Merge remote-tracking branch 'kiro/develop' into develop

Author: john-shaffer

CHANGELOG.md

@@ -49,6 +49,8 @@
     by the wordpress.org plugin guidelines.
 - Escape exception messages when
   `STATIC_DEPLOY_ESCAPE_EXCEPTIONS` is true.
+- Fix a security issue where the nonce was not verified
+  for some actions until after the action had been performed.
 
 ## 9.3.2 (2025-07-29)
 

bin/upgrade-deps

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+bin_dir="$(dirname "$0")"
+repo_root="$(realpath "$bin_dir"/..)"
+
+"$bin_dir"/update-flakes
+
+cd "$repo_root"
+composer upgrade
+
+"$bin_dir"/update-hashes

composer.lock

@@ -24,14 +24,14 @@
           pname = "${name}-composer-deps";
           version = "1.0.0";
           src = composerSrc;
-          vendorHash = "sha256-OGd/3kXzSm0VP1SLlCymKnVgJ/U5Yt8xkKldGdErv74=";
+          vendorHash = "sha256-KluG1kecPRaLEbOHc6BOu9shOoE6yg/fIyWeztKC3jE=";
         });
         composerVendorDev = php.mkComposerVendor (finalAttrs: {
           composerNoDev = false;
           pname = "${name}-composer-deps-dev";
           version = "1.0.0";
           src = composerSrc;
-          vendorHash = "sha256-1quQI8iZqJ5LK3ADyuo9RW9SKhtewmZbGr68RLKMwu0=";
+          vendorHash = "sha256-UexpJEq/ULTsR9ogPt1rDXqee9U7AjZQXQE1Xgemrts=";
         });
         staticDeploySrc = pkgs.lib.cleanSourceWith {
           src = self;

