Merge pull request #569 from Automattic/fix/568-restrictedvariable-disregard-when-in-isset-or-empty

GaryJones · web-flow · commit a3334db0408d · 2020-07-30T14:14:02.000+01:00
RestrictedVariables: don't report on "use" in `isset()`
diff --git a/WordPress-VIP-Go/ruleset-test.inc b/WordPress-VIP-Go/ruleset-test.inc
@@ -53,7 +53,7 @@ setcookie( 'cookie[three]', 'cookiethree' ); // Error + Message.
 $x = sanitize_key( $_COOKIE['bar'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated -- Error + Message.
 
 // WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__HTTP_USER_AGENT__
-if ( ! isset( $_SERVER['HTTP_USER_AGENT'] ) ) { // Error + Message.
+if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && $_SERVER['HTTP_USER_AGENT'] === 'some_value' ) { // Error + Message.
 }
 
 // WordPress.WP.AlternativeFunctions.file_system_read_fclose
diff --git a/WordPressVIPMinimum/Sniffs/AbstractVariableRestrictionsSniff.php b/WordPressVIPMinimum/Sniffs/AbstractVariableRestrictionsSniff.php
@@ -143,6 +143,11 @@ public function process_token( $stackPtr ) {
 			}
 		}
 
+		if ( $this->is_in_isset_or_empty( $stackPtr ) === true ) {
+			// Checking whether a variable exists is not the same as using it.
+			return;
+		}
+
 		foreach ( $this->groups_cache as $groupName => $group ) {
 
 			if ( isset( $this->excluded_groups[ $groupName ] ) ) {
diff --git a/WordPressVIPMinimum/Tests/Variables/RestrictedVariablesUnitTest.inc b/WordPressVIPMinimum/Tests/Variables/RestrictedVariablesUnitTest.inc
@@ -10,8 +10,8 @@ $wp_db->update( $wpdb->usermeta, array( 'meta_value' => 'bar!' ), array( 'user_i
 
 $query = "SELECT * FROM $wpdb->posts"; // Ok.
 
-if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { // Warning.
-	foo( $_SERVER['HTTP_USER_AGENT'] ); // Warning.
+if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { // OK.
+	foo( $_SERVER['REMOTE_ADDR'] ); // Warning.
 }
 
 $x = $_COOKIE['bar']; // Warning.
@@ -35,3 +35,7 @@ $query = "SELECT * FROM $wpdb->usermeta"; // Ok, excluded.
 
 foo( $_SESSION ); // Error.
 foo( $_SESSION['bar'] ); // Error.
+
+if ( isset( $_SESSION ) ) { // OK.
+	$cache = false;
+}
diff --git a/WordPressVIPMinimum/Tests/Variables/RestrictedVariablesUnitTest.php b/WordPressVIPMinimum/Tests/Variables/RestrictedVariablesUnitTest.php
@@ -43,7 +43,6 @@ public function getErrorList() {
 	 */
 	public function getWarningList() {
 		return [
-			13 => 1,
 			14 => 1,
 			17 => 1,
 			28 => 1,

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ setcookie( 'cookie[three]', 'cookiethree' ); // Error + Message.`
`53`	`53`	`$x = sanitize_key( $_COOKIE['bar'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated -- Error + Message.`
`54`	`54`
`55`	`55`	`// WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__HTTP_USER_AGENT__`
`56`		`-if ( ! isset( $_SERVER['HTTP_USER_AGENT'] ) ) { // Error + Message.`
	`56`	`+if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && $_SERVER['HTTP_USER_AGENT'] === 'some_value' ) { // Error + Message.`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`// WordPress.WP.AlternativeFunctions.file_system_read_fclose`
Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,11 @@ public function process_token( $stackPtr ) {`
`143`	`143`	`}`
`144`	`144`	`}`
`145`	`145`
	`146`	`+ if ( $this->is_in_isset_or_empty( $stackPtr ) === true ) {`
	`147`	`+ // Checking whether a variable exists is not the same as using it.`
	`148`	`+ return;`
	`149`	`+ }`
	`150`	`+`
`146`	`151`	`foreach ( $this->groups_cache as $groupName => $group ) {`
`147`	`152`
`148`	`153`	`if ( isset( $this->excluded_groups[ $groupName ] ) ) {`