duplication-notes.md
1 month ago
flow-test-matrix.md
1 month ago
php-file-metrics.tsv
1 month ago
security-checklist-results.md
1 month ago
security-checklist-results.md
34 lines
| 1 | # Security checklist results (Wave C — sample-based) |
| 2 | |
| 3 | **Method:** Repository-wide ripgrep for high-signal patterns, then manual review of **highest-churn** PHP files from `php-file-metrics.tsv` and concentrated AJAX/REST modules. |
| 4 | |
| 5 | **Repo snapshot:** See parent health report for commit SHA and date. |
| 6 | |
| 7 | ## Summary |
| 8 | |
| 9 | | Item | Scope | Result | Notes | |
| 10 | | ----------------------------------- | -------------------------------------------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 11 | | AJAX: nonce + capability | `includes/admin/class-ajax.php` (32 `wp_ajax_*` registrations) | **Pass / mixed** | Many handlers use `wp_verify_nonce` + `Conditional::user_can` (e.g. `subscribe_to_newsletter`). **Follow-up:** audit every handler; several `wp_ajax_nopriv_*` endpoints exist (`advads_ad_select`, `advads-ad-health-notice-push`) — verify intentional public surface and rate/abuse controls. | |
| 12 | | `$_REQUEST` usage | Plugin-owned paths (excludes Action Scheduler list table) | **Review** | Matches in `includes/admin/class-ajax.php`, `includes/admin/class-list-filters.php`, `includes/admin/class-edd-updater.php`. Each needs case-by-case sanitization and authorization. | |
| 13 | | REST routes | `includes/rest/*.php`, modules | **Review** | `register_rest_route` present in multiple classes; confirm `permission_callback` on each route (not audited line-by-line in this pass). | |
| 14 | | Dynamic SQL | Hot files | **Review** | Prioritize `$wpdb` usage in `includes/admin/class-ajax.php`, repositories, importers; confirm `$wpdb->prepare` on variable fragments. | |
| 15 | | Output escaping | Views / admin pages | **Review** | Systematic pass deferred; spot-check high-churn admin classes when touching UI. | |
| 16 | | `unserialize` / `maybe_unserialize` | First-party code | **Review** | `includes/utilities/class-wordpress.php::maybe_unserialize` uses `allowed_classes => false` (good). `includes/importers/class-ad-inserter.php` uses `unserialize` on decoded data (flagged phpcs) — ensure input is trusted/truncated. Third-party (`packages/woocommerce/action-scheduler`) excluded from sign-off. | |
| 17 | |
| 18 | ## `unserialize` / `maybe_unserialize` (first-party highlights) |
| 19 | |
| 20 | | File | Note | |
| 21 | | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | |
| 22 | | `includes/utilities/class-wordpress.php` | Wrapper restricts allowed classes. | |
| 23 | | `includes/importers/class-plugin-exporter.php` | `maybe_unserialize` on post meta — typical import path; keep capability checks on importer UI. | |
| 24 | | `includes/importers/class-ad-inserter.php` | `unserialize( base64_decode(...) )` — **high attention** on call path and caller capability. | |
| 25 | | `includes/importers/class-xml-importer.php` | Uses `WordPress::maybe_unserialize` for options/meta. | |
| 26 | | `includes/admin/class-edd-updater.php` | `maybe_unserialize` on remote API body fields — depends on SSL/signature of updater. | |
| 27 | | `modules/gadsense/includes/class-adsense-report-data.php` | Custom unserialize helpers — review when changing Adsense module. | |
| 28 | |
| 29 | ## Next pass (recommended) |
| 30 | |
| 31 | 1. Enumerate every `register_rest_route` and record `permission_callback`. |
| 32 | 2. Walk `includes/admin/class-ajax.php` method-by-method for nopriv handlers. |
| 33 | 3. Grep `$wpdb->query` / `$wpdb->get_*` without `prepare` in `includes/` and `admin/`. |
| 34 |