Automatically Catching Bugs in Plugins

A Problem

There are times when it’s difficult for a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party developer to know the most secure way to implement something (e.g., preparing a SQL query with conditional clauses), and it can be easy to overlook bugs and bad practices when there are thousands of lines of codeLines of Code Lines of code. This is sometimes used as a poor metric for developer productivity, but can also have other uses..

That creates bad experiences for users when something breaks or their site is hacked.

A Potential Solution

Static code analysisStatic code analysis "...the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing." - Wikipedia could help to catch bugs, and inform developers how to fix them. It could also reduce the amount of time the Plugin team spends doing manual reviews.

The Coding Standards project has already built an extensive set of PHPCSPHP Code Sniffer PHP Code Sniffer, a popular tool for analyzing code quality. The WordPress Coding Standards rely on PHPCS. sniffssniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food., and the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. team has prototyped a custom PHPCS standard for the Plugin Repository.

Would something like that be useful? If so, what exactly should it check for?

Feedback

  1. At a high level, what concerns need to be addressed? e.g., security, backwards/forwards-compatibility, best practices?
  2. At a lower level, what specific things should be reported? e.g., escaped database queries & HTMLHTML HTML is an acronym for Hyper Text Markup Language. It is a markup language that is used in the development of web pages and websites. output, using CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. APIs where available, avoiding deprecated functions?
    • What existing sniffs should be included from WPCSWPCS The collection of PHP_CodeSniffer rules (sniffs) used to format and validate PHP code developed for WordPress according to the WordPress Coding Standards. May also be an acronym referring to the Accessibility, PHP, JavaScript, CSS, HTML, etc. coding standards as published in the WordPress Coding Standards Handbook.?
    • What new sniffs need to be developed?
    • What should be treated as an error, and what should just be a recommendation?
  3. What are the current gaps in documentation? e.g., piecing together complex MySQLMySQL MySQL is a relational database management system. A database is a structured collection of data where content, configuration and other options are stored. https://www.mysql.com/. queries with multiple variables. We’ll need good documentation to help devs understand a problem in their code, and fix it the right way.
  4. What are the current gaps in functionality that Core provides to plugins? e.g., escaping table and column names, native MySQL prepared statements, an HTML templating language. It’ll be easier for plugins to meet the standard if they don’t have to create their own implementations of common functionality.
  5. What metrics should we track to determine if code quality is improving enough?
  6. What metrics should we track to determine if we’re saving the Plugin Team enough time?

If you’re interested in similar conversations, check out the #core-coding-standards channel in our Slack workspace.

+make.wordpress.org/plugins/ +make.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org//docs/ +make.wordpress.org/core/

cc @dingo_d, @westonruter, @jdgrimes, @jeffpaul

#coding-standards, #phpcs, #security

Security Audit for WordCamp Remote CSS Plugin

UPDATE: The pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party has been deployed, so please disclose any vulnerabilities privately, either on Hacker1, or by pinging me privately on Slack.


The WordCamp Remote CSS plugin is ready to deployDeploy Launching code from a local development environment to the production web server, so that it's available to visitors., but before I do that, I want to get some extra eyes on a few potential attack vectors.

The plugin lets organizers develop their CSSCSS CSS is an acronym for cascading style sheets. This is what controls the design or look and feel of a site. with any tools/environments/platforms they want (rather than in a browser with Jetpack’s CSS editor), and then the plugin will download a copy of the CSS file from a remote server, sanitize it, cache it locally, and enqueue it as an extra stylesheet.

You can browse the source on GitHub. (It’ll be moved to the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. repo before it’s deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors..)

These are what I see as the weakest points, and why I think they’re safe:

  • validate_remote_css_url() – This makes sure the file we’re about to download meets our expectations. If this allowed any URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org, it’d be open to SSRF attacks. To avoid that, only specific platforms (like GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/) are supported. Additionally, only URLs with a .css extension are allowed.
  • output_cached_css() – This outputs the user’s CSS on the front-end, after it’s been sanitized. There’s no escaping, because it’s CSS, but it’s already been sanitized. The correct content-type headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. is sent, to prevent browsers from interpreting it as HTMLHTML HTML is an acronym for Hyper Text Markup Language. It is a markup language that is used in the development of web pages and websites.. I guess if the database is compromised, the content could be manipulated, but if that happens then there’s probably a hundred different things the attacker could do, so I don’t think there’s really anything to do in that case.
  • webhook_handler() – This listens for notifications from webhooks that a repository has been updated, and refreshes the cache. It doesn’t require any authentication, because the worst an attacker could do would be to force us to unnecessarily refresh the cache. To avoid too many requests, though, it is rate-limited.

Does anyone see anything I’ve missed there, or anywhere else?

If you’d like to test it live, you’ll need to cherry pick 2955-jetpack.

 

cc @kovshenin

#code-review, #security, #wordcamp-org