xarxaprod-wp-theme/vendor/wp-coding-standards/wpcs/WordPress/Sniffs/Security/NonceVerificationSniff.php

<?php
/**
 * WordPress Coding Standard.
 *
 * @package WPCS\WordPressCodingStandards
 * @link    https://github.com/WordPress/WordPress-Coding-Standards
 * @license https://opensource.org/licenses/MIT MIT
 */

namespace WordPressCS\WordPress\Sniffs\Security;

use WordPressCS\WordPress\Sniff;

/**
 * Checks that nonce verification accompanies form processing.
 *
 * @link    https://developer.wordpress.org/plugins/security/nonces/ Nonces on Plugin Developer Handbook
 *
 * @package WPCS\WordPressCodingStandards
 *
 * @since   0.5.0
 * @since   0.13.0 Class name changed: this class is now namespaced.
 * @since   1.0.0  This sniff has been moved from the `CSRF` category to the `Security` category.
 */
class NonceVerificationSniff extends Sniff {

	/**
	 * Superglobals to notify about when not accompanied by an nonce check.
	 *
	 * A value of `true` results in an error. A value of `false` in a warning.
	 *
	 * @since 0.12.0
	 *
	 * @var array
	 */
	protected $superglobals = array(
		'$_POST'    => true,
		'$_FILE'    => true,
		'$_GET'     => false,
		'$_REQUEST' => false,
	);

	/**
	 * Custom list of functions which verify nonces.
	 *
	 * @since 0.5.0
	 *
	 * @var string|string[]
	 */
	public $customNonceVerificationFunctions = array();

	/**
	 * Custom list of functions that sanitize the values passed to them.
	 *
	 * @since 0.11.0
	 *
	 * @var string|string[]
	 */
	public $customSanitizingFunctions = array();

	/**
	 * Custom sanitizing functions that implicitly unslash the values passed to them.
	 *
	 * @since 0.11.0
	 *
	 * @var string|string[]
	 */
	public $customUnslashingSanitizingFunctions = array();

	/**
	 * Cache of previously added custom functions.
	 *
	 * Prevents having to do the same merges over and over again.
	 *
	 * @since 0.5.0
	 * @since 0.11.0 - Changed from public static to protected non-static.
	 *               - Changed the format from simple bool to array.
	 *
	 * @var array
	 */
	protected $addedCustomFunctions = array(
		'nonce'           => array(),
		'sanitize'        => array(),
		'unslashsanitize' => array(),
	);

	/**
	 * Returns an array of tokens this test wants to listen for.
	 *
	 * @return array
	 */
	public function register() {

		return array(
			\T_VARIABLE,
		);
	}

	/**
	 * Processes this test, when one of its tokens is encountered.
	 *
	 * @param int $stackPtr The position of the current token in the stack.
	 *
	 * @return void
	 */
	public function process_token( $stackPtr ) {

		$instance = $this->tokens[ $stackPtr ];

		if ( ! isset( $this->superglobals[ $instance['content'] ] ) ) {
			return;
		}

		if ( $this->has_whitelist_comment( 'CSRF', $stackPtr ) ) {
			return;
		}

		if ( $this->is_assignment( $stackPtr ) ) {
			return;
		}

		$this->mergeFunctionLists();

		if ( $this->has_nonce_check( $stackPtr ) ) {
			return;
		}

		$error_code = 'Missing';
		if ( false === $this->superglobals[ $instance['content'] ] ) {
			$error_code = 'Recommended';
		}

		// If we're still here, no nonce-verification function was found.
		$this->addMessage(
			'Processing form data without nonce verification.',
			$stackPtr,
			$this->superglobals[ $instance['content'] ],
			$error_code
		);
	}

	/**
	 * Merge custom functions provided via a custom ruleset with the defaults, if we haven't already.
	 *
	 * @since 0.11.0 Split out from the `process()` method.
	 *
	 * @return void
	 */
	protected function mergeFunctionLists() {
		if ( $this->customNonceVerificationFunctions !== $this->addedCustomFunctions['nonce'] ) {
			$this->nonceVerificationFunctions = $this->merge_custom_array(
				$this->customNonceVerificationFunctions,
				$this->nonceVerificationFunctions
			);

			$this->addedCustomFunctions['nonce'] = $this->customNonceVerificationFunctions;
		}

		if ( $this->customSanitizingFunctions !== $this->addedCustomFunctions['sanitize'] ) {
			$this->sanitizingFunctions = $this->merge_custom_array(
				$this->customSanitizingFunctions,
				$this->sanitizingFunctions
			);

			$this->addedCustomFunctions['sanitize'] = $this->customSanitizingFunctions;
		}

		if ( $this->customUnslashingSanitizingFunctions !== $this->addedCustomFunctions['unslashsanitize'] ) {
			$this->unslashingSanitizingFunctions = $this->merge_custom_array(
				$this->customUnslashingSanitizingFunctions,
				$this->unslashingSanitizingFunctions
			);

			$this->addedCustomFunctions['unslashsanitize'] = $this->customUnslashingSanitizingFunctions;
		}
	}

}
first commit 2024-01-09 16:13:20 +01:00			`<?php`
			`/**`
			`* WordPress Coding Standard.`
			`*`
			`* @package WPCS\WordPressCodingStandards`
			`* @link https://github.com/WordPress/WordPress-Coding-Standards`
			`* @license https://opensource.org/licenses/MIT MIT`
			`*/`

