From f9c2e8fe9096c9cc5caba951dc2ec4f2a33dcc0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20=C5=BDoljom?=
Date: Mon, 18 Sep 2023 11:24:36 +0200
Subject: [PATCH] Add defensive coding to posts per page sniff and add tests

The posts per page sniff should bail out early if empty string is passed as a value. The tests were added for both posts per page sniff and slow db query sniff, to check if empty string is passed as a value. In the case of SlowDBQuery the sniff should flag cases where there is and isn't a value passed, as that sniff will always flag whenever meta_key and meta_value are used in a query.
---
 WordPress/Sniffs/DB/SlowDBQuerySniff.php | 1 +
 WordPress/Sniffs/WP/PostsPerPageSniff.php | 4 ++++
 WordPress/Tests/DB/SlowDBQueryUnitTest.inc | 4 ++++
 WordPress/Tests/DB/SlowDBQueryUnitTest.php | 3 +++
 WordPress/Tests/WP/PostsPerPageUnitTest.inc | 14 ++++++++++++++
 5 files changed, 26 insertions(+)

diff --git a/WordPress/Sniffs/DB/SlowDBQuerySniff.php b/WordPress/Sniffs/DB/SlowDBQuerySniff.php
index 5cbd99ac61..e79a5917ed 100644
--- a/WordPress/Sniffs/DB/SlowDBQuerySniff.php
+++ b/WordPress/Sniffs/DB/SlowDBQuerySniff.php
@@ -9,6 +9,7 @@ namespace WordPressCS\WordPress\Sniffs\DB;
+use PHPCSUtils\Utils\TextStrings;
 use WordPressCS\WordPress\AbstractArrayAssignmentRestrictionsSniff;
 /**
diff --git a/WordPress/Sniffs/WP/PostsPerPageSniff.php b/WordPress/Sniffs/WP/PostsPerPageSniff.php
index a3f8ce45a7..e2575cbd43 100644
--- a/WordPress/Sniffs/WP/PostsPerPageSniff.php
+++ b/WordPress/Sniffs/WP/PostsPerPageSniff.php
@@ -67,6 +67,10 @@ public function getGroups() {
 public function callback( $key, $val, $line, $group ) {
 $stripped_val = TextStrings::stripQuotes( $val );
+ if ( '' === $stripped_val ) {
+ return false;
+ }
+
 if ( $val !== $stripped_val ) {
 // The value was a text string. For text strings, we only accept purely numeric values.
 if ( preg_match( '`^[0-9]+$`', $stripped_val ) !== 1 ) {
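Review bot: The added `use PHPCSUtils\Utils\TextStrings;` is the only change to SlowDBQuerySniff.php in this commit (the diffstat shows a single insertion for that file), and no line in the hunk references `TextStrings`, so the import looks unused. If the sniff body already calls `TextStrings::` unqualified, this line silently fixes a namespace-resolution fatal and deserves a sentence in the commit message; otherwise it should be dropped, since the new SlowDBQuery fixture lines are expected to pass with no logic change to the sniff. The rest of the file is outside the hunk, so I cannot confirm which case applies.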
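Review bot: The early `return false` for `'' === $stripped_val` carries no comment saying why an empty value is accepted, and the new fixture lines show the motivating case is a concatenated query string such as `'posts_per_page=' . $var`, where the sniff only sees the literal prefix and the real limit is set at runtime. Add `// Empty literal value: nothing to validate here. Either the value is built at runtime and out of this sniff's reach, or WP_Query falls back to its configured default.` above the guard (the WP_Query fallback is from memory, please confirm against core). Accepting the dynamic case as clean means a runtime-controlled page size is never inspected by this sniff, so consider whether that case should instead produce a lower-severity warning rather than pass as OK. `callback()` continues past the end of the hunk.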
diff --git a/WordPress/Tests/DB/SlowDBQueryUnitTest.inc b/WordPress/Tests/DB/SlowDBQueryUnitTest.inc
index fea1379591..883673d22e 100644
--- a/WordPress/Tests/DB/SlowDBQueryUnitTest.inc
+++ b/WordPress/Tests/DB/SlowDBQueryUnitTest.inc
@@ -21,3 +21,7 @@ $query = 'foo=bar&meta_key=foo&meta_value=bar';
 if ( ! isset( $widget['params'][0] ) ) {
 $widget['params'][0] = array();
 }
+
+$query = 'foo=bar&meta_key=&meta_value=bar';
+$query = 'foo=bar&meta_key=foo&meta_value=';
+$query = 'foo=bar&meta_key=&meta_value=';
diff --git a/WordPress/Tests/DB/SlowDBQueryUnitTest.php b/WordPress/Tests/DB/SlowDBQueryUnitTest.php
index e0832726ae..46ba3204d1 100644
--- a/WordPress/Tests/DB/SlowDBQueryUnitTest.php
+++ b/WordPress/Tests/DB/SlowDBQueryUnitTest.php
@@ -44,6 +44,9 @@ public function getWarningList() {
 15 => 1,
 16 => 1,
 19 => 2,
+ 25 => 2,
+ 26 => 2,
+ 27 => 2,
 );
 }
 }
diff --git a/WordPress/Tests/WP/PostsPerPageUnitTest.inc b/WordPress/Tests/WP/PostsPerPageUnitTest.inc
index 7474ba6c3c..bb216bdfbd 100644
--- a/WordPress/Tests/WP/PostsPerPageUnitTest.inc
+++ b/WordPress/Tests/WP/PostsPerPageUnitTest.inc
@@ -124,3 +124,17 @@ $args = array(
 'posts_per_page' => 75.0, // OK (75).
 'posts_per_page' => 150.000, // Bad (150).
 );
+
+$query = 'posts_per_page=' . (int) $_POST['limit']; // OK.
+
+$args = array(
+ 'posts_per_page' => '', // OK.
+);
+
+_query_posts( 'nopaging=true&posts_per_page=' ); // OK.
+
+$query_args['posts_per_page'] = ''; // OK.
+
+$query_args[
+ 'posts_per_page'
+] = ''; // OK.
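Review bot: The `// OK.` on `$query = 'posts_per_page=' . (int) $_POST['limit'];` reads as if the sniff validated the limit, whereas it presumably passes only because the sniff sees an empty literal after the `=` and bails out; the same applies to `_query_posts( 'nopaging=true&posts_per_page=' )`. Make the reason explicit so a later change to the empty-value guard is not misread: `// OK - value is dynamic, the sniff only sees the empty literal part.` for those two lines and `// OK - empty value, nothing to validate.` for the literal `''` cases. Since every new fixture line is expected to be clean, PostsPerPageUnitTest.php needs no change here; a 'Bad' sibling next to these cases (a non-empty over-limit literal in the same array) would guard against the early return swallowing too much, unless the fixture lines above the hunk already cover that.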