ruleset.xml
312 lines (301 loc) · 18.7 KB
<?xml version="1.0"?>
<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="WordPress VIP Go" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
<description>WordPress VIP Go Coding Standards</description>
<!-- The rules below are the differences between the original sniff or parent ruleset and what should be applied for this Standard. -->
<!-- Include the base VIP Minimum ruleset -->
<rule ref="WordPressVIPMinimum"/>
<!-- Things that may be incompatible with the VIP Go infrastructure and need a dev to review -->
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_delete">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_file_put_contents">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_flock">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fputcsv">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fputs">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fwrite">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_ftruncate">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_is_writable">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_is_writeable">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_link">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_rename">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_symlink">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_tempnam">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_touch">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_unlink">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.UserExperience.AdminBarRemoval.RemovalDetected">
<type>warning</type>
<severity>6</severity>
<message>Removal of admin bar is highly discouraged for user roles of "administrator" and "vip_support" -- if these roles are already excluded, this warning can be ignored.</message>
</rule>
<rule ref="WordPressVIPMinimum.UserExperience.AdminBarRemoval.HidingDetected">
<type>warning</type>
<severity>6</severity>
<message>Hiding of admin bar is highly discouraged for user roles of "administrator" and "vip_support" -- if these roles are already excluded, this warning can be ignored.</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.cookies_setcookie">
<type>error</type>
<severity>6</severity>
<message>Due to server-side caching, server-side based client related logic might not work. We recommend implementing client side logic in JavaScript instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE">
<type>error</type>
<severity>6</severity>
<message>Due to server-side caching, server-side based client related logic might not work. We recommend implementing client side logic in JavaScript instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__HTTP_USER_AGENT__">
<type>error</type>
<severity>6</severity>
<message>Due to server-side caching, server-side based client related logic might not work. We recommend implementing client side logic in JavaScript instead.</message>
</rule>
<!-- Things that really should be fixed, but don't necessarily have to be for the site to work.
This includes potential security holes as well as functions that may bring down sites for performance reasons.
-->
<!-- Should fix all of them but it doesn't need a manual review -->
<rule ref="WordPress.WP.AlternativeFunctions.file_system_read_fopen">
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPress.WP.AlternativeFunctions.file_system_read_fclose">
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://wpvip.com/documentation/vip-go/writing-files-on-vip-go/</message>
</rule>
<rule ref="WordPressVIPMinimum.Performance.FetchingRemoteData.FileGetContentsUnknown">
<type>warning</type>
<message>%s() is uncached. If the function is being used to fetch a remote file (e.g. a URL starting with https://), please use wpcom_vip_file_get_contents() to ensure the results are cached. For more details, please see https://wpvip.com/documentation/vip-go/fetching-remote-data/</message>
</rule>
<!-- Warnings and other things -->
<rule ref="WordPress.Security.NonceVerification.NoNonceVerification">
<!-- Needs a manual check -->
<type>warning</type>
<severity>10</severity>
</rule>
<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized">
<!-- Needs a manual check -->
<type>warning</type>
<severity>10</severity>
</rule>
<rule ref="WordPress.WP.PostsPerPage.posts_per_page_posts_per_page">
<message>Having more than 100 posts returned per page may lead to severe performance problems.</message>
</rule>
<rule ref="WordPressVIPMinimum.Hooks.RestrictedHooks.upload_mimes">
<severity>10</severity>
</rule>
<rule ref="WordPressVIPMinimum.Security.PHPFilterFunctions">
<severity>10</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.dbDelta_dbdelta">
<type>warning</type>
<severity>7</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail">
<severity>7</severity>
</rule>
<!-- VIP Uncached warnings -->
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.attachment_url_to_postid_attachment_url_to_postid">
<type>warning</type>
<message>%s() is uncached, please use wpcom_vip_attachment_url_to_postid() instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_adjacent_post">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_previous_post">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_previous_post_link">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_next_post">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_next_post_link">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_page_by_title_get_page_by_title">
<type>warning</type>
<message>%s() is uncached, please use wpcom_vip_get_page_by_title() instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_get_children">
<type>warning</type>
<severity>3</severity>
<message>%s() is uncached and performs a no limit query. Please use get_posts or WP_Query instead. More Info: https://wpvip.com/documentation/vip-go/uncached-functions/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_get_posts">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_wp_get_recent_posts">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.url_to_postid_url_to_postid">
<type>warning</type>
<message>%s() is uncached, please use wpcom_vip_url_to_postid() instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.wp_old_slug_redirect_wp_old_slug_redirect">
<type>warning</type>
</rule>
<!-- Miscellaneous sub-optimal things -->
<rule ref="Internal.LineEndings.Mixed">
<severity>1</severity>
</rule>
<rule ref="WordPress.CodeAnalysis.AssignmentInCondition.Found">
<severity>1</severity>
</rule>
<rule ref="WordPress.PHP.DiscouragedPHPFunctions.urlencode_urlencode">
<severity>3</severity>
</rule>
<rule ref="WordPress.PHP.DontExtract">
<severity>3</severity>
</rule>
<rule ref="WordPress.PHP.StrictComparisons.LooseComparison">
<severity>3</severity>
</rule>
<rule ref="WordPress.PHP.StrictInArray.MissingTrueStrict">
<severity>3</severity>
</rule>
<rule ref="WordPress.Security.EscapeOutput.UnsafePrintingFunction">
<!-- We trust that translations are safe on VIP Go -->
<severity>1</severity>
</rule>
<rule ref="WordPress.WP.GlobalVariablesOverride.OverrideProhibited">
<!-- This is often a false positive. Still nice to flag for a check -->
<severity>3</severity>
</rule>
<rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedScript">
<type>warning</type>
<severity>3</severity>
<message>Scripts should be registered/enqueued via `wp_enqueue_script`. This can improve the site's performance due to script concatenation.</message>
</rule>
<rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet">
<type>warning</type>
<severity>3</severity>
<message>Stylesheets should be registered/enqueued via `wp_enqueue_style`. This can improve the site's performance due to styles concatenation.</message>
</rule>
<rule ref="WordPressVIPMinimum.Performance.LowExpiryCacheTime.LowCacheTime">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Files.IncludingFile">
<type>warning</type>
<severity>3</severity>
</rule>
<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis.UndefinedVariable">
<severity>3</severity>
</rule>
<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable">
<severity>1</severity>
</rule>
<rule ref="WordPressVIPMinimum.UserExperience.AdminBarRemoval">
<severity>3</severity>
</rule>
<rule ref="Generic.PHP.NoSilencedErrors">
<severity>1</severity>
</rule>
<rule ref="WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML">
<!-- This is still safe, just sub-optimal -->
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.is_multi_author_is_multi_author">
<severity>1</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.switch_to_blog_switch_to_blog">
<type>warning</type>
<severity>3</severity>
<message>Switch to blog may not work as expected since it only changes the database context for the blog and does not load the plugins or theme of that site. This means that filters or hooks that the blog you are switching to uses will not run.</message>
</rule>
<rule ref="WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn">
<severity>3</severity>
</rule>
<!-- Silence is golden, these don't affect us on VIP Go -->
<rule ref="WordPress.DB.SlowDBQuery.slow_db_query_meta_key">
<!-- We are silencing this one because VIP Go has a combined index on meta_key, meta_value -->
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Performance.BatcacheWhitelistedParams">
<!-- We are silencing this one because VIP Go does not use Batcache -->
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.user_meta_add_user_meta">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.user_meta_delete_user_meta">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.user_meta_get_user_meta">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.user_meta_update_user_meta">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Variables.RestrictedVariables.user_meta__wpdb__usermeta">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.site_option_delete_site_option">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.site_option_update_site_option">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.site_option_add_site_option">
<severity>0</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_super_admins_get_super_admins">
<severity>0</severity>
</rule>
<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
<severity>0</severity>
</rule>
</ruleset>
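A point worth checking when reviewing a ruleset like the one above: PHP_CodeSniffer only reports messages whose severity is at or above its threshold (5 by default, lowered with `--severity=N`), and a `<severity>0</severity>` override disables a sniff outright. That means several security-relevant overrides here (for example `LooseComparison`, `IncludingFile` and `htmlAttrNotByEscHTML` at severity 3) are invisible in a default `phpcs` run. The script below is an added example, not part of the VIP Go ruleset or its repository: it parses a ruleset with the standard library, collects each `<rule>` override, and reports which sniffs are silenced, which are hidden at a given threshold, and which are downgraded from error to warning. `SAMPLE_RULESET` is a constructed excerpt that copies the structure of a handful of the rules above; `DEFAULT_SEVERITY` reflects phpcs's documented default threshold.

```python
"""Audit the effect of severity/type overrides in a PHPCS ruleset.xml.

Added example (not code from the VIP Go ruleset project). It answers the
review question: "which sniffs does this ruleset silence, hide below the
reporting threshold, or downgrade to a warning?"
"""
import sys
import xml.etree.ElementTree as ET

# phpcs reports messages with severity >= 5 unless run with --severity=N.
DEFAULT_SEVERITY = 5

# Constructed excerpt: a subset of the <rule> overrides from the ruleset above,
# embedded so the script runs offline. Pass a real ruleset path on the command
# line to audit that file instead.
SAMPLE_RULESET = """<?xml version="1.0"?>
<ruleset name="example">
  <rule ref="WordPressVIPMinimum"/>
  <rule ref="WordPress.Security.NonceVerification.NoNonceVerification">
    <type>warning</type>
    <severity>10</severity>
  </rule>
  <rule ref="WordPress.PHP.StrictComparisons.LooseComparison">
    <severity>3</severity>
  </rule>
  <rule ref="WordPressVIPMinimum.Files.IncludingFile">
    <type>warning</type>
    <severity>3</severity>
  </rule>
  <rule ref="WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML">
    <severity>3</severity>
  </rule>
  <rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.user_meta_get_user_meta">
    <severity>0</severity>
  </rule>
</ruleset>
"""


def parse_overrides(xml_text):
    """Return {sniff_ref: {"type": str, "severity": int}} for every <rule>
    that overrides the sniff's type or severity. Bare includes such as
    <rule ref="WordPressVIPMinimum"/> carry no override and are skipped."""
    root = ET.fromstring(xml_text)
    overrides = {}
    for rule in root.findall("rule"):
        entry = {}
        type_el = rule.find("type")
        if type_el is not None and type_el.text:
            entry["type"] = type_el.text.strip()
        sev_el = rule.find("severity")
        if sev_el is not None and sev_el.text:
            entry["severity"] = int(sev_el.text.strip())
        if entry:
            overrides[rule.get("ref")] = entry
    return overrides


def classify(overrides, threshold=DEFAULT_SEVERITY):
    """Bucket overrides by their practical effect at the given phpcs threshold."""
    silenced = sorted(r for r, o in overrides.items() if o.get("severity") == 0)
    hidden = sorted(r for r, o in overrides.items()
                    if "severity" in o and 0 < o["severity"] < threshold)
    downgraded = sorted(r for r, o in overrides.items() if o.get("type") == "warning")
    return {"silenced": silenced,
            "hidden_at_threshold": hidden,
            "downgraded_to_warning": downgraded}


def security_sniffs_not_reported(overrides, threshold=DEFAULT_SEVERITY):
    """Sniffs from a *.Security.* category that a default run would not show."""
    buckets = classify(overrides, threshold)
    quiet = set(buckets["silenced"]) | set(buckets["hidden_at_threshold"])
    return sorted(r for r in quiet if ".Security." in r)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    ov = parse_overrides(text)
    for bucket, refs in classify(ov).items():
        print(f"{bucket}:")
        for ref in refs:
            print(f"  {ref}")
    print("security sniffs not reported at default severity:",
          security_sniffs_not_reported(ov))
```

Run it against the real file (`python audit_ruleset.py ruleset.xml`) to see the full list; to surface the hidden sniffs in CI, run `phpcs --severity=1` or raise the overridden severities in a project-level ruleset that includes this one.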