WordPress / WordPress-Coding-Standards

PHP_CodeSniffer rules (sniffs) to enforce WordPress coding conventions
MIT License

Custom sanitizing rules ignored #1766

Open paulschreiber opened 5 years ago

paulschreiber commented 5 years ago

Bug Description

When I run vendor/bin/phpcs class-foo.php, I get this error:

------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
------------------------------------------------------------------------------
 11 | ERROR | Detected usage of a non-sanitized input variable: $_POST['foo']
------------------------------------------------------------------------------

I would expect the error to be suppressed because sanitize_promos_array is whitelisted.

Minimal Code Snippet

<?php

class Foo {

    public static function sanitize_promos_array( $input ) {
        // sanitize me
        return $input;
    }

    public static function bar() {
        $taxonomies = isset( $_POST['foo'] ) ? self::sanitize_promos_array( wp_unslash( $_POST['foo'] ) ) : []; // phpcs:ignore WordPress.VIP.SuperGlobalInputUsage.AccessDetected,WordPress.Security.NonceVerification.Missing
    }

}

phpcs.xml:

<?xml version="1.0"?>
<ruleset name="MyRuleSet">
    <rule ref="WordPress-Extra" />
    <rule ref="WordPress.Security.ValidatedSanitizedInput">
        <properties>
            <property name="customSanitizingFunctions" type="array">
                <element value="sanitize_promos_array" />
                <element value="sanitize_announcements_array" />
            </property>
        </properties>
    </rule>
</ruleset>

Environment

Question                 Answer
PHP version              7.3.3
PHP_CodeSniffer version  3.4.2
WPCS version             2.1.1
WPCS install type        Composer project local

Additional Context (optional)

This worked fine with WPCS 1.x. The rule was defined like so:

    <rule ref="WordPress.Security.ValidatedSanitizedInput">
        <properties>
            <property name="customSanitizingFunctions" value="sanitize_promos_array,sanitize_announcements_array" type="array" />
        </properties>
    </rule>

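Added example, not code from the report above or from WPCS: a version of the snippet where the whitelisted name is a real global function, so the call site spells exactly the name the `customSanitizingFunctions` element in the ruleset carries, and where that function actually sanitizes instead of returning its input. It assumes WordPress is loaded (`wp_unslash()`, `sanitize_text_field()`, `sanitize_key()` and `wp_verify_nonce()` are WP core); the nonce action `save_promos` and the `_wpnonce` field name are assumptions for the example.

```php
<?php
// Added example, not from the issue or from WPCS. Assumes WordPress is loaded so
// wp_unslash(), sanitize_text_field(), sanitize_key() and wp_verify_nonce() exist.
// The nonce action 'save_promos' and the field names are assumptions.

/**
 * Recursively sanitize a (possibly nested) array of promo strings.
 *
 * Listing a name under customSanitizingFunctions only tells the sniff to trust it;
 * the function itself has to do the sanitizing, which the stub in the report does not.
 */
function sanitize_promos_array( $input ) {
	if ( ! is_array( $input ) ) {
		return sanitize_text_field( (string) $input );
	}

	$clean = array();
	foreach ( $input as $key => $value ) {
		// Keys come from the request too, so normalise them as well.
		$clean[ sanitize_key( (string) $key ) ] = sanitize_promos_array( $value );
	}
	return $clean;
}

class Foo {

	/**
	 * Read the submitted promos: verify the nonce first, then sanitize through the
	 * global function so the call matches the whitelisted name exactly.
	 */
	public static function bar() {
		if ( ! isset( $_POST['foo'], $_POST['_wpnonce'] ) ) {
			return array();
		}

		$nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );
		if ( ! wp_verify_nonce( $nonce, 'save_promos' ) ) {
			return array();
		}

		// Global call rather than self::sanitize_promos_array(): this is the form
		// the customSanitizingFunctions entry names.
		return sanitize_promos_array( wp_unslash( $_POST['foo'] ) );
	}
}
```

With this shape the phpcs.xml from the report needs no change, since `sanitize_promos_array` is already the element value, and the `phpcs:ignore` for `NonceVerification.Missing` is no longer needed because the nonce is checked before the input is read.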
GaryJones commented 5 years ago

You seem to be sanitizing with self::sanitize_promos_array(), rather than the global sanitize_promos_array(). I'm not sure if there is a way to define non-global sanitizing functions (methods). @jrfnl?

paulschreiber commented 5 years ago

Yes, we are using a class method. This worked with WPCS 1.x.

Also with WPCS 1, putting self::sanitize_promos_array() in the ruleset did not work.

freddiemixell commented 5 years ago

@paulschreiber I'm not sure if my issue is related to this, I have the following error.

"Detected usage of a non-sanitized input variable" with $_POST['taxonomy_ordering_data']

This is an array of numbers that are being sanitized using filter_var_array

filter_var_array( wp_unslash( $_POST['taxonomy_ordering_data'] ), FILTER_SANITIZE_NUMBER_INT )