			`namespace WordPressCS\WordPress\Sniffs\Security;`

			`use WordPressCS\WordPress\Sniff;`

			`/**`
			`* Checks that nonce verification accompanies form processing.`
			`*`
			`* @link https://developer.wordpress.org/plugins/security/nonces/ Nonces on Plugin Developer Handbook`
			`*`
			`* @package WPCS\WordPressCodingStandards`
			`*`
			`* @since 0.5.0`
			`* @since 0.13.0 Class name changed: this class is now namespaced.`
			* @since 1.0.0 This sniff has been moved from the `CSRF` category to the `Security` category.
			`*/`
			`class NonceVerificationSniff extends Sniff {`

			`/**`
			`* Superglobals to notify about when not accompanied by an nonce check.`
			`*`
			* A value of `true` results in an error. A value of `false` in a warning.
			`*`
			`* @since 0.12.0`
			`*`
			`* @var array`
			`*/`
			`protected $superglobals = array(`
			`'$_POST' => true,`
			`'$_FILE' => true,`
			`'$_GET' => false,`
			`'$_REQUEST' => false,`
			`);`

			`/**`
			`* Custom list of functions which verify nonces.`
			`*`
			`* @since 0.5.0`
			`*`
			`* @var string\|string[]`
			`*/`
			`public $customNonceVerificationFunctions = array();`

			`/**`
			`* Custom list of functions that sanitize the values passed to them.`
			`*`
			`* @since 0.11.0`
			`*`
			`* @var string\|string[]`
			`*/`
			`public $customSanitizingFunctions = array();`

			`/**`
			`* Custom sanitizing functions that implicitly unslash the values passed to them.`
			`*`
			`* @since 0.11.0`
			`*`
			`* @var string\|string[]`
			`*/`
			`public $customUnslashingSanitizingFunctions = array();`

			`/**`
			`* Cache of previously added custom functions.`
			`*`
			`* Prevents having to do the same merges over and over again.`
			`*`
			`* @since 0.5.0`
			`* @since 0.11.0 - Changed from public static to protected non-static.`
			`* - Changed the format from simple bool to array.`
			`*`
			`* @var array`
			`*/`
			`protected $addedCustomFunctions = array(`
			`'nonce' => array(),`
			`'sanitize' => array(),`
			`'unslashsanitize' => array(),`
			`);`

			`/**`
			`* Returns an array of tokens this test wants to listen for.`
			`*`
			`* @return array`
			`*/`
			`public function register() {`

			`return array(`
			`\T_VARIABLE,`
			`);`
			`}`

			`/**`
			`* Processes this test, when one of its tokens is encountered.`
			`*`
			`* @param int $stackPtr The position of the current token in the stack.`
			`*`
			`* @return void`
			`*/`
			`public function process_token( $stackPtr ) {`

			`$instance = $this->tokens[ $stackPtr ];`

			`if ( ! isset( $this->superglobals[ $instance['content'] ] ) ) {`
			`return;`
			`}`

			`if ( $this->has_whitelist_comment( 'CSRF', $stackPtr ) ) {`
			`return;`
			`}`

			`if ( $this->is_assignment( $stackPtr ) ) {`
			`return;`
			`}`

			`$this->mergeFunctionLists();`

			`if ( $this->has_nonce_check( $stackPtr ) ) {`
			`return;`
			`}`

			`$error_code = 'Missing';`
			`if ( false === $this->superglobals[ $instance['content'] ] ) {`
			`$error_code = 'Recommended';`
			`}`

			`// If we're still here, no nonce-verification function was found.`
			`$this->addMessage(`
			`'Processing form data without nonce verification.',`
			`$stackPtr,`
			`$this->superglobals[ $instance['content'] ],`
			`$error_code`
			`);`
			`}`

			`/**`
			`* Merge custom functions provided via a custom ruleset with the defaults, if we haven't already.`
			`*`
			* @since 0.11.0 Split out from the `process()` method.
			`*`
			`* @return void`
			`*/`
			`protected function mergeFunctionLists() {`
			`if ( $this->customNonceVerificationFunctions !== $this->addedCustomFunctions['nonce'] ) {`
			`$this->nonceVerificationFunctions = $this->merge_custom_array(`
			`$this->customNonceVerificationFunctions,`
			`$this->nonceVerificationFunctions`
			`);`

			`$this->addedCustomFunctions['nonce'] = $this->customNonceVerificationFunctions;`
			`}`

			`if ( $this->customSanitizingFunctions !== $this->addedCustomFunctions['sanitize'] ) {`
			`$this->sanitizingFunctions = $this->merge_custom_array(`
			`$this->customSanitizingFunctions,`
			`$this->sanitizingFunctions`
			`);`

			`$this->addedCustomFunctions['sanitize'] = $this->customSanitizingFunctions;`
			`}`

			`if ( $this->customUnslashingSanitizingFunctions !== $this->addedCustomFunctions['unslashsanitize'] ) {`
			`$this->unslashingSanitizingFunctions = $this->merge_custom_array(`
			`$this->customUnslashingSanitizingFunctions,`
			`$this->unslashingSanitizingFunctions`
			`);`

			`$this->addedCustomFunctions['unslashsanitize'] = $this->customUnslashingSanitizingFunctions;`
			`}`
			`}`

			`}`