dev/flake.lock

@@ -10,8 +10,8 @@
   -->
   <arg name="colors" />
   <arg name="tab-width" value="2" />
-  <!-- Custom line length validation -->
   <rule ref="Squiz.PHP.DiscouragedFunctions" />
+  <!-- Custom line length validation -->
   <rule ref="Generic.Files.LineLength">
     <properties>
       <property name="lineLimit" value="100" />
@@ -33,62 +33,34 @@
     <exclude name="Squiz.Commenting.LongConditionClosingComment"/>
   </rule>
   <rule ref="WordPress">
-    <exclude name="Generic.CodeAnalysis.ForLoopWithTestFunctionCall.NotAllowed" />
     <exclude name="Generic.Commenting.DocComment.ShortNotCapital" />
     <exclude name="Generic.Commenting.DocComment.MissingShort" />
     <exclude name="Generic.Formatting.MultipleStatementAlignment.NotSameWarning" />
     <exclude name="Generic.Functions.OpeningFunctionBraceKernighanRitchie.BraceOnNewLine" />
-    <exclude name="Generic.PHP.NoSilencedErrors.Discouraged" />
-    <exclude name="Generic.Strings.UnnecessaryStringConcat.Found" />
     <exclude name="Generic.WhiteSpace.DisallowSpaceIndent" />
-    <exclude name="PSR2.Methods.MethodDeclaration.Underscore" />
     <exclude name="Squiz.Commenting.ClassComment.Missing" />
-    <exclude name="Squiz.Commenting.FileComment.Missing" />
     <exclude name="Squiz.Commenting.FunctionComment.ParamCommentFullStop" />
-    <exclude name="Squiz.Commenting.FunctionComment.ThrowsNoFullStop" />
     <exclude name="Squiz.Commenting.FunctionCommentThrowTag" />
     <exclude name="Squiz.Commenting.InlineComment.InvalidEndChar" />
-    <exclude name="Squiz.Commenting.LongConditionClosingComment.SpacingBefore" />
     <exclude name="Squiz.Commenting.PostStatementComment.Found" />
-    <exclude name="Squiz.Commenting.VariableComment.Missing" />
     <exclude name="Squiz.PHP.CommentedOutCode.Found" />
     <exclude name="Squiz.PHP.DisallowMultipleAssignments.Found" />
-    <exclude name="Squiz.PHP.EmbeddedPhp.ContentAfterOpen" />
-    <exclude name="Squiz.PHP.EmbeddedPhp.ContentAfterEnd" />
-    <exclude name="Squiz.PHP.EmbeddedPhp.ContentBeforeOpen" />
     <exclude name="Squiz.PHP.EmbeddedPhp.ContentBeforeEnd" />
-    <exclude name="Squiz.PHP.NonExecutableCode.Unreachable" />
     <exclude name="WordPress.Arrays.MultipleStatementAlignment.DoubleArrowNotAligned" />
-    <exclude name="WordPress.CodeAnalysis.AssignmentInCondition.Found" />
-    <exclude name="WordPress.CodeAnalysis.AssignmentInCondition.FoundInWhileCondition" />
     <exclude name="WordPress.DB.DirectDatabaseQuery.DirectQuery" />
     <exclude name="WordPress.DB.DirectDatabaseQuery.NoCaching" />
     <exclude name="WordPress.DB.DirectDatabaseQuery.SchemaChange" />
-    <exclude name="WordPress.DB.PreparedSQL" />
     <exclude name="WordPress.Files.FileName.InvalidClassFileName" />
     <exclude name="WordPress.Files.FileName.NotHyphenatedLowercase" />
-    <exclude name="WordPress.NamingConventions.ValidFunctionName.FunctionNameInvalid" />
     <exclude name="WordPress.NamingConventions.ValidFunctionName.MethodNameInvalid" />
-    <exclude name="WordPress.NamingConventions.ValidVariableName.MemberNotSnakeCase" />
-    <exclude name="WordPress.NamingConventions.ValidVariableName.NotSnakeCase" />
-    <exclude name="WordPress.NamingConventions.ValidVariableName.NotSnakeCaseMemberVar" />
-    <exclude name="WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting" />
     <exclude name="WordPress.PHP.DiscouragedPHPFunctions" />
-    <!-- TODO: refactor to eliminate use of `exec` for compatibility w/shared hosts -->
-    <exclude name="WordPress.PHP.DiscouragedPHPFunctions.system_calls_exec" />
-    <!-- TODO: refactor to eliminate use of `shell_exec` for compat w/shared hosts -->
-    <exclude name="WordPress.PHP.DontExtract.extract_extract" />
-    <exclude name="WordPress.PHP.StrictComparisons.LooseComparison" />
-    <exclude name="WordPress.PHP.StrictInArray.MissingTrueStrict" />
     <exclude name="WordPress.PHP.YodaConditions.NotYoda" />
     <!-- Forcing exceptions to be escaped is bad practice.
      See: https://github.com/WordPress/WordPress-Coding-Standards/issues/2374 -->
     <exclude name="WordPress.Security.EscapeOutput.ExceptionNotEscaped"/>
     <exclude name="WordPress.Security.EscapeOutput.OutputNotEscaped" />
-    <exclude name="WordPress.Security.NonceVerification" />
     <exclude name="WordPress.Security.ValidatedSanitizedInput" />
     <exclude name="WordPress.WP.AlternativeFunctions" />
-    <exclude name="Generic.Arrays.DisallowShortArraySyntax" />
     <exclude name="Universal.Arrays.DisallowShortArraySyntax.Found" />
   </rule>
   <rule ref="Generic.Arrays.DisallowLongArraySyntax"/>

flake.lock

@@ -39,14 +39,18 @@ public static function registerAddon(
 
         global $wpdb;
 
