $filename, $start ) {
|
|
if ( is_array( $this->cached_results )
|
|
&& $filename === $this->cached_results['file']
|
|
&& isset( $this->cached_results['cache'][ $start ] )
|
|
) {
|
|
return $this->cached_results['cache'][ $start ];
|
|
}
|
|
|
|
return array(
|
|
'end' => 0,
|
|
'nonce' => false,
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Helper function to store results to the cache.
|
|
*
|
|
* @since 3.0.0
|
|
*
|
|
* @param string $filename The name of the current file.
|
|
* @param int $start The stack pointer searches started from.
|
|
* @param int $end The stack pointer searched stopped at.
|
|
* @param int|bool $nonce Stack pointer to the nonce verification function call or false if none was found.
|
|
*
|
|
* @return void
|
|
*/
|
|
private function set_cache( $filename, $start, $end, $nonce ) {
|
|
if ( is_array( $this->cached_results ) === false
|
|
|| $filename !== $this->cached_results['file']
|
|
) {
|
|
$this->cached_results = array(
|
|
'file' => $filename,
|
|
'cache' => array(
|
|
$start => array(
|
|
'end' => $end,
|
|
'nonce' => $nonce,
|
|
),
|
|
),
|
|
);
|
|
return;
|
|
}
|
|
|
|
// Okay, so we know the current cache is for the current file. Check if we've seen this start pointer before.
|
|
if ( isset( $this->cached_results['cache'][ $start ] ) === false ) {
|
|
$this->cached_results['cache'][ $start ] = array(
|
|
'end' => $end,
|
|
'nonce' => $nonce,
|
|
);
|
|
return;
|
|
}
|
|
|
|
// Update existing entry.
|
|
if ( $end > $this->cached_results['cache'][ $start ]['end'] ) {
|
|
$this->cached_results['cache'][ $start ]['end'] = $end;
|
|
}
|
|
|
|
$this->cached_results['cache'][ $start ]['nonce'] = $nonce;
|
|
}
|
|
|
|
/**
|
|
* Merge custom functions provided via a custom ruleset with the defaults, if we haven't already.
|
|
*
|
|
* @since 0.11.0 Split out from the `process()` method.
|
|
*
|
|
* @return void
|
|
*/
|
|
protected function mergeFunctionLists() {
|
|
if ( $this->customNonceVerificationFunctions !== $this->addedCustomNonceFunctions ) {
|
|
$this->nonceVerificationFunctions = RulesetPropertyHelper::merge_custom_array(
|
|
$this->customNonceVerificationFunctions,
|
|
$this->nonceVerificationFunctions
|
|
);
|
|
|
|
$this->addedCustomNonceFunctions = $this->customNonceVerificationFunctions;
|
|
}
|
|
}
|
|
}
|