search

woocommerce / action-scheduler

A scalable, traceable job queue for background processing large queues of tasks in WordPress. Specifically designed for distribution in WordPress plugins (and themes) - no server access required.
https://actionscheduler.org
GNU General Public License v3.0
627 stars 113 forks source link

PHPCS Issues in ActionScheduler_DBStore.php #663

Closed amberhinds closed 2 years ago

amberhinds commented 3 years ago

Hello!

We've included Action Scheduler in one of our plugins (thank you!) and while doing security audits on our plugin, identified problems related to Action Scheduler.

We ran the plugin through WP Engine's linting test which helps identify best practices and potential problems. For this process, we are using PHP Codesniffer with rules derived from both the WordPress Coding Standards and PHPCompatibility rulesets. Below is a detailed line-by-line report of the sniff violation.

Can you please let me know if these are actual errors that require fixes? If so, we may be able to submit a pull request with fixes.

FILE: /includes/action-scheduler/classes/data-stores/ActionScheduler_DBStore.php
------------------------------------------------------------------------------------------------------------------------------------------
FOUND 21 ERRORS AFFECTING 18 LINES
------------------------------------------------------------------------------------------------------------------------------------------
 250 | ERROR | Use placeholders and $wpdb->prepare(); found $query (WordPress.DB.PreparedSQL.NotPrepared)
 252 | ERROR | Use placeholders and $wpdb->prepare(); found $query (WordPress.DB.PreparedSQL.NotPrepared)
 390 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 410 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 410 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 428 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 529 | ERROR | Use placeholders and $wpdb->prepare(); found interpolated variable $query_in at "UPDATE {$wpdb->actionscheduler_actions}
     |       | SET status = %s WHERE action_id IN {$query_in}" (WordPress.DB.PreparedSQL.NotPrepared)
 671 | ERROR | Use placeholders and $wpdb->prepare(); found interpolated variable $update at "{$update} {$where} {$order}"
     |       | (WordPress.DB.PreparedSQL.NotPrepared)
 671 | ERROR | Use placeholders and $wpdb->prepare(); found interpolated variable $where at "{$update} {$where} {$order}"
     |       | (WordPress.DB.PreparedSQL.NotPrepared)
 671 | ERROR | Use placeholders and $wpdb->prepare(); found interpolated variable $order at "{$update} {$where} {$order}"
     |       | (WordPress.DB.PreparedSQL.NotPrepared)
 673 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 690 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 692 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 706 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 708 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 723 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 725 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 793 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 794 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 834 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
 835 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
------------------------------------------------------------------------------------------------------------------------------------------
barryhughes commented 3 years ago

HI @amberhinds—thanks for reporting this!

:memo: As a friendly note for the future, I'd ask first of all that you report any other security issues via HackerOne. This is our preferred way to handle possible security issues (and I'll make a note to update our readme file to make this clearer, as I don't think we currently cover this).

In most of these cases we are in fact using $wpdb->prepare() but we could still make some changes to reduce noise. For instance, we could add an appropriate // phpcs:ignore <rule> comment in the relevant places, and/or we could possibly restructure the code in some of those spots.

If you're happy to submit a pull request for this that would be great, or else we can aim to circle back ourselves.