-        $table_name = self::getTableName();
-
-        $sql = "INSERT IGNORE INTO {$table_name} (slug,type,name,docs_url,description)" .
-            ' VALUES (%s,%s,%s,%s,%s)';
-
-        $sql = $wpdb->prepare( $sql, $slug, $type, $name, $docs_url, $description );
-
-        $wpdb->query( $sql );
+        $wpdb->query(
+            $wpdb->prepare(
+                'INSERT IGNORE INTO %i (slug,type,name,docs_url,description)' .
+                ' VALUES (%s,%s,%s,%s,%s)',
+                self::getTableName(),
+                $slug,
+                $type,
+                $name,
+                $docs_url,
+                $description,
+            ),
+        );
     }
 
     /**
@@ -59,17 +63,22 @@ public static function getAll( string $type = 'all' ): array {
 
         $table_name = self::getTableName();
 
-        $query_string = "SELECT * FROM $table_name";
-        $query_params = [];
         if ( $type !== 'all' ) {
-            $query_string .= ' WHERE type = %s';
-            $query_params[] = $type;
+            return $wpdb->get_results(
+                $wpdb->prepare(
+                    'SELECT * FROM %i WHERE type = %s ORDER BY type DESC',
+                    $table_name,
+                    $type
+                )
+            );
+        } else {
+            return $wpdb->get_results(
+                $wpdb->prepare(
+                    'SELECT * FROM %i ORDER BY type DESC',
+                    $table_name
+                )
+            );
         }
-        $query_string .= ' ORDER BY type DESC';
-
-        return $wpdb->get_results(
-            $wpdb->prepare( $query_string, $query_params )
-        );
     }
 
     /**
@@ -81,14 +90,13 @@ public static function getAll( string $type = 'all' ): array {
     public static function getType( string $type ): array {
         global $wpdb;
 
-        $table_name = self::getTableName();
-
-        $query = $wpdb->prepare(
-            "SELECT * FROM $table_name WHERE type = %s AND enabled = 1 ORDER BY slug",
-            $type
+        return $wpdb->get_results(
+            $wpdb->prepare(
+                'SELECT * FROM %i WHERE type = %s AND enabled = 1 ORDER BY slug',
+                self::getTableName(),
+                $type,
+            ),
         );
-
-        return $wpdb->get_results( $query );
     }
 
     /**
@@ -99,7 +107,7 @@ public static function truncate(): void {
 
         $table_name = self::getTableName();
 
-        $wpdb->query( "TRUNCATE TABLE $table_name" );
+        $wpdb->query( $wpdb->prepare( 'TRUNCATE TABLE %i', $table_name ) );
 
         WsLog::l( 'Deregistered all Addons' );
     }

flake.nix

@@ -71,7 +71,7 @@ public static function afterAdminBarRender(): void {
         $ajax_job_queue_url = Controller::getAdminAjaxUrl( 'job_queue' );
         ?>
     <script>
-    var static_deploy_job_queue_url = "<?php echo esc_url( $ajax_job_queue_url ); ?>";
+    var static_deploy_job_queue_url = "<?php echo esc_js( $ajax_job_queue_url ); ?>";
     var static_deploy_last_interval = 30000;
     var static_deploy_job_type_labels = {
         detect: "Detecting URLs",
@@ -213,8 +213,10 @@ public static function getJobsInProgress(): array {
         $table_name = JobQueue::getTableName();
 
         return $wpdb->get_results(
-            "SELECT * FROM $table_name
-            WHERE status = 'processing'"
+            $wpdb->prepare(
+                "SELECT * FROM %i WHERE status = 'processing'",
+                $table_name
+            )
         );
     }
 

phpcs.xml

@@ -259,7 +259,7 @@ public function options(
         $value = $args[2] ?? null;
         $reveal_sensitive_values = isset( $assoc_args['reveal-sensitive-values'] );
 
-        if ( ! in_array( $action, [ 'get', 'set', 'list' ] ) ) {
+        if ( ! in_array( $action, [ 'get', 'set', 'list' ], true ) ) {
             WP_CLI::error( 'Missing required argument: <get|set|list>' );
         }