From 7eabe1b4036376a8601b587c7667e7beb19ddf38 Mon Sep 17 00:00:00 2001
From: jrfnl <jrfnl@users.noreply.github.com>
Date: Tue, 22 Aug 2023 16:55:42 +0200
Subject: [PATCH] Performance/BatcacheWhitelistedParams: remove the sniff

* Remove the sniff.
* Remove the related test in the `WordPressVIPMinimum/ruleset-test.inc` file.
* Remove the error silencing from VIP-Go.
* Remove the related test in the `WordPress-VIP-Go/ruleset-test.inc` file.
    This one is a little more involved. Basically the call to `wp_verify_nonce()`, which is being removed, was "silencing" the nonce verification error for other tests as well, most notably for the tests on line 83-85, due to most tests being in the global scope.
    Looking at it more closely, turns out that line 83 wasn't testing what it was supposed to be testing.
    The error which was previously being thrown on line 83 was about the nonce verification being missing, while the test is annotated to be about the `WordPress.Security.ValidatedSanitizedInput[.InputNotSanitized]` error, which wasn't being thrown.
    Adding a nonce verification check on some empty lines above these tests gets rid of the nonce verification errors, but now left line 83 not testing anything at all (as no key is accessed in the superglobal).
    Adding a random key gets us the error which was intended to be thrown on this line, but now also adds the "missing validation" error. IMO, this is correct (better than it was before), so I'm also updating the test expectations for line 83.
---
 WordPress-VIP-Go/ruleset-test.inc             |  14 +--
 WordPress-VIP-Go/ruleset-test.php             |   1 +
 WordPress-VIP-Go/ruleset.xml                  |   4 -
 .../BatcacheWhitelistedParamsSniff.php        | 113 ------------------
 .../BatcacheWhitelistedParamsUnitTest.inc     |   9 --
 .../BatcacheWhitelistedParamsUnitTest.php     |  41 -------
 WordPressVIPMinimum/ruleset-test.inc          |   6 +-
 WordPressVIPMinimum/ruleset-test.php          |   1 -
 8 files changed, 11 insertions(+), 178 deletions(-)
 delete mode 100644 WordPressVIPMinimum/Sniffs/Performance/BatcacheWhitelistedParamsSniff.php
 delete mode 100644 WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.inc
 delete mode 100644 WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.php

diff --git a/WordPress-VIP-Go/ruleset-test.inc b/WordPress-VIP-Go/ruleset-test.inc
index a5c9f6e5..fc4324f4 100644
--- a/WordPress-VIP-Go/ruleset-test.inc
+++ b/WordPress-VIP-Go/ruleset-test.inc
@@ -56,8 +56,8 @@ $x = sanitize_key( $_COOKIE['bar'] ); // phpcs:ignore WordPress.Security.Validat
 if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && $_SERVER['HTTP_USER_AGENT'] === 'some_value' ) { // Error.
 }
 
-
-
+// Make sure nonce verification is done in global scope to silence notices about use of superglobals without later on in the file.
+isset( $_GET['my_nonce'] ) && wp_verify_nonce( sanitize_text_field( $_GET['my_nonce'] ) );
 
 // WordPress.WP.AlternativeFunctions.file_system_read_fopen
 fopen( 'file.txt', 'r' ); // Warning + Message.
@@ -80,7 +80,7 @@ function foo_bar() {
 }
 
 // WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-do_something( $_POST ); // Error.
+do_something( $_POST['key'] ); // Error + warning.
 if ( isset( $_POST['foo2'] ) ) {
 	bar( wp_unslash( $_POST['foo2'] ) ); // Warning.
 }
@@ -279,10 +279,10 @@ $args( [
 $query = new WP_Query( ['meta_key' => 'foo' ] ); // Ok.
 $args = 'foo=bar&meta_key=foo'; // Ok.
 
