WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

PHP doesn't pass the WordPress coding standards #437

Open kasparsd opened 2 years ago

kasparsd commented 2 years ago

The codebase currently reports several critical issues when checked against the WPCS rulesets.

FILE: providers/class-two-factor-email.php
----------------------------------------------------------------------
FOUND 0 ERRORS AND 2 WARNINGS AFFECTING 2 LINES
----------------------------------------------------------------------
 299 | WARNING | Processing form data without nonce verification.
     |         | (WordPress.Security.NonceVerification.Recommended)
 316 | WARNING | Processing form data without nonce verification.
     |         | (WordPress.Security.NonceVerification.Recommended)
----------------------------------------------------------------------

FILE: providers/class-two-factor-backup-codes.php
----------------------------------------------------------------------
FOUND 2 ERRORS AFFECTING 1 LINE
----------------------------------------------------------------------
 307 | ERROR | Processing form data without nonce verification.
     |       | (WordPress.Security.NonceVerification.Missing)
 307 | ERROR | Processing form data without nonce verification.
     |       | (WordPress.Security.NonceVerification.Missing)
----------------------------------------------------------------------

FILE: providers/class-two-factor-fido-u2f-admin.php
----------------------------------------------------------------------
FOUND 2 ERRORS AND 4 WARNINGS AFFECTING 3 LINES
----------------------------------------------------------------------
 240 | WARNING | Detected usage of a non-sanitized input variable:
     |         | $_POST['u2f_response']
     |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 240 | ERROR   | Detected usage of a possibly undefined superglobal
     |         | array index: $_POST['u2f_response']. Use isset() or
     |         | empty() to check the index exists before using
     |         | it
     |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
 277 | WARNING | Processing form data without nonce verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_REQUEST['redirect_to']
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
  885 | ERROR   | Detected usage of a possibly undefined superglobal
      |         | array index: $_REQUEST['redirect_to']. Use isset()
      |         | or empty() to check the index exists before using
      |         | it
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
  885 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_REQUEST['redirect_to']
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
  885 | ERROR   | Detected usage of a possibly undefined superglobal
      |         | array index: $_REQUEST['redirect_to']. Use isset()
      |         | or empty() to check the index exists before using
      |         | it
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
 1024 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_POST[self::ENABLED_PROVIDERS_USER_META_KEY]
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 1031 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_POST[self::PROVIDER_USER_META_KEY]
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 1046 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
----------------------------------------------------------------------
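Added example (not code from the two-factor plugin or its author): the three sniff families in the report above (NonceVerification, InputNotValidated, InputNotSanitized) shown on a small form handler, first in the shape WPCS flags and then in the shape it accepts, plus the redirect_to case where a nonce cannot apply and the warning has to be acknowledged explicitly instead. The WordPress core functions used (wp_nonce_field, wp_verify_nonce, wp_unslash, sanitize_text_field, wp_validate_redirect, update_user_meta, admin_url) are real; the function names, the nonce action and field names, the form field name and the user-meta key are assumptions for illustration, and the code expects to run inside a loaded WordPress install rather than stand-alone.

```php
<?php
// Added example, not the two-factor plugin's own code.
// Hypothetical names for the nonce action and the hidden field that carries it.
const EXAMPLE_NONCE_ACTION = 'example_two_factor_update';
const EXAMPLE_NONCE_FIELD  = '_example_two_factor_nonce';
const EXAMPLE_FIELD        = 'example_option';   // hypothetical form field name
const EXAMPLE_META_KEY     = 'example_option';   // hypothetical user-meta key

/**
 * Render the form input together with the nonce field that the handler
 * below verifies; without the nonce being emitted here there is nothing
 * for wp_verify_nonce() to check.
 */
function example_render_form_fields() {
	wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
	echo '<input type="text" name="' . esc_attr( EXAMPLE_FIELD ) . '" value="">';
}

/**
 * The pattern the report flags: $_POST is read with no isset() check, no
 * nonce verification and no sanitizer. WPCS reports
 * NonceVerification.Missing, InputNotValidated and InputNotSanitized here.
 */
function example_save_flagged( $user_id ) {
	update_user_meta( $user_id, EXAMPLE_META_KEY, $_POST[ EXAMPLE_FIELD ] );
}

/**
 * The WPCS-compliant shape: validate the index, verify the nonce, unslash,
 * sanitize, then store. Returns the stored value, or null when the request
 * is rejected, so the caller can tell "nothing saved" from "saved".
 */
function example_save_compliant( $user_id ) {
	// InputNotValidated: confirm both indexes exist before touching them.
	if ( ! isset( $_POST[ EXAMPLE_NONCE_FIELD ], $_POST[ EXAMPLE_FIELD ] ) ) {
		return null;
	}

	// NonceVerification: prove the submission came from a form WordPress
	// rendered for this action. wp_verify_nonce() returns false for a
	// missing, expired or forged token. The token itself is unslashed and
	// sanitized before it is compared.
	$nonce = sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_NONCE_FIELD ] ) );
	if ( ! wp_verify_nonce( $nonce, EXAMPLE_NONCE_ACTION ) ) {
		return null;
	}

	// InputNotSanitized: strip the slashes WordPress adds to request data,
	// then reduce the value to plain text before it reaches storage.
	$value = sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_FIELD ] ) );

	update_user_meta( $user_id, EXAMPLE_META_KEY, $value );
	return $value;
}

/**
 * The redirect_to case from the report: on a login flow there is no form of
 * ours to attach a nonce to, so the Recommended warning is acknowledged with
 * an annotated phpcs:ignore rather than silenced globally. The value is still
 * validated and restricted to allowed hosts by wp_validate_redirect(), which
 * returns the fallback URL for anything off-site.
 */
function example_safe_redirect_target() {
	$fallback = admin_url();
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only redirect hint on the login flow, validated below.
	if ( ! isset( $_REQUEST['redirect_to'] ) ) {
		return $fallback;
	}
	$target = sanitize_text_field( wp_unslash( $_REQUEST['redirect_to'] ) );
	return wp_validate_redirect( $target, $fallback );
}
```

The point of the split into validate, verify, unslash, sanitize is that each sniff in the report maps to one of those steps, so a WPCS run over the compliant handler comes back clean while the flagged handler reproduces the errors shown above. For the redirect_to case the phpcs:ignore annotation is the reviewable alternative to the CI-wide exclusion referenced later in this issue: the reason travels with the line, and the input is still validated even though no nonce is checked.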
kasparsd commented 2 years ago

Related to #6.

kasparsd commented 2 years ago

The linter reporting during CI is currently silenced here:

https://github.com/WordPress/two-factor/blob/991ef3c8e8614325c53073c5d255cce63a575ec9/.github/workflows/test.yml#L35-L36