WordPress/WordPress-Coding-Standards

InputNotSanitized should not report when doing numeric operations

kkmuffme opened this issue · 2 comments

Bug Description

When using unsanitized input with numeric operations, wpcs should not report WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Minimal Code Snippet

$request_duration = microtime( true ) - $_SERVER['REQUEST_TIME_FLOAT'];

Error Code

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Environment

Question      Answer
PHP version   7.4.0
WPCS version  2.3.0

Tested Against develop branch?

  • I have verified the issue still exists in the develop branch of WPCS.

jrfnl commented

I don't think the criteria should be "numeric operations", but rather, make an exception for the REQUEST_TIME and REQUEST_TIME_FLOAT keys, which AFAIK are the only two guaranteed numeric values.

What do you think?

That's possible too, however

a) those variables, like any superglobal, could be overwritten and can be unsafe for other "uses" (non-numeric)

b) if you have code like:

if ( isset( $_POST['some_number'] ) && is_numeric( $_POST['some_number'] ) ) {
    $total += $_POST['some_number'];
}

the error would be unnecessary too for $_POST['some_number']

So I think sticking to "numeric" (+-/*%) operations is the better approach here?
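The two cases discussed in this thread, as an added example that is not part of the issue or of WPCS itself: the helper names and the constructed request arrays are assumptions. It contrasts the unsanitized form WPCS reports with the explicit cast that satisfies the sniff, and shows why the cast is not a no-op even after is_numeric() passes (the raw value stays a string and PHP picks the arithmetic type for you).

```php
<?php
// Added example for the WPCS thread above; not project code.
// Mirrors the $_SERVER['REQUEST_TIME_FLOAT'] snippet: the explicit
// (float) cast is what the sniff wants to see.
function request_duration( array $server ): float {
    $start = (float) $server['REQUEST_TIME_FLOAT'];
    return microtime( true ) - $start;
}

// Mirrors the $_POST['some_number'] snippet as written in the thread:
// validated with is_numeric(), but the value itself is never sanitized,
// so PHP coerces the string and decides whether the sum becomes a float.
function sum_validated_only( array $post ): float {
    $total = 0;
    if ( isset( $post['some_number'] ) && is_numeric( $post['some_number'] ) ) {
        $total += $post['some_number']; // WPCS reports InputNotSanitized here
    }
    return (float) $total;
}

// Same check, but the value is cast before use: the sniff is satisfied
// and the arithmetic is guaranteed to be integer arithmetic.
function sum_sanitized( array $post ): int {
    $total = 0;
    if ( isset( $post['some_number'] ) && is_numeric( $post['some_number'] ) ) {
        $total += (int) $post['some_number'];
    }
    return $total;
}

// Constructed inputs (not from the thread). Each string passes
// is_numeric() on PHP 7.4 yet behaves differently under coercion vs cast.
$samples = array(
    '42',     // plain integer string
    '1e3',    // scientific notation, accepted by is_numeric()
    '12.7',   // float string: coercion keeps the fraction, (int) truncates
    ' 7',     // leading whitespace is accepted by is_numeric()
);

printf( "request duration: %.6f s\n", request_duration( array( 'REQUEST_TIME_FLOAT' => microtime( true ) ) ) );
foreach ( $samples as $value ) {
    $post = array( 'some_number' => $value );
    printf(
        "%-6s validated-only: %s (%s)  sanitized: %d\n",
        var_export( $value, true ),
        sum_validated_only( $post ),
        gettype( $post['some_number'] ),
        sum_sanitized( $post )
    );
}
```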