-// WordPressVIPMinimum.Performance.BatcacheWhitelistedParams
-if ( isset( $_GET['migSource'] ) && wp_verify_nonce( sanitize_text_field( $_GET['migSource'] ) ) ) {
-	$test = sanitize_text_field( $_GET['migSource'] ); // Ok.
-}
+
+
+
+
 
 
 
diff --git a/WordPress-VIP-Go/ruleset-test.php b/WordPress-VIP-Go/ruleset-test.php
index 694ee5fa..5a4070cd 100644
--- a/WordPress-VIP-Go/ruleset-test.php
+++ b/WordPress-VIP-Go/ruleset-test.php
@@ -134,6 +134,7 @@
 		47  => 1,
 		63  => 1,
 		66  => 1,
+		83  => 1,
 		85  => 1,
 		90  => 1,
 		94  => 1,
diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index 93c6bd81..9ea7f34f 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -243,10 +243,6 @@
 		<!-- We are silencing this one because VIP Go has a combined index on meta_key, meta_value-->
 		<severity>0</severity>
 	</rule>
-	<rule ref="WordPressVIPMinimum.Performance.BatcacheWhitelistedParams">
-		<!-- We are silencing this one because VIP Go does not use Batcache-->
-		<severity>0</severity>
-	</rule>
 	<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
 		<severity>0</severity>
 	</rule>
diff --git a/WordPressVIPMinimum/Sniffs/Performance/BatcacheWhitelistedParamsSniff.php b/WordPressVIPMinimum/Sniffs/Performance/BatcacheWhitelistedParamsSniff.php
deleted file mode 100644
index af2103b5..00000000
--- a/WordPressVIPMinimum/Sniffs/Performance/BatcacheWhitelistedParamsSniff.php
+++ /dev/null
@@ -1,113 +0,0 @@
-<?php
-/**
- * WordPress-VIP-Minimum Coding Standard.
- *
- * @package VIPCS\WordPressVIPMinimum
- * @link https://github.com/Automattic/VIP-Coding-Standards
- */
-
-namespace WordPressVIPMinimum\Sniffs\Performance;
-
-use WordPressVIPMinimum\Sniffs\Sniff;
-use PHP_CodeSniffer\Util\Tokens;
-
-/**
- * Checks whether code tries to refer to a batcache URL parameter.
- *
- *  @package VIPCS\WordPressVIPMinimum
- */
-class BatcacheWhitelistedParamsSniff extends Sniff {
-
-	/**
-	 * List of whitelisted Batcache params.
-	 *
-	 * @var array
-	 */
-	public $whitelistes_batcache_params = [
-		'hpt',
-		'eref',
-		'iref',
-		'fbid',
-		'om_rid',
-		'utm',
-		'utm_source',
-		'utm_content',
-		'utm_medium',
-		'utm_campaign',
-		'utm_term',
-		'fb_xd_bust',
-		'fb_xd_fragment',
-		'npt',
-		'module',
-		'iid',
-		'cid',
-		'icid',
-		'ncid',
-		'snapid',
-		'_',
-		'fb_ref',
-		'fb_source',
-		'omcamp',
-		'affiliate',
-		'utm_affiliate',
-		'utm_subid',
-		'utm_keyword',
-		'migAgencyId',
-		'migSource',
-		'migTrackDataExt',
-		'migRandom',
-		'migTrackFmtExt',
-		'bust',
-		'linkId',
-		'_ga',
-		'xid',
-		'hootPostID',
-		'pretty',
-		'__lsa',
-		'rpx_response',
-		'__rmid',
-		'sr_share',
-		'ia_share_url',
-	];
-
-	/**
-	 * Returns an array of tokens this test wants to listen for.
-	 *
-	 * @return array
-	 */
-	public function register() {
-		return [ T_VARIABLE ];
-	}
-
-	/**
-	 * Process this test when one of its tokens is encountered
-	 *
-	 * @param int $stackPtr The position of the current token in the stack passed in $tokens.
-	 *
-	 * @return void
-	 */
-	public function process_token( $stackPtr ) {
-
-		if ( $this->tokens[ $stackPtr ]['content'] !== '$_GET' ) {
-			return;
-		}
-
-		$key = $this->phpcsFile->findNext( array_merge( Tokens::$emptyTokens, [ T_OPEN_SQUARE_BRACKET ] ), $stackPtr + 1, null, true );
