REST API Enhancements: fix code standards compliance issues

sjinks · sjinks · commit e36ac8443dd7 · 2021-10-13T09:34:26.000+03:00
diff --git a/rest-api/vip-endpoints.php b/rest-api/vip-endpoints.php
@@ -1,24 +1,24 @@
 <?php
 /*
- Plugin Name: VIP REST API Endpoints
- Plugin URI: https://wpvip.com
- Description: Add custom REST API endpoints for VIP requests; N.B. these endpoints are subject to change without notice, and should be considered "private".
- Author: Erick Hitter, Automattic
- Version: 0.1
- */
+Plugin Name: VIP REST API Endpoints
+Plugin URI: https://wpvip.com
+Description: Add custom REST API endpoints for VIP requests; N.B. these endpoints are subject to change without notice, and should be considered "private".
+Author: Erick Hitter, Automattic
+Version: 0.1
+*/
 
 class WPCOM_VIP_REST_API_Endpoints {
 	/**
 	 * SINGLETON
 	 */
-	private static $__instance = null;
+	private static $instance = null;
 
 	public static function instance() {
-		if ( ! is_a( self::$__instance, __CLASS__ ) ) {
-			self::$__instance = new self;
+		if ( ! is_a( self::$instance, __CLASS__ ) ) {
+			self::$instance = new self();
 		}
 
-		return self::$__instance;
+		return self::$instance;
 	}
 
 	/**
@@ -80,16 +80,19 @@ public function rest_api_init() {
 	public function force_authorized_access( $result ) {
 		global $wp_rewrite;
 
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		$request_uri = $_SERVER['REQUEST_URI'] ?? '';
+
 		if ( $wp_rewrite->using_permalinks() ) {
 			$rest_prefix = rest_get_url_prefix();
 
 			// Expected request.
 			$expected_namespace = get_rest_url( null, $this->namespace );
 			$expected_namespace = trailingslashit( $expected_namespace );
-			$expected_namespace = parse_url( $expected_namespace, PHP_URL_PATH );
+			$expected_namespace = wp_parse_url( $expected_namespace, PHP_URL_PATH );
 
 			// Actual request.
-			$request_parts = explode( '/', $_SERVER['REQUEST_URI'] );
+			$request_parts = explode( '/', $request_uri );
 
 			// Drop undesirable leading bits to rebuild namespace from request.
 			foreach ( $request_parts as $key => $part ) {
@@ -111,14 +114,14 @@ public function force_authorized_access( $result ) {
 				return $result;
 			}
 
-			$slashed_request = trailingslashit( $_SERVER['REQUEST_URI'] );
+			$slashed_request = trailingslashit( $request_uri );
 
 			if ( 0 === strpos( $slashed_request, $expected_namespace ) && wpcom_vip_go_rest_api_request_allowed( $this->namespace ) ) {
 				return true;
 			}
 		} else {
 			$query_args   = array();
-			$query_string = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_QUERY );
+			$query_string = wp_parse_url( $request_uri, PHP_URL_QUERY );
 			wp_parse_str( $query_string, $query_args );
 
 			if ( ! isset( $query_args['rest_route'] ) ) {
@@ -159,7 +162,7 @@ public function list_sites() {
 				foreach ( $_sites as $_site ) {
 					switch_to_blog( $_site );
 
-					$url_parts = wp_parse_args( parse_url( home_url() ), array(
+					$url_parts = wp_parse_args( wp_parse_url( home_url() ), array(
 						'host' => '',
 						'path' => '',
 					) );
@@ -173,7 +176,7 @@ public function list_sites() {
 					}
 
 					$sites[] = array(
-						'ID' => $_site,
+						'ID'          => $_site,
 						'domain_name' => $url,
 					);
 
@@ -187,8 +190,8 @@ public function list_sites() {
 		} else {
 			// Provided for consistency, even though this provides no insightful response
 			$sites[] = array(
-				'ID' => 1,
-				'domain_name' => parse_url( home_url(), PHP_URL_HOST ),
+				'ID'          => 1,
+				'domain_name' => wp_parse_url( home_url(), PHP_URL_HOST ),
 			);
 		}
 
