From 4df6e693e0fffb6eaf6cee970be48a94d38dc753 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Tue, 21 Mar 2023 22:20:10 -0400 Subject: [PATCH 01/18] Add --include-root parameter Allows warning for unexpected files in ABSPATH. --- src/Checksum_Core_Command.php | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index 572a777b..52e8a1fb 100644 --- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -25,6 +25,9 @@ class Checksum_Core_Command extends Checksum_Base_Command { * * ## OPTIONS * + * [--include-root] + * : Verify all files in the root directory. + * * [--version=] * : Verify checksums against a specific version of WordPress. * @@ -58,8 +61,9 @@ class Checksum_Core_Command extends Checksum_Base_Command { * @when before_wp_load */ public function __invoke( $args, $assoc_args ) { - $wp_version = ''; - $locale = ''; + $wp_version = ''; + $locale = ''; + $this->include_root = false; if ( ! empty( $assoc_args['version'] ) ) { $wp_version = $assoc_args['version']; @@ -69,6 +73,10 @@ public function __invoke( $args, $assoc_args ) { $locale = $assoc_args['locale']; } + if ( ! empty( $assoc_args['include-root'] ) ) { + $this->include_root = true; + } + if ( empty( $wp_version ) ) { $details = self::get_wp_details(); $wp_version = $details['wp_version']; @@ -135,7 +143,11 @@ public function __invoke( $args, $assoc_args ) { * * @return bool */ - protected function filter_file( $filepath ) { + protected function filter_file( $filepath, $include_root = false ) { + if ( true === $this->include_root ) { + return true; + } + return ( 0 === strpos( $filepath, 'wp-admin/' ) || 0 === strpos( $filepath, 'wp-includes/' ) || 1 === preg_match( '/^wp-(?!config\.php)([^\/]*)$/', $filepath ) From 1893b47690e02c2c31286692a7a4bfe5337d2934 Mon Sep 17 00:00:00 2001 
From: Paul Schreiber Date: Wed, 22 Mar 2023 09:12:35 -0400 Subject: [PATCH 02/18] Add test for --include-root parameter --- features/checksum-core.feature | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index ce6d796c..ff228217 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -114,6 +114,24 @@ Feature: Validate checksums for WordPress install """ And the return code should be 0 + Scenario: Verify core checksums when extra files are included in WordPress root and --include-root is passed + Given a WP install + And a extra-file.php file: + """ + hello world + """ + + When I try `wp core verify-checksums --include-root` + Then STDERR should be: + """ + Warning: File should not exist: extra-file.php + """ + And STDOUT should be: + """ + Success: WordPress installation verifies against checksums. + """ + And the return code should be 0 + Scenario: Verify core checksums with a plugin that has wp-admin Given a WP install And a wp-content/plugins/akismet/wp-admin/extra-file.txt file: From 31f15fcd753176f4e01ad43d0b22452e2527dd09 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Wed, 22 Mar 2023 09:53:59 -0400 Subject: [PATCH 03/18] when --allow-root is set, do not warn about wp-config.php and wp-contents/plugins/* --- src/Checksum_Core_Command.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index 52e8a1fb..f1598013 100644 --- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -145,7 +145,7 @@ public function __invoke( $args, $assoc_args ) { */ protected function filter_file( $filepath, $include_root = false ) { if ( true === $this->include_root ) { - return true; + return ( 1 !== preg_match( '/^(wp-config\.php|wp-content\/plugins)$/', $filepath ) ); } return ( 0 === strpos( $filepath, 'wp-admin/' ) 
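Review bot: The trailing `$` in `/^(wp-config\.php|wp-content\/plugins)$/` applies to both alternatives, so `filter_file` excludes only the exact strings `wp-config.php` and `wp-content/plugins`. A path such as `wp-content/plugins/akismet/wp-admin/extra-file.txt` still returns true and would be reported as unexpected. If the intent is to skip the directory, bind the `$` to the first alternative only, e.g. `'/^(wp-config\.php$|wp-content\/plugins\/)/'`. The subject line also names `--allow-root` and `wp-contents/`, while the code handles `include_root` and `wp-content/`; `--allow-root` is a different WP-CLI global flag, so the message should be corrected. The body of `filter_file` continues outside the hunk.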
From e00b62f94bb29139d61c9de3d2740b17705d5878 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Wed, 22 Mar 2023 10:00:03 -0400 Subject: [PATCH 04/18] PHPCS: align equals signs --- src/Checksum_Core_Command.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index f1598013..0603f60d 100644 --- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -61,8 +61,8 @@ class Checksum_Core_Command extends Checksum_Base_Command { * @when before_wp_load */ public function __invoke( $args, $assoc_args ) { - $wp_version = ''; - $locale = ''; + $wp_version = ''; + $locale = ''; $this->include_root = false; if ( ! empty( $assoc_args['version'] ) ) { From 81ea66225480d8078b5360be57487aaca6062d7a Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 23 Mar 2023 08:37:20 -0400 Subject: [PATCH 05/18] Update src/Checksum_Core_Command.php Co-authored-by: Daniel Bachhuber --- src/Checksum_Core_Command.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index 0603f60d..8a117cd8 100644 --- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -26,7 +26,7 @@ class Checksum_Core_Command extends Checksum_Base_Command { * ## OPTIONS * * [--include-root] - * : Verify all files in the root directory. + * : Verify all files in the root directory, and warn if any non-WordPress files are found. * * [--version=] * : Verify checksums against a specific version of WordPress. From e3e19368d4e24a982bd58965ee3b7fbb7fbbc8e4 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 23 Mar 2023 08:43:34 -0400 Subject: [PATCH 06/18] when --include-root is enabled, skip entire wp-content directory from extra file checks --- src/Checksum_Core_Command.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index 8a117cd8..71d0a781 100644 
--- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -145,7 +145,7 @@ public function __invoke( $args, $assoc_args ) { */ protected function filter_file( $filepath, $include_root = false ) { if ( true === $this->include_root ) { - return ( 1 !== preg_match( '/^(wp-config\.php|wp-content\/plugins)$/', $filepath ) ); + return ( 1 !== preg_match( '/^(wp-config\.php$|wp-content\/)/', $filepath ) ); } return ( 0 === strpos( $filepath, 'wp-admin/' ) From 56e5ab8809ea80bd5d9b07375dbf4862a04d8800 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 23 Mar 2023 08:49:25 -0400 Subject: [PATCH 07/18] add private $include_root variable --- src/Checksum_Core_Command.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index 71d0a781..a34c084d 100644 --- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -10,6 +10,13 @@ */ class Checksum_Core_Command extends Checksum_Base_Command { + /** + * Whether or not to verify contents of the root directory. + * + * @var boolean + */ + private $include_root = false; + /** * Verifies WordPress files against WordPress.org's checksums. * @@ -61,9 +68,8 @@ class Checksum_Core_Command extends Checksum_Base_Command { * @when before_wp_load */ public function __invoke( $args, $assoc_args ) { - $wp_version = ''; - $locale = ''; - $this->include_root = false; + $wp_version = ''; + $locale = ''; if ( ! empty( $assoc_args['version'] ) ) { $wp_version = $assoc_args['version']; From 5653679e9c67335866ed41531d5db949bccaf26b Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 23 Mar 2023 08:49:50 -0400 Subject: [PATCH 08/18] update help text to indicate it looks for files and folders --- src/Checksum_Core_Command.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index a34c084d..5a9c14af 100644 --- a/src/Checksum_Core_Command.php 
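Review bot: With `include_root` set, `filter_file` now skips `wp-config.php` and every path under `wp-content/`, but neither the method nor the option help says so. The help text (reworded in patch 08 of this series) still promises that all files and folders in the root directory are verified, so anyone using the command to look for planted files may read a clean run as covering those two locations. I would add a comment above the return, `// Everything is a candidate except wp-config.php and the wp-content/ tree, which are skipped on purpose.`, and end the help line with `wp-config.php and the wp-content directory are not checked.` The `filter_file` docblock and the rest of its body lie outside the hunk.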
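Review bot: Dropping `$this->include_root = false;` from `__invoke` leaves the property written only to `true`, by the `if ( ! empty( $assoc_args['include-root'] ) )` block from patch 01, which is outside this hunk. A second invocation on the same object would therefore keep root checking enabled without the flag. Whether WP-CLI ever reuses the command instance is not visible here, but an unconditional assignment removes the question: `$this->include_root = ! empty( $assoc_args['include-root'] );`. The new docblock could also use `@var bool` to match the `@return bool` already used in this file.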
+++ b/src/Checksum_Core_Command.php @@ -33,7 +33,7 @@ class Checksum_Core_Command extends Checksum_Base_Command { * ## OPTIONS * * [--include-root] - * : Verify all files in the root directory, and warn if any non-WordPress files are found. + * : Verify all files and folders in the root directory, and warn if any non-WordPress items are found. * * [--version=] * : Verify checksums against a specific version of WordPress. From 962472f090221d5edad211e94d1f830c70ec7b6c Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 23 Mar 2023 08:57:07 -0400 Subject: [PATCH 09/18] Add test for wp-cli.yml --- features/checksum-core.feature | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index ff228217..04a4a1a1 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -27,6 +27,30 @@ Feature: Validate checksums for WordPress install When I run `rm readme.html` Then STDERR should be empty + When I try `wp core verify-checksums` + Then STDOUT should be: + """ + Success: WordPress installation verifies against checksums. + """ + + Scenario: Core checksums don't verify because wp-cli.yml is present + Given a WP install + And a wp-cli.yml file is present + + When I try `wp core verify-checksums` + Then STDERR should be: + """ + Warning: File should not exist: wp-includes/extra-file.txt + """ + And STDOUT should be: + """ + Success: WordPress installation verifies against checksums. + """ + And the return code should be 0 + + When I run `rm wp-cli.yml` + Then STDERR should be empty + When I try `wp core verify-checksums` Then STDERR should be: """ From b13398578a7230f92205819804d91b3dce448561 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 23 Mar 2023 10:37:34 -0400 Subject: [PATCH 10/18] Update features/checksum-core.feature Co-authored-by: Daniel Bachhuber --- features/checksum-core.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
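Review bot: The new scenario is inserted in the middle of the existing readme.html scenario, so after `rm readme.html` that scenario now asserts `Success: WordPress installation verifies against checksums.`, and the trailing `When I try` block that follows the hunk ends up under the wp-cli.yml scenario. A checksum test that expects success with a core file deleted would hide exactly the regression it exists to catch. The expected warning in the new scenario also names `wp-includes/extra-file.txt` although the only file created is `wp-cli.yml`; it should read `Warning: File should not exist: wp-cli.yml`. Patches 14 and 18 of this series rework these assertions, but the scenario should have been added after the end of the readme.html scenario.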
diff --git a/features/checksum-core.feature b/features/checksum-core.feature index 04a4a1a1..32919ec5 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -27,7 +27,7 @@ Feature: Validate checksums for WordPress install When I run `rm readme.html` Then STDERR should be empty - When I try `wp core verify-checksums` + When I run `wp core verify-checksums` Then STDOUT should be: """ Success: WordPress installation verifies against checksums. From 63fd9e7168fff3f322ea7f26f6929a2a6058b430 Mon Sep 17 00:00:00 2001 From: Daniel Bachhuber Date: Fri, 24 Mar 2023 10:40:11 -0700 Subject: [PATCH 11/18] Fix Scenario indentation --- features/checksum-core.feature | 70 +++++++++++++++++----------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index 32919ec5..07608a82 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature 
@@ -120,41 +120,41 @@ Feature: Validate checksums for WordPress install """ And the return code should be 0 - Scenario: Verify core checksums when extra files prefixed with 'wp-' are included in WordPress root - Given a WP install - And a wp-extra-file.php file: - """ - hello world - """ - - When I try `wp core verify-checksums` - Then STDERR should be: - """ - Warning: File should not exist: wp-extra-file.php - """ - And STDOUT should be: - """ - Success: WordPress installation verifies against checksums. - """ - And the return code should be 0 - - Scenario: Verify core checksums when extra files are included in WordPress root and --include-root is passed - Given a WP install - And a extra-file.php file: - """ - hello world - """ - - When I try `wp core verify-checksums --include-root` - Then STDERR should be: - """ - Warning: File should not exist: extra-file.php - """ - And STDOUT should be: - """ - Success: WordPress installation verifies against checksums. - """ - And the return code should be 0 + Scenario: Verify core checksums when extra files prefixed with 'wp-' are included in WordPress root + Given a WP install + And a wp-extra-file.php file: + """ + hello world + """ + + When I try `wp core verify-checksums` + Then STDERR should be: + """ + Warning: File should not exist: wp-extra-file.php + """ + And STDOUT should be: + """ + Success: WordPress installation verifies against checksums. + """ + And the return code should be 0 + + Scenario: Verify core checksums when extra files are included in WordPress root and --include-root is passed + Given a WP install + And a extra-file.php file: + """ + hello world + """ + + When I try `wp core verify-checksums --include-root` + Then STDERR should be: + """ + Warning: File should not exist: extra-file.php + """ + And STDOUT should be: + """ + Success: WordPress installation verifies against checksums. 
+ """ + And the return code should be 0 Scenario: Verify core checksums with a plugin that has wp-admin Given a WP install From d755af78d68c8a64677c3b46d0ffae700ecb7acd Mon Sep 17 00:00:00 2001 From: Daniel Bachhuber Date: Fri, 24 Mar 2023 11:08:14 -0700 Subject: [PATCH 12/18] Add more tests to clarify expected behavior --- features/checksum-core.feature | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index 07608a82..ab07061b 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -138,16 +138,43 @@ Feature: Validate checksums for WordPress install """ And the return code should be 0 + @daniel Scenario: Verify core checksums when extra files are included in WordPress root and --include-root is passed Given a WP install And a extra-file.php file: """ hello world """ + And a unknown-folder/unknown-file.php file: + """ + taco burrito + """ + And a wp-content/unknown-file.php file: + """ + foobar + """ When I try `wp core verify-checksums --include-root` Then STDERR should be: """ + Warning: File should not exist: unknown-folder/unknown-file.php + Warning: File should not exist: extra-file.php + """ + And STDERR should not contain: + """ + Warning: File should not exist: wp-content/unknown-file.php + """ + And STDOUT should be: + """ + Success: WordPress installation verifies against checksums. + """ + And the return code should be 0 + + When I run `wp core verify-checksums` + Then STDERR should not contain: + """ + Warning: File should not exist: wp-content/unknown-file.php + Warning: File should not exist: unknown-folder/unknown-file.php Warning: File should not exist: extra-file.php """ And STDOUT should be: From e69798eac7b9cb0a5b0cb049f5e37b1c4792fe17 Mon Sep 17 00:00:00 2001 
From: Daniel Bachhuber Date: Fri, 24 Mar 2023 11:09:45 -0700 Subject: [PATCH 13/18] Remove extraneous helper --- features/checksum-core.feature | 1 - 1 file changed, 1 deletion(-) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index ab07061b..1ca0d397 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -138,7 +138,6 @@ Feature: Validate checksums for WordPress install """ And the return code should be 0 - @daniel Scenario: Verify core checksums when extra files are included in WordPress root and --include-root is passed Given a WP install And a extra-file.php file: From 7176faf8c943a78fadd64234ba37ea8bdc6c31ff Mon Sep 17 00:00:00 2001 From: Daniel Bachhuber Date: Fri, 24 Mar 2023 11:15:13 -0700 Subject: [PATCH 14/18] Clean up `wp-cli.yml` scenario --- features/checksum-core.feature | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index 1ca0d397..37d2f934 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -35,12 +35,16 @@ Feature: Validate checksums for WordPress install Scenario: Core checksums don't verify because wp-cli.yml is present Given a WP install - And a wp-cli.yml file is present + And a wp-cli.yml file: + """ + plugin install: + - user-switching + """ When I try `wp core verify-checksums` Then STDERR should be: """ - Warning: File should not exist: wp-includes/extra-file.txt + Warning: File should not exist: wp-cli.yml """ And STDOUT should be: """ 
@@ -51,12 +55,13 @@ Feature: Validate checksums for WordPress install When I run `rm wp-cli.yml` Then STDERR should be empty - When I try `wp core verify-checksums` - Then STDERR should be: + When I run `wp core verify-checksums` + Then STDERR should be empty + And STDOUT should be: """ - Warning: File doesn't exist: readme.html - Error: WordPress installation doesn't verify against checksums. + Success: WordPress installation verifies against checksums. """ + And the return code should be 0 Scenario: Verify core checksums without loading WordPress Given an empty directory From 71c327fa6b025169a589c7c2e861ad5ebff59034 Mon Sep 17 00:00:00 2001 From: Daniel Bachhuber Date: Fri, 24 Mar 2023 11:17:45 -0700 Subject: [PATCH 15/18] Rebuild README with new flag --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f2c70cec..d7e79677 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ This package implements the following commands: Verifies WordPress files against WordPress.org's checksums. ~~~ -wp core verify-checksums [--version=] [--locale=] [--insecure] +wp core verify-checksums [--include-root] [--version=] [--locale=] [--insecure] ~~~ Downloads md5 checksums for the current version from WordPress.org, and @@ -31,6 +31,9 @@ site. **OPTIONS** + [--include-root] + Verify all files and folders in the root directory, and warn if any non-WordPress items are found. + [--version=] Verify checksums against a specific version of WordPress. From a59cc2e7aa120309e6a1f08d71a9e81cbc060e43 Mon Sep 17 00:00:00 2001 From: Daniel Bachhuber Date: Fri, 24 Mar 2023 11:22:12 -0700 Subject: [PATCH 16/18] Avoid random test failures when the order changes --- features/checksum-core.feature | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index 37d2f934..3de06072 100644 --- a/features/checksum-core.feature 
+++ b/features/checksum-core.feature @@ -159,9 +159,12 @@ Feature: Validate checksums for WordPress install """ When I try `wp core verify-checksums --include-root` - Then STDERR should be: + Then STDERR should contain: """ Warning: File should not exist: unknown-folder/unknown-file.php + """ + And STDERR should contain: + """ Warning: File should not exist: extra-file.php """ And STDERR should not contain: @@ -177,10 +180,16 @@ Feature: Validate checksums for WordPress install When I run `wp core verify-checksums` Then STDERR should not contain: """ - Warning: File should not exist: wp-content/unknown-file.php Warning: File should not exist: unknown-folder/unknown-file.php + """ + And STDERR should not contain: + """ Warning: File should not exist: extra-file.php """ + And STDERR should not contain: + """ + Warning: File should not exist: wp-content/unknown-file.php + """ And STDOUT should be: """ Success: WordPress installation verifies against checksums. From a03bee19f292c3add62479fcc769a246b9d9f125 Mon Sep 17 00:00:00 2001 From: Daniel Bachhuber Date: Fri, 24 Mar 2023 11:25:52 -0700 Subject: [PATCH 17/18] Remove extraneous argument --- src/Checksum_Core_Command.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php index 5a9c14af..ca57f667 100644 --- a/src/Checksum_Core_Command.php +++ b/src/Checksum_Core_Command.php @@ -149,7 +149,7 @@ public function __invoke( $args, $assoc_args ) { * * @return bool */ - protected function filter_file( $filepath, $include_root = false ) { + protected function filter_file( $filepath ) { if ( true === $this->include_root ) { return ( 1 !== preg_match( '/^(wp-config\.php$|wp-content\/)/', $filepath ) ); } From dc03bc8fa504e3716fffd273072d1fbbb513e5f5 Mon Sep 17 00:00:00 2001 
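Review bot: Nothing in the `--include-root` scenario asserts any longer that `wp-config.php` stays unreported, because `STDERR should contain:` accepts additional warnings where `STDERR should be:` did not. Assuming the `Given a WP install` fixture creates a wp-config.php, I would add one more `And STDERR should not contain:` block holding `Warning: File should not exist: wp-config.php`, next to the existing wp-content one. That would pin both branches of the exclusion pattern in `filter_file`, so a change that starts flagging the config file would fail the test.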
From: Daniel Bachhuber Date: Fri, 24 Mar 2023 13:48:03 -0700 Subject: [PATCH 18/18] Fix these assertions --- features/checksum-core.feature | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/features/checksum-core.feature b/features/checksum-core.feature index 3de06072..fffcc0b2 100644 --- a/features/checksum-core.feature +++ b/features/checksum-core.feature @@ -27,11 +27,13 @@ Feature: Validate checksums for WordPress install When I run `rm readme.html` Then STDERR should be empty - When I run `wp core verify-checksums` - Then STDOUT should be: + When I try `wp core verify-checksums` + Then STDERR should be: """ - Success: WordPress installation verifies against checksums. + Warning: File doesn't exist: readme.html + Error: WordPress installation doesn't verify against checksums. """ + And the return code should be 1 Scenario: Core checksums don't verify because wp-cli.yml is present Given a WP install