Security/Underscorejs: bug fixes and enhancements #595
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
So far, only single quoted text strings, heredocs and inline HTML were sniffed. However, there are two more text string token types: nowdoc and double quoted strings. This adds these tokens to the `register()` method to be sniffed. This commit also ensures that there is at least one unit test in place for each of these token types and that the tests use a variety of whitespace.
So far, the sniff would throw one error per text string, independently of how often the unescaped output notation would occur in the text string.
While for simple text strings, this is not much of an issue, for long and complex text strings, it may be more difficult to spot all the unescaped output notations in the text string.
This changes the sniff to:
* Throw a warning for each occurrence of the unescaped output notation in a text string.
* Include a snippet from the text string with the details of the unescaped output notation.
Old: `Found Underscore.js unescaped output notation: "<%=".`
New: `Found Underscore.js unescaped output notation: "<%= post_url %>".`
To allow the sniff to also match on a text string being concatenated together, the regex has to also match when `<%=` occurs at the end of the text string and will only display `<%=` in that case.
To this end, we also need to remove the text string quotes (if they exist) from the token content.
Add a basic JS test case file. Tests for `interpolate` will be added in a follow-up commit.
The `interpolate` property in JS can be set using various syntaxes. While the current check will in no way catch them all, the changes now made should improve the accuracy of detecting a change in the delimiter via `interpolate` in JS files. Notes: * Add checking for `T_STRING` to detect `_.templateSettings.interpolate =` syntax. This was previously not detected (false negative). * Add some defensive coding to prevent false positives when the `interpolate` keyword is used in another context than underscorejs. * Limit the check for `T_STRING` and `T_PROPERTY` to Javascript files only to prevent false positives when scanning PHP files. * Limit the check for `interpolate` in text strings to PHP only. This prevents false positives when the keyword is used in a text string in JS. Includes unit tests covering all the above.
Match the `interpolate` property in PHP files with the similar precision as in JS files. Includes unit tests.
Prevent triggering a warning when the variable being printed is escaped using `_.escape()`. Includes unit tests. Fixes 345
These are configuration files and not part of the production code. This check does not verify whether this file is in the project root as we don't know what the project root is. It will plainly ignore any file called `Gruntfile.js` in a case-insensitive manner. Includes unit tests.
…ents Add a new check for the JS native `print` command and the `_p+=` variation, when used without being combined with `_.escape()`. Includes unit tests.
51 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Result of a review of the
WordPressVIPMinimum.Security.Underscorejssniff.Not claiming completeness as JS, like PHP, can be written in lots of different ways - think ternaries, method chaining etc - and my JS is a bit rusty ;-).
Consider this a first round of improvements.
Input regarding underscores syntaxes based on:
Code samples largely based on samples found via:
Fixes #546
Commit details
Security/Underscorejs: sniff all text string tokens
So far, only single quoted text strings, heredocs and inline HTML were sniffed.
However, there are two more text string token types: nowdoc and double quoted strings.
This adds these tokens to the
register()method to be sniffed.This commit also ensures that there is at least one unit test in place for each of these token types and that the tests use a variety of whitespace.
Security/Underscorejs: throw an error for each violation
So far, the sniff would throw one error per text string, independently of how often the unescaped output notation would occur in the text string.
While for simple text strings, this is not much of an issue, for long and complex text strings, it may be more difficult to spot all the unescaped output notations in the text string.
This changes the sniff to:
Old:
Found Underscore.js unescaped output notation: "<%=".New:
Found Underscore.js unescaped output notation: "<%= post_url %>".To allow the sniff to also match on a text string being concatenated together, the regex has to also match when
<%=occurs at the end of the text string and will only display<%=in that case.To this end, we also need to remove the text string quotes (if they exist) from the token content.
Security/Underscorejs: add JS test case file
Add a basic JS test case file.
Tests for
interpolatewill be added in a follow-up commit.Security/Underscorejs: improve check for
interpolatein JS filesThe
interpolateproperty in JS can be set using various syntaxes. While the current check will in no way catch them all, the changes now made should improve the accuracy of detecting a change in the delimiter viainterpolatein JS files.Notes:
T_STRINGto detect_.templateSettings.interpolate =syntax. This was previously not detected (false negative).interpolatekeyword is used in another context than underscorejs.T_STRINGandT_PROPERTYto Javascript files only to prevent false positives when scanning PHP files.interpolatein text strings to PHP only. This prevents false positives when the keyword is used in a text string in JS.Includes unit tests covering all the above.
Security/Underscorejs: improve check for
interpolatein PHP filesMatch the
interpolateproperty in PHP files with the similar precision as in JS files.Includes unit tests.
Security/Underscorejs: bug fix - don't error when variable is escaped
Prevent triggering a warning when the variable being printed is escaped using
_.escape().Includes unit tests.
Fixes #345
Security/Underscorejs: ignore Gruntfile.js files
These are configuration files and not part of the production code.
This check does not verify whether this file is in the project root as we don't know what the project root is. It will plainly ignore any file called
Gruntfile.jsin a case-insensitive manner.Includes unit tests.
Security/Underscorejs: enhancement - check for print execution statements
Add a new check for the JS native
printcommand and the_p+=variation, when used without being combined with_.escape().Includes unit tests.