@@ -209,7 +212,7 @@ public function list_plugins() {
 	 *
 	 * @return WP_REST_Response
 	 */
-	public function list_jetpack_details( $request ): WP_REST_Response {
+	public function list_jetpack_details(): WP_REST_Response {
 		$details = [];
 
 		if ( is_multisite() ) {
@@ -246,7 +249,7 @@ public function list_jetpack_details( $request ): WP_REST_Response {
 	 */
 	protected function get_jetpack_details_for_site(): array {
 		$connection = new Automattic\Jetpack\Connection\Manager();
-		$data = [
+		$data       = [
 			'site_id'       => get_current_blog_id(),
 			'cache_site_id' => Jetpack::get_option( 'id' ),
 			'home_url'      => home_url(),
@@ -269,24 +272,24 @@ protected function get_all_plugins() {
 
 		// array of all standard plugins
 		$standard_plugins = get_plugins();
-		$tmp_plugins = array();
+		$tmp_plugins      = array();
 		foreach ( $standard_plugins as $key => $plugin ) {
 			$vip_plugin_slug = 'plugins/' . dirname( $key );
 			if ( is_plugin_active( $key ) ) {
 				$tmp_plugins[ $key ] = array(
-					'name' => $plugin['Name'],
-					'version' => $plugin['Version'],
+					'name'        => $plugin['Name'],
+					'version'     => $plugin['Version'],
 					'description' => $plugin['Description'],
-					'type' => 'standard',
-					'active' => true,
+					'type'        => 'standard',
+					'active'      => true,
 				);
 			} elseif ( ! in_array( $vip_plugin_slug, $vip_loaded_plugins, true ) ) {
 				$tmp_plugins[ $key ] = array(
-					'name' => $plugin['Name'],
-					'version' => $plugin['Version'],
+					'name'        => $plugin['Name'],
+					'version'     => $plugin['Version'],
 					'description' => $plugin['Description'],
-					'type' => 'standard',
-					'active' => false,
+					'type'        => 'standard',
+					'active'      => false,
 				);
 			}
 		}
@@ -298,71 +301,72 @@ protected function get_all_plugins() {
 			$vip_plugin_slug = 'plugins/' . dirname( $key );
 			if ( in_array( $vip_plugin_slug, $vip_loaded_plugins, true ) ) {
 				$tmp_plugins[ $key ] = array(
-					'name' => $plugin['Name'],
-					'version' => $plugin['Version'],
+					'name'        => $plugin['Name'],
+					'version'     => $plugin['Version'],
 					'description' => $plugin['Description'],
-					'type' => 'standard-code',
-					'active' => true,
+					'type'        => 'standard-code',
+					'active'      => true,
 				);
 			}
 		}
 		$all_plugins['standard-code'] = $tmp_plugins;
 
 		// array of all mu plugins
-		$mu_plugins = get_mu_plugins();
+		$mu_plugins  = get_mu_plugins();
 		$tmp_plugins = array();
 		foreach ( $mu_plugins as $key => $plugin ) {
 			$tmp_plugins[ $key ] = array(
-				'name' => $plugin['Name'],
-				'version' => $plugin['Version'],
+				'name'        => $plugin['Name'],
+				'version'     => $plugin['Version'],
 				'description' => $plugin['Description'],
-				'type' => 'mu-plugin',
-				'active' => true,
+				'type'        => 'mu-plugin',
+				'active'      => true,
 			);
 		}
 		$all_plugins['mu-plugin'] = $tmp_plugins;
 
 		// array of all client mu plugins
 		$client_mu_plugins = wpcom_vip_get_client_mu_plugins_data();
-		$tmp_plugins = array();
+		$tmp_plugins       = array();
 		foreach ( $client_mu_plugins as $key => $plugin ) {
 			$tmp_plugins[ $key ] = array(
-				'name' => $plugin['Name'],
-				'version' => $plugin['Version'],
+				'name'        => $plugin['Name'],
+				'version'     => $plugin['Version'],
 				'description' => $plugin['Description'],
-				'type' => 'client-mu-plugin',
-				'active' => true,
+				'type'        => 'client-mu-plugin',
+				'active'      => true,
 			);
 		}
 		$all_plugins['client-mu-plugin'] = $tmp_plugins;
 
