
WordPress.Security.NonceVerification.Missing not reported when using filter_input #2299

Open
1 task
kkmuffme opened this issue Jul 10, 2023 · 4 comments

@kkmuffme

Bug Description

When using filter_input with INPUT_GET or INPUT_POST or INPUT_COOKIE, it's like accessing the $_GET/$_POST superglobals.
Therefore a nonce validation is required.

Minimal Code Snippet

The issue happens when running this command:

./bin/phpcs --config-set installed_paths ../wpcs

... over a file containing this code:

// should report an error
$foo = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );
update_option( 'abc', $foo, false );

// correctly reports an error:
$foo = $_POST['email'];
update_option( 'def', $foo, false );

Error Code

WordPress.Security.NonceVerification.Missing

Environment

PHP version: 7.4
PHP_CodeSniffer version: 3.7.2
WPCS version: 2.3.0
WPCS install type: https://github.com/WordPress/WordPress-Coding-Standards#standalone

Tested Against develop branch?

  • I have verified the issue still exists in the develop branch of WPCS.
@kkmuffme
Author

Just saw that this was requested by @GaryJones when this rule was added initially: #325 (comment)

While back then someone said that filter_input was discouraged, using filter_input is actually the safer method compared to (some) WP sanitizing functions, since the INPUT_* data is out of scope of userland (e.g. $_POST['foo'] might have been modified somewhere/by any plugin already, while INPUT_POST, 'foo' is guaranteed to be unmodified), and some sanitizers are more secure than what WP can provide (e.g. for host names).

@kkmuffme
Author

Same issue also for filter_has_var and filter_input_array.
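A reduced model of the detection the sniff should perform, as an added example in Python rather than WPCS's own PHP sniff code: it treats filter_input, filter_has_var and filter_input_array on INPUT_GET, INPUT_POST and INPUT_COOKIE exactly like a direct $_GET/$_POST/$_COOKIE read, and reports any such read that is not preceded by a nonce check. The nonce-check function names, the single-scope simplification (WPCS scopes this per function) and the sample PHP snippets are assumptions constructed for this example.

```python
import re

# Request-reading functions and the input types that carry user-submitted data.
# INPUT_SERVER and INPUT_ENV are deliberately not treated as form input.
INPUT_FUNCS = ("filter_input", "filter_input_array", "filter_has_var")
INPUT_TYPES = ("INPUT_GET", "INPUT_POST", "INPUT_COOKIE")

SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\b")
FILTER_RE = re.compile(r"\b(" + "|".join(INPUT_FUNCS) + r")\s*\(\s*(INPUT_\w+)")
# Assumed set of WordPress nonce-verification functions (not exhaustive).
NONCE_RE = re.compile(r"\b(wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(")
LINE_COMMENT_RE = re.compile(r"(^|\s)//.*$")


def find_missing_nonce(php_source: str) -> list[tuple[int, str]]:
    """Return (line_number, what_was_read) for every request-data read that
    occurs before any nonce check. Simplification: the whole snippet is one
    scope, and a nonce check covers every read on the lines after it."""
    findings: list[tuple[int, str]] = []
    nonce_seen = False
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        code = LINE_COMMENT_RE.sub("", line)  # ignore // comments
        if NONCE_RE.search(code):
            nonce_seen = True
        if nonce_seen:
            continue
        if m := SUPERGLOBAL_RE.search(code):
            findings.append((lineno, m.group(0)))
            continue
        if (m := FILTER_RE.search(code)) and m.group(2) in INPUT_TYPES:
            findings.append((lineno, f"{m.group(1)}({m.group(2)})"))
    return findings


# Constructed sample, modelled on the snippet in the issue report.
SAMPLE_UNCHECKED = """\
// should report an error
$foo = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );
update_option( 'abc', $foo, false );
$bar = filter_has_var( INPUT_GET, 'page' );
$method = filter_input( INPUT_SERVER, 'REQUEST_METHOD' );

// correctly reports an error:
$foo = $_POST['email'];
update_option( 'def', $foo, false );
"""

# Constructed hardened variant: the nonce is verified before the read.
SAMPLE_CHECKED = """\
check_admin_referer( 'save_settings', '_wpnonce' );
$foo = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );
update_option( 'abc', $foo, false );
"""
```

Running find_missing_nonce on SAMPLE_UNCHECKED flags the filter_input, filter_has_var and $_POST lines but not the INPUT_SERVER read; SAMPLE_CHECKED yields no findings.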

@jrfnl
Member

jrfnl commented Oct 30, 2023

@johnstonphilip Please don't spam issues with "+1"'s which don't contribute anything useful to the discussion. You can use the emoji response on the first post for that.

@johnstonphilip

I didn't intend to spam. My apologies. I'm just wanting to note that this is a very important issue to me. Thanks, and my apologies again!

lipemat added a commit to lipemat/wp-phpcs that referenced this issue Sep 2, 2024
Expand on the `WordPress.Security.NonceVerification` sniff to detect uses of non-nonce filter_input calls.

@link WordPress/WordPress-Coding-Standards#2299

Task [#1206374008822596]