-
-		if ( $this->tokens[ $key ]['code'] !== T_CONSTANT_ENCAPSED_STRING ) {
-			return;
-		}
-
-		$variable_name = $this->tokens[ $key ]['content'];
-
-		$variable_name = substr( $variable_name, 1, -1 );
-
-		if ( in_array( $variable_name, $this->whitelistes_batcache_params, true ) === true ) {
-			$message = 'Batcache whitelisted GET param, `%s`, found. Batcache whitelisted parameters get stripped and are not available in PHP.';
-			$data    = [ $variable_name ];
-			$this->phpcsFile->addWarning( $message, $stackPtr, 'StrippedGetParam', $data );
-
-			return;
-		}
-	}
-}
diff --git a/WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.inc b/WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.inc
deleted file mode 100644
index 5b199444..00000000
--- a/WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.inc
+++ /dev/null
@@ -1,9 +0,0 @@
-<?php
-
-if ( isset( $_GET['utm_medium'] ) && 'email' === $_GET["utm_medium"] ) { // 2 warnings.
-
-}
-
-$hello = $_GET['migSource']; // Warning.
-
-$hey = $_GET['ThisIsOkay']; // OK.
\ No newline at end of file
diff --git a/WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.php b/WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.php
deleted file mode 100644
index d9395b11..00000000
--- a/WordPressVIPMinimum/Tests/Performance/BatcacheWhitelistedParamsUnitTest.php
+++ /dev/null
@@ -1,41 +0,0 @@
-<?php
-/**
- * Unit test class for WordPressVIPMinimum Coding Standard.
- *
- * @package VIPCS\WordPressVIPMinimum
- */
-
-namespace WordPressVIPMinimum\Tests\Performance;
-
-use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
-
-/**
- * Unit test class for the BatcacheWhitelistedParams sniff.
- *
- * @package VIPCS\WordPressVIPMinimum
- *
- * @covers \WordPressVIPMinimum\Sniffs\Performance\BatcacheWhitelistedParamsSniff
- */
-class BatcacheWhitelistedParamsUnitTest extends AbstractSniffUnitTest {
-
-	/**
-	 * Returns the lines where errors should occur.
-	 *
-	 * @return array <int line number> => <int number of errors>
-	 */
-	public function getErrorList() {
-		return [];
-	}
-
-	/**
-	 * Returns the lines where warnings should occur.
-	 *
-	 * @return array <int line number> => <int number of warnings>
-	 */
-	public function getWarningList() {
-		return [
-			3 => 2,
-			7 => 1,
-		];
-	}
-}
diff --git a/WordPressVIPMinimum/ruleset-test.inc b/WordPressVIPMinimum/ruleset-test.inc
index 38617dd0..454ede29 100644
--- a/WordPressVIPMinimum/ruleset-test.inc
+++ b/WordPressVIPMinimum/ruleset-test.inc
@@ -442,9 +442,9 @@ add_filter( 'robots_txt', function() { // Warning.
 	return 'test';
 } );
 
-// WordPressVIPMinimum.Performance.BatcacheWhitelistedParams
-// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated
-$test = sanitize_text_field( $_GET["utm_medium"] ); // Warning.
+
+
+
 
 // WordPressVIPMinimum.Performance.CacheValueOverride
 $bad_wp_users = wp_cache_get( md5( self::CACHE_KEY . '_wp_users'), self::CACHE_GROUP );
diff --git a/WordPressVIPMinimum/ruleset-test.php b/WordPressVIPMinimum/ruleset-test.php
index 58e54c38..69e039ab 100644
--- a/WordPressVIPMinimum/ruleset-test.php
+++ b/WordPressVIPMinimum/ruleset-test.php
@@ -273,7 +273,6 @@
 		439 => 1,
 		440 => 1,
 		441 => 1,
-		447 => 1,
 		454 => 1,
 		457 => 1,
 		458 => 1,