
Create Nonce_Verification_Check

Open mehulkaklotar opened this issue 3 years ago • 2 comments

Description

Checks that nonce verification functions are used within form processing. This is a security check that ensures that core nonce functions are being used to verify the request to the server before processing. This will use the existing WordPress.Security.NonceVerification sniff in the WordPress Coding Standards.

Acceptance Criteria

  • Class Nonce_Verification_Check should be created and exists at includes/Checker/Checks
  • Class Nonce_Verification_Check should extend the Abstract_PHP_CodeSniffer_Check abstract class
  • Class should implement the public get_args() and return an associative array of the required PHPCS arguments
    • 'sniffs' => 'WordPress.Security.NonceVerification'
    • 'standard' => 'WordPress'
  • Add sample code in the tests/testdata/plugins/test-plugin-with-errors/test-plugin-with-errors.php file, which will come under the WordPress.Security.NonceVerification error.

Tests Coverage

  • get_args() method returns the expected array of PHPCS arguments for the check
  • run() method adds warnings to the $check_result when checking an invalid file - check reference here
  • run() method does not add any warnings to the $check_result when checking a valid file - check reference here

mehulkaklotar avatar Nov 21 '22 14:11 mehulkaklotar
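Sample test data of the kind the acceptance criteria ask for, as an added example that is not part of the plugin-check repository or its test fixtures: one form handler that reads `$_POST` with no nonce check in its function scope (the "invalid file" case, which the WordPress.Security.NonceVerification sniff reports as `NonceVerification.Missing`) beside the same handler written the way the sniff expects, with `wp_nonce_field()` in the form and `check_admin_referer()` before any superglobal access. The `tpwe_` function names, the `tpwe_color` option and the nonce action/field names are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Test Plugin With Errors (nonce sample)
 *
 * Added example, not part of plugin-check. Intended as sample content for
 * tests/testdata/plugins/test-plugin-with-errors/test-plugin-with-errors.php.
 * All tpwe_* names and the option/nonce names are constructed for this example.
 */

// FLAGGED by WordPress.Security.NonceVerification.Missing: $_POST is read and
// acted on with no wp_verify_nonce()/check_admin_referer()/check_ajax_referer()
// call anywhere in this function scope. This is the "invalid file" case the
// Nonce_Verification_Check run() test expects a warning for.
function tpwe_save_settings_unverified() {
	if ( isset( $_POST['tpwe_color'] ) ) {
		update_option( 'tpwe_color', sanitize_text_field( wp_unslash( $_POST['tpwe_color'] ) ) );
	}
}
add_action( 'admin_post_tpwe_save_unverified', 'tpwe_save_settings_unverified' );

// PASSES: the form emits a nonce tied to the action 'tpwe_save_settings'.
function tpwe_settings_form() {
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	wp_nonce_field( 'tpwe_save_settings', 'tpwe_nonce' );
	echo '<input type="hidden" name="action" value="tpwe_save_verified">';
	echo '<input type="text" name="tpwe_color" value="' . esc_attr( get_option( 'tpwe_color', '' ) ) . '">';
	submit_button( 'Save' );
	echo '</form>';
}

// PASSES: capability check, then nonce verification, then (and only then)
// superglobal access. check_admin_referer() calls wp_die() on a bad or missing
// nonce, so every $_POST read after it is treated as verified by the sniff.
function tpwe_save_settings_verified() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	check_admin_referer( 'tpwe_save_settings', 'tpwe_nonce' );
	if ( isset( $_POST['tpwe_color'] ) ) {
		update_option( 'tpwe_color', sanitize_text_field( wp_unslash( $_POST['tpwe_color'] ) ) );
	}
	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
	exit;
}
add_action( 'admin_post_tpwe_save_verified', 'tpwe_save_settings_verified' );
```

Only the first handler belongs in the errors fixture; the verified pair is the shape a "valid file" fixture should take, and it also shows why a nonce alone is not an authorization check (the capability test is what gates who may change the option; the nonce only binds the request to that user's session and intent).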

@felixarntz I have updated AC for this epic. It is ready for review now. Thanks!

vishalkakadiya avatar Feb 08 '23 05:02 vishalkakadiya

Looks like the XML file has this rule enabled already.

    <!-- Nonces. These are triggered on any GET/POST access items. -->
    <rule ref="WordPress.Security.NonceVerification">
      <!-- This is triggered on all GET/POST access, it can't be an error. -->
      <type>warning</type>
    </rule>

When I try to add a separate check for this rule, WordPress.Security.NonceVerification is displaying duplicate messages for the same errors. Are we planning to create a separate Check for this and remove the rule from the XML file? Can someone please elaborate?

ernilambar avatar Dec 11 '23 05:12 ernilambar

There are already WordPress.Security.NonceVerification.Missing errors being reported as part of the plugin_review_phpcs / Plugin_Review_PHPCS_Check check. No need to create a separate duplicate check for this.

So this is already WAI.

swissspidy avatar Jun 10 '24 08:06 swissspidy