ValidatedSanitizedInput: add unit tests for null coalesce (equals) operators

jrfnl · jrfnl · commit 1a79eae7dccb · 2019-04-01T21:42:26.000+02:00
diff --git a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc
@@ -161,7 +161,7 @@ some string {$_POST[some_var]} {$_GET['evil']}
 EOD
 ); // Bad x2.
 
-if ( ( $_POST['foo'] ?? 'post' ) === 'post' ) {} // OK.
+if ( ( $_POST['foo'] ?? 'post' ) === 'post' ) {} // Bad x2 - unslash, sanitize - more complex compares are not handled.
 if ( ( $_POST['foo'] <=> 'post' ) === 0 ) {} // OK.
 
 // Test whitespace independent isset/empty detection.
@@ -289,3 +289,36 @@ function test_recognize_array_comparison_functions_as_such() {
 	if ( array_keys( $_POST['form_fields'], 'my_form_hidden_field_value', true ) ) {} // OK.
 	if ( array_keys( $_POST['form_fields'] ) ) {} // Bad x2.
 }
+
+/*
+ * Test recognition of validation via null coalesce, while still checking the var for sanitization.
+ */
+function test_null_coalesce_1() {
+	$var = sanitize_text_field( wp_unslash( $_POST['foo'] ?? '' ) ); // OK.
+	$var = sanitize_text_field( wp_unslash( $_POST['fool'] ?? $_POST['secondary'] ?? '' ) ); // OK.
+	$var = sanitize_text_field( wp_unslash( $_POST['bar']['sub'] ?? '' ) ); // OK.
+	$var = sanitize_text_field( $_POST['foobar'] ?? '' ); // Bad x1 - unslash.
+}
+
+// The below two sets should give the same errors.
+function test_null_coalesce_2() {
+	$var = $_POST['foo'] ?? ''; // Bad x2 - sanitize + unslash.
+	$var = $_POST['bar']['sub'] ?? ''; // Bad x2 - sanitize + unslash.
+	$var = ( $_POST['foobar']['sub'] ?? '' ); // Bad x2 - sanitize + unslash.
+
+	$var = isset( $_POST['_foo'] ) ? $_POST['_foo'] : ''; // Bad x2 - sanitize + unslash.
+	$var = isset( $_POST['_bar']['_sub'] ) ? $_POST['_bar']['_sub'] : ''; // Bad x2 - sanitize + unslash.
+	$var = ( isset( $_POST['_foobar']['_sub'] ) ? $_POST['_foobar']['_sub'] : '' ); // Bad x2 - sanitize + unslash.
+}
+
+function test_null_coalesce_validation() {
+	$_POST['key'] = $_POST['key'] ?? 'default'; // OK, assignment & Bad x2 - unslash, sanitize.
+	$key            = sanitize_text_field( wp_unslash( $_POST['key'] ) ); // OK, validated via null coalesce.
+	$another_key    = sanitize_text_field( wp_unslash( $_POST['another_key'] ) ); // Bad, not validated, different key.
+}
+
+function test_null_coalesce_equals_validation() {
+	$_POST['key'] ??= 'default'; // OK, assignment.
+	$key            = sanitize_text_field( wp_unslash( $_POST['key'] ) ); // OK, validated via null coalesce equals.
+	$another_key    = sanitize_text_field( wp_unslash( $_POST['another_key'] ) ); // Bad, not validated, different key.
+}
diff --git a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php
@@ -54,6 +54,7 @@ public function getErrorList() {
 			138 => 1,
 			150 => 2,
 			160 => 2,
+			164 => 2,
 			189 => 1,
 			202 => 1,
 			206 => 1,
@@ -68,6 +69,16 @@ public function getErrorList() {
 			266 => 1,
 			277 => 1,
 			290 => 2,
+			300 => 1,
+			305 => 2,
+			306 => 2,
+			307 => 2,
+			309 => 2,
+			310 => 2,
+			311 => 2,
+			315 => 2,
+			317 => 1,
+			323 => 1,
 		);
 	}
 