 		// array of all shared plugins (activated via code and via UI)
 		// once the remaining shared plugins are retired we can remove this section
-		$tmp_ui_plugins = array();
+		$tmp_ui_plugins   = array();
 		$tmp_code_plugins = array();
 		foreach ( get_plugins( '/../mu-plugins/shared-plugins' ) as $key => $plugin ) {
-			if ( $active_plugin_type = $this->legacy_is_plugin_active( basename( dirname( $key ) ) ) ) {
+			$active_plugin_type = $this->legacy_is_plugin_active( basename( dirname( $key ) ) );
+			if ( $active_plugin_type ) {
 				if ( 'manual' === $active_plugin_type ) {
 					$tmp_code_plugins[ $key ] = array(
-						'name' => $plugin['Name'],
-						'version' => $plugin['Version'],
+						'name'        => $plugin['Name'],
+						'version'     => $plugin['Version'],
 						'description' => $plugin['Description'],
-						'type' => 'vip-shared-code',
-						'active' => true,
+						'type'        => 'vip-shared-code',
+						'active'      => true,
 					);
 				} else {
 					$tmp_ui_plugins[ $key ] = array(
-						'name' => $plugin['Name'],
-						'version' => $plugin['Version'],
+						'name'        => $plugin['Name'],
+						'version'     => $plugin['Version'],
 						'description' => $plugin['Description'],
-						'type' => 'vip-shared-ui',
-						'active' => true,
+						'type'        => 'vip-shared-ui',
+						'active'      => true,
 					);
 				}
 			}
 		}
 		$all_plugins['vip-shared-code'] = $tmp_code_plugins;
-		$all_plugins['vip-shared-ui'] = $tmp_ui_plugins;
+		$all_plugins['vip-shared-ui']   = $tmp_ui_plugins;
 
 		// add constant to endpoint
 		$all_plugins['disable-shared-plugins'] = ( defined( 'WPCOM_VIP_DISABLE_SHARED_PLUGINS' ) && true === WPCOM_VIP_DISABLE_SHARED_PLUGINS ) ? true : false;
diff --git a/vip-rest-api.php b/vip-rest-api.php
@@ -71,36 +71,38 @@ function wpcom_vip_verify_go_rest_api_request_authorization( $namespace, $auth_h
 function wpcom_vip_go_rest_api_request_allowed( $namespace, $cap = 'do_not_allow' ) {
 	// First check basic auth
 	$basic_auth_user = wpcom_vip_basic_auth_user();
-	if ( $basic_auth_user && ! is_wp_error( $basic_auth_user ) &&
-		$basic_auth_user->ID && $basic_auth_user->ID > 0 ) {
-			$user_id = $basic_auth_user->ID;
-
-			// Check current user has `vip_support` or the required capability.
-			// VIP Support users should be able to do anything on the site, but
-			// this cap check runs before that plugin is loaded.
-			// https://github.com/Automattic/vip-support
-			if ( user_can( $user_id, 'vip_support' ) || user_can( $user_id, $cap ) ) {
-				return true;
-			}
+	if ( $basic_auth_user && ! is_wp_error( $basic_auth_user ) && $basic_auth_user->ID && $basic_auth_user->ID > 0 ) {
+		$user_id = $basic_auth_user->ID;
+
+		// Check current user has `vip_support` or the required capability.
+		// VIP Support users should be able to do anything on the site, but
+		// this cap check runs before that plugin is loaded.
+		// https://github.com/Automattic/vip-support
+		if ( user_can( $user_id, 'vip_support' ) || user_can( $user_id, $cap ) ) {
+			return true;
+		}
 	}
 
 	// Do we have a header to check?
-	if ( ! isset( $_SERVER['HTTP_AUTHORIZATION'] ) || empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
+	if ( empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
 		return false;
 	}
 
+	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 	return wpcom_vip_verify_go_rest_api_request_authorization( $namespace, $_SERVER['HTTP_AUTHORIZATION'] );
 }
 
 function wpcom_vip_basic_auth_user() {
+	// phpcs:disable WordPressVIPMinimum.Variables.ServerVariables.BasicAuthentication
 	if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) || ! isset( $_SERVER['PHP_AUTH_PW'] ) ) {
 		return false;
 	}
 
-	$username = $_SERVER['PHP_AUTH_USER'];
-	$password = $_SERVER['PHP_AUTH_PW'];
+	$username = $_SERVER['PHP_AUTH_USER'];  // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+	$password = $_SERVER['PHP_AUTH_PW'];    // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 
 	return wp_authenticate( $username, $password );
+	// phpcs:enable
 }
 
 /**
