security audit

Author: mcguffin

.editorconfig

@@ -9,7 +9,7 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[{package.json, .eslintrc, *.yml}]
+[{package.json, composer.json, .eslintrc, *.yml}]
 indent_style = space
 indent_size = 2
 

.gitignore

@@ -10,3 +10,8 @@
 .svnignore
 .sass-cache
 node_modules/
+vendor/
+!/include/vendor/
+
+# phpcs
+phpcs-report.txt

composer.json

@@ -4,12 +4,34 @@
   "type": "wordpress-plugin",
   "minimum-stability": "dev",
   "license": "GPL-3.0-or-later",
+  "homepage": "https://github.com/mcguffin/acf-customizer",
+  "keywords": [
+    "ACF",
+    "Repeater",
+    "WordPress",
+    "Plugin"
+  ],
   "authors": [
-      {
-          "name": "Jörn Lund"
-      }
+    {
+      "name": "Jörn Lund"
+    }
   ],
   "require": {
-      "composer/installers": "~1.0"
+      "composer/installers": "~1.2",
+      "php": ">=5.6.0"
+  },
+  "require-dev": {
+    "squizlabs/php_codesniffer": "*",
+    "wp-coding-standards/wpcs": "*",
+    "phpcompatibility/php-compatibility": "*",
+	"pheromone/phpcs-security-audit":"*"
+  },
+  "scripts": {
+    "post-install-cmd": [
+      "[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
+    ],
+    "post-update-cmd": [
+      "[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
+    ]
   }
-}
+}

include/ACFCustomizer/Compat/ACF/Customize.php

@@ -107,9 +107,13 @@ public function get_section_id_by_fieldgroup_post_id( $field_group_key, $post_id
 	 *	@action customize_controls_enqueue_scripts
 	 */
 	public function enqueue_customize_scripts() {
-		add_action('acf/enqueue_scripts',array($this,'enqueue_assets'));
-		acf_enqueue_scripts();
-		acf_enqueue_uploader();
+		//if (did_action('acf/enqueue_scripts') <= 0) {
+			add_action('acf/enqueue_scripts',array($this,'enqueue_assets'));
+			acf_enqueue_scripts();
+			acf_enqueue_uploader();
+		// } else {
+		// 	$this->enqueue_assets();
+		// }
 	}
 
 

include/ACFCustomizer/Compat/ACF/CustomizePreview.php

@@ -39,7 +39,7 @@ protected function __construct() {
 	 */
 	public function partial_field( $selector, $post_id = null ) {
 		if ( $path = $this->build_path( $selector, $post_id ) ) {
-			echo $this->get_partial_button( $path );
+			echo $this->get_partial_button( $path ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 	}
 
@@ -48,7 +48,7 @@ public function partial_field( $selector, $post_id = null ) {
 	 */
 	public function partial_row( ) {
 		if ( $path = $this->build_path( ) ) {
-			echo $this->get_partial_button( $path );
+			echo $this->get_partial_button( $path ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 	}
 
@@ -58,7 +58,7 @@ public function partial_row( ) {
 	 */
 	public function partial_subfield( $selector ) {
 		if ( $path = $this->build_path( $selector ) ) {
-			echo $this->get_partial_button( $path );
+			echo $this->get_partial_button( $path ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 	}
 
@@ -173,7 +173,11 @@ public function changeset_data( $manager ) {
 			return $data;
 		}
 
-		$customized = json_decode( wp_unslash( $_REQUEST['customized'] ), true );
+		$customized = json_decode( wp_unslash( $_REQUEST['customized'] ), true ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+
+		if ( ! is_array( $customized ) ) {
+			return $data;
+		}
 
 		foreach ( $customized as $key => $value ) {
 

include/ACFCustomizer/Compat/ACF/FieldgroupControl.php

@@ -39,7 +39,11 @@ public function __construct( $manager, $id, $args = array() ) {
 	 *	@action wp_ajax_load_customizer_field_groups_{$this->id}
 	 */
 	public function load_field_groups() {
-
+		if ( ! isset( $_REQUEST['_nonce'] ) ) {
+			wp_send_json_error( array(
+				'message' => __( 'Nonce missing.', 'acf-customizer' ),
+			) );
+		}
 		// check nonce
 		if ( ! wp_verify_nonce($_REQUEST['_nonce'],'load-field-group') ) {
 			wp_send_json_error( array(
@@ -69,7 +73,7 @@ public function load_field_groups() {
 
