WordPress/Requests

Add input validation

jrfnl opened this issue · 1 comments

jrfnl commented

This is just an issue to track which classes have been reviewed for missing input validation and the associated PRs adding the input validation.

Input validation is being added to all entry point methods for each class with an InvalidArgument exception being thrown for invalid parameter types. As this may break existing uses of Requests, this input validation needs to be added in the 2.0.0 release.

Action list

  • WpOrg\Requests\Auth\Basic - PR #574
  • WpOrg\Requests\Autoload - No additional input validation needed, the Autoload::load() method should only ever be called by PHP itself.
  • WpOrg\Requests\Cookie - PR #609
  • WpOrg\Requests\Cookie\Jar - PR #610
  • WpOrg\Requests\Hooks - PR #573
  • WpOrg\Requests\IdnaEncoder - PR #592 (only typical entry point, other methods deemed unnecessary)
  • WpOrg\Requests\Ipv6 - PR #601
  • WpOrg\Requests\Iri - PR #602
  • WpOrg\Requests\Port - Input validation was included when the class was introduced in PR #538
  • WpOrg\Requests\Proxy\Http - PR #611
  • WpOrg\Requests\Requests - PR #621
  • WpOrg\Requests\Response - PR #603
  • WpOrg\Requests\Response\Headers - PR #605
  • WpOrg\Requests\Session - PR #620
  • WpOrg\Requests\Ssl - PR #572
  • WpOrg\Requests\Transport\Curl - PR #629
  • WpOrg\Requests\Transport\Fsockopen - PR #629
  • WpOrg\Requests\Utility\CaseInsensitiveDictionary - No changes needed.
    - The __construct() method already has a type declared for the parameter.
    - The offset*() methods are part of ArrayAccess() and they should not be called directly, but only indirectly and when called that way, will receive the correct input type.
    - The remaining methods don't take parameters.
  • WpOrg\Requests\Utility\FilteredIterator - PR #604
  • WpOrg\Requests\Utility\InputValidator - Not applicable.
  • WpOrg\Requests\Exception - I'm going to leave this as-is. The important parameters are validated via the PHP native Exception class; that should be enough.
  • WpOrg\Requests\Exception\ArgumentCount - Only intended for internal use.
  • WpOrg\Requests\Exception\Http - Uses sensible defaults.
  • WpOrg\Requests\Exception\InvalidArgument - Only intended for internal use.
  • WpOrg\Requests\Exception\Transport - Does not contain methods.
  • WpOrg\Requests\Exception\Transport\Curl - Uses sensible defaults.
  • WpOrg\Requests\Exception\Http\Status### - No changes needed, these classes do not contain methods.
  • WpOrg\Requests\Exception\Http\StatusUnknown - Uses sensible defaults.

Note: the Requests native Exception classes are already exceptions, so rather than throwing another exception on invalid input, these should defer to sensible default values when invalid input is passed.

jrfnl commented

Closing as all related PRs have been merged.