WordPress/two-factor

PHP doesn't pass the WordPress coding standards

kasparsd opened this issue · 2 comments

kasparsd commented

The codebase currently reports several critical issues when checked against the WPCS rulesets.

FILE: providers/class-two-factor-email.php
----------------------------------------------------------------------
FOUND 0 ERRORS AND 2 WARNINGS AFFECTING 2 LINES
----------------------------------------------------------------------
 299 | WARNING | Processing form data without nonce verification.
     |         | (WordPress.Security.NonceVerification.Recommended)
 316 | WARNING | Processing form data without nonce verification.
     |         | (WordPress.Security.NonceVerification.Recommended)
----------------------------------------------------------------------


FILE: providers/class-two-factor-backup-codes.php
----------------------------------------------------------------------
FOUND 2 ERRORS AFFECTING 1 LINE
----------------------------------------------------------------------
 307 | ERROR | Processing form data without nonce verification.
     |       | (WordPress.Security.NonceVerification.Missing)
 307 | ERROR | Processing form data without nonce verification.
     |       | (WordPress.Security.NonceVerification.Missing)
----------------------------------------------------------------------


FILE: providers/class-two-factor-fido-u2f-admin.php
----------------------------------------------------------------------
FOUND 2 ERRORS AND 4 WARNINGS AFFECTING 3 LINES
----------------------------------------------------------------------
 [24](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:24)0 | WARNING | Detected usage of a non-sanitized input variable:
     |         | $_POST['u2f_response']
     |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 240 | ERROR   | Detected usage of a possibly undefined superglobal
     |         | array index: $_POST['u2f_response']. Use isset() or
     |         | empty() to check the index exists before using
     |         | it
     |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
 [27](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:27)7 | WARNING | Processing form data without nonce verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_REQUEST['redirect_to']
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
  885 | ERROR   | Detected usage of a possibly undefined superglobal
      |         | array index: $_REQUEST['redirect_to']. Use isset()
      |         | or empty() to check the index exists before using
      |         | it
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
  885 | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
  885 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_REQUEST['redirect_to']
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
  885 | ERROR   | Detected usage of a possibly undefined superglobal
      |         | array index: $_REQUEST['redirect_to']. Use isset()
      |         | or empty() to check the index exists before using
      |         | it
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotValidated)
 1024 | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_POST[self::ENABLED_PROVIDERS_USER_META_KEY]
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 10[31](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:31) | WARNING | Detected usage of a non-sanitized input variable:
      |         | $_POST[self::PROVIDER_USER_META_KEY]
      |         | (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
 10[46](https://github.com/WordPress/two-factor/runs/5678917495?check_suite_focus=true#step:8:46) | WARNING | Processing form data without nonce
      |         | verification.
      |         | (WordPress.Security.NonceVerification.Recommended)
----------------------------------------------------------------------
kasparsd commented

Related to #6.

kasparsd commented

The linter reporting during CI is currently silenced here:

two-factor/.github/workflows/test.yml

Lines 35 to 36 in 991ef3c

- name: Lint PHP
run: npm run lint:php || true # Ignore for now.