 		foreach ( $this->setting->field_groups as $field_group_key ) {
 			$field_group = acf_get_field_group( $field_group_key );
-			printf( '<div data-key="%s">', $field_group_key );
+			printf( '<div data-key="%s">', esc_attr( $field_group_key ) );
 			$field_group['label_placement'] = 'top';
 			$fields = acf_get_fields( $field_group );
 

include/ACFCustomizer/Compat/ACF/FieldgroupSection.php

@@ -58,7 +58,7 @@ public function __construct( $manager, $id, $args = array() ) {
 			*/
 			$this->context = json_decode( wp_unslash( $_REQUEST['acf_customize_context'] ) );
 		} else {
-
+			// ???
 		}
 
 	}

include/ACFCustomizer/Compat/ACF/Storage/Storage.php

@@ -77,7 +77,7 @@ protected function set_context() {
 				type: term|post
 			]
 			*/
-			if ( $context = json_decode( wp_unslash( $_REQUEST['acf_customize_context'] ), true ) ) {
+			if ( $context = json_decode( wp_unslash( $_REQUEST['acf_customize_context'] ), true ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 				extract( $context );
 				$type = in_array( $type, [ 'term', 'post' ] ) ? $type : '';
 				$id = intval( $id );
@@ -171,7 +171,7 @@ protected function get_changeset_value( $field_key, $fallback = null, $post_id =
 
 		if ( ! $changeset_data ) {
 			$changeset_data = $this->manager->changeset_data();
-			$changeset_data = array_map( [$this, '_flatten_value' ], $changeset_data );
+			$changeset_data = array_map( [ $this, '_flatten_value' ], $changeset_data );
 		}
 		// options an theme_mods are stored under their post id
 		if ( ! is_null( $post_id ) ) {

package.json

@@ -9,7 +9,8 @@
     "dev-test": "./src/run/dev-test.sh",
     "dashicons": "node ./src/run/dashicons.js",
     "rollback": "git reset --hard HEAD~ && git push origin +master",
-    "i18n": "wp i18n make-pot . languages/acf-customizer.pot --domain=acf-customizer --exclude=tmp/*"
+    "i18n": "wp i18n make-pot . languages/acf-customizer.pot --domain=acf-customizer --exclude=tmp/*",
+    "audit": "./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt || exit 0"
   },
   "repository": {
     "type": "git",
@@ -105,4 +106,4 @@
   "browserify-shim": {
     "jquery": "global:jQuery"
   }
-}
+}

phpcs-security.ruleset.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<ruleset name="WordPress Security">
+
+	<!-- Set a description for this ruleset. -->
+	<description>A WordPress Ruleset to check application safety.</description>
+
+	<exclude-pattern>assets/*</exclude-pattern>
+	<exclude-pattern>node_modules/*</exclude-pattern>
+	<exclude-pattern>test/*</exclude-pattern>
+	<exclude-pattern>vendor/*</exclude-pattern>
+	<exclude-pattern>*.min.js</exclude-pattern>
+	<exclude-pattern>js/*.js</exclude-pattern>
+	<exclude-pattern>css/*.css</exclude-pattern>
+
+	<rule ref="Generic.PHP.Syntax"/>
+
+	<!-- Include the WordPress ruleset, with exclusions. -->
+	<rule ref="WordPress.CodeAnalysis">
+	</rule>
+	<rule ref="WordPress.DB">
+	</rule>
+	<rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>
+	<rule ref="WordPress.PHP">
+		<!-- omit non security sniffs -->
+		<exclude name="WordPress.PHP.DontExtract"/>
+		<exclude name="WordPress.PHP.YodaConditions"/>
+	</rule>
+	<rule ref="WordPress.Security">
+	</rule>
+	<rule ref="WordPress.Utils">
+	</rule>
+	<rule ref="WordPress.WP">
+		<exclude name="WordPress.WP.I18n.MixedOrderedPlaceholders"/>
+		<exclude name="WordPress.WP.I18n.UnorderedPlaceholders"/>
+		<exclude name="WordPress.WP.I18n.NonSingularStringLiteralText"/>
+	</rule>
+</ruleset>