Integration for WordPress plugins

Is there any specific integration for scanning WordPress plugins? There are a number of WordPress-specific security flaws to look out for, for example one-time security tokens (nonces). There’s more on plugin and theme security on the WordPress Codex site.

I found another discussion about general WordPress analysis, but it seems it didn’t go anywhere. Did you make any progress on this since 2018? Did any other WordPress plugin authors get in touch with similar questions/requirements?

Hello,

I will be completely transparent and answer your question directly: no progress since 2018 to provide dedicated rules targeting WordPress plugins. But in 2020 SonarSource acquired RIPS Tech, which was the de facto leader in PHP scanning, and so PHP is now considered a main language for Code Security. It means that implementing rules to find security issues in PHP is now a priority.
Since the people of RIPS joined SonarSource, we progressed a lot on the quality of the issues raised by SonarQube and SonarCloud, and we provide 222 rules dedicated to PHP. Among them, 34 detect Vulnerabilities and 21 detect Security Hotspots.

I looked at the links you shared and in order to help me prioritize the work, would you be able to contribute here a list of “must-have” checks corresponding to the things you currently manually validate before releasing a WordPress plugin?

Thanks
Alex

Hi @Alexandre_Gigleux,

I thought about the most crucial checks for WordPress projects.

Security nonces

Ideally each (POST) request should contain a security token. It would be great if there was a rule that would identify forms that don’t contain any nonce field. It could also spot a missing nonce check in the code handling the submitted request on the server side.

Sometimes developers only check the nonce if the nonce variable is present. Instead of this…

if ( ! isset( $_POST['name_of_nonce_field'] ) || ! wp_verify_nonce( $_POST['name_of_nonce_field'], 'name_of_my_action' ) ) {
   // unauthorized access, exit or show some sort of error
}

…there is often this…

if ( isset( $_POST['name_of_nonce_field'] ) && wp_verify_nonce( $_POST['name_of_nonce_field'], 'name_of_my_action' ) ) {
   // do requested action, database update, send notification...
   // (note: a request without the nonce field skips the check entirely and falls through)
}

SQL escaping

It is good practice to use $wpdb->prepare to build the query before passing it to $wpdb->query or $wpdb->get_results if it contains any variables. A rule to spot direct query string concatenation would be handy. Examples below.

Good

$result = $wpdb->get_results(
	$wpdb->prepare( 
		"SELECT * FROM {$wpdb->postmeta} WHERE meta_value = %s;",
		$lookup_value
	)
);

Bad

$result = $wpdb->get_results("SELECT * FROM {$wpdb->postmeta} WHERE meta_value = '" . $lookup_value . "';");

Capabilities checks

Sometimes developers forget to check user permissions when processing a POST request, AJAX calls etc. It would be great to highlight code that processes a POST request without checking user permissions.

Also, any AJAX handling code registered using wp_ajax_* and wp_ajax_nopriv_* should be checked for user permission validation. See https://codex.wordpress.org/AJAX_in_Plugins.
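For reference, here is one wp_ajax_ handler that applies all three checks listed in the post above (unconditional nonce verification, a capability check, and a prepared query). This is an added example, not code from the thread; the action name, nonce name, form markup and the 'edit_posts' capability are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread). The 'myplugin_lookup' action, the 'nonce'
// field name and the 'edit_posts' capability are assumed for illustration.

add_action( 'wp_ajax_myplugin_lookup', 'myplugin_handle_lookup' );
// Deliberately no wp_ajax_nopriv_ registration: logged-in users only.

function myplugin_handle_lookup() {
    global $wpdb;

    // 1. Nonce: verified unconditionally. check_ajax_referer() dies with a 403
    //    when the token is missing or invalid, so a request that simply omits
    //    the nonce field cannot fall through to the action.
    check_ajax_referer( 'myplugin_lookup', 'nonce' );

    // 2. Capability: a valid nonce only proves the request came from this site's
    //    own form or script; it says nothing about what the user is allowed to do.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $lookup_value = isset( $_POST['lookup_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['lookup_value'] ) )
        : '';

    // 3. SQL: user input is bound through a $wpdb->prepare() placeholder,
    //    never concatenated into the query string.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_value = %s",
            $lookup_value
        )
    );

    wp_send_json_success( $rows );
}

// The form that submits to this handler must carry the matching nonce;
// wp_nonce_field() prints the hidden 'nonce' input for the 'myplugin_lookup' action.
function myplugin_render_lookup_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_lookup">';
    wp_nonce_field( 'myplugin_lookup', 'nonce' );
    echo '<input type="text" name="lookup_value">';
    echo '<button type="submit">Look up</button>';
    echo '</form>';
}
```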