<?xml version="1.0"?>
<!-- PHPCS ruleset for the WordPress-VIP-Go standard. It layers type/severity/message overrides on top of the WordPressVIPMinimum base ruleset; anything not mentioned here keeps the base ruleset's defaults. -->
<!-- The schema location below is a hint for editors/validators only. It points at the unpinned `master` branch of the PHP_CodeSniffer repository, so treat it as a hint, not as a trusted fetch target. -->
<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="WordPress-VIP-Go" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/PHPCSStandards/PHP_CodeSniffer/master/phpcs.xsd">
<description>WordPress VIP Go Coding Standards</description>
<!-- The rules below are the changes relative to the original sniff or parent ruleset, i.e. what should be applied for this standard. -->
<!-- Include the base VIP Minimum ruleset; every override below refines one of its sniff codes. -->
<rule ref="WordPressVIPMinimum"/>
<!-- Things that may be incompatible with the VIP Go infrastructure and need a developer to review. -->
<!-- Each file-system function has its own sniff code, so the same message is attached to every `file_ops_*` ref below. All are downgraded to warnings at severity 6 (above the default threshold of 5) so they still show up in a normal run. -->
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_file_put_contents">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_flock">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fputcsv">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fputs">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fwrite">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_ftruncate">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_is_writable">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_is_writeable">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_link">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_rename">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_symlink">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_tempnam">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_touch">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_unlink">
<type>warning</type>
<severity>6</severity>
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<!-- Admin bar removal/hiding: warning-level because it is only a problem for the roles named in the message. The sniff-level default for this sniff is set further down. -->
<rule ref="WordPressVIPMinimum.UserExperience.AdminBarRemoval.RemovalDetected">
<type>warning</type>
<severity>6</severity>
<message>Removal of admin bar is highly discouraged for user roles of "administrator" and "vip_support" -- if these roles are already excluded, this warning can be ignored.</message>
</rule>
<rule ref="WordPressVIPMinimum.UserExperience.AdminBarRemoval.HidingDetected">
<type>warning</type>
<severity>6</severity>
<message>Hiding of admin bar is highly discouraged for user roles of "administrator" and "vip_support" -- if these roles are already excluded, this warning can be ignored.</message>
</rule>
<!-- Cookie and request-header usage. The `cache_constraints_*` codes presumably relate to page caching (the code names say so; the base sniff defines the details). setcookie() keeps the type it inherits from the base ruleset and only gets its severity raised; reads of $_COOKIE and HTTP_USER_AGENT are promoted to errors. -->
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.cookies_setcookie">
<severity>6</severity>
</rule>
<rule ref="WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE">
<type>error</type>
<severity>6</severity>
</rule>
<rule ref="WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__HTTP_USER_AGENT__">
<type>error</type>
<severity>6</severity>
</rule>
<!-- Things that really should be fixed, but don't necessarily have to be for the site to work.
This includes potential security holes as well as functions that may bring down sites for performance reasons.
-->
<!-- Should fix all of them, but they don't need a manual review. Only the message is customised here; type and severity are inherited. -->
<rule ref="WordPress.WP.AlternativeFunctions.file_system_operations_fopen">
<message>File system operations only work on the `/tmp/` and `wp-content/uploads/` directories. To avoid unexpected results, please use helper functions like `get_temp_dir()` or `wp_get_upload_dir()` to get the proper directory path when using functions such as %s(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/</message>
</rule>
<rule ref="WordPressVIPMinimum.Performance.FetchingRemoteData.FileGetContentsUnknown">
<message>%s() is uncached. If the function is being used to fetch a remote file (e.g. a URL starting with https://), please use wpcom_vip_file_get_contents() to ensure the results are cached. For more details, please see: https://docs.wpvip.com/technical-references/code-quality-and-best-practices/retrieving-remote-data/</message>
</rule>
<!-- Warnings and other things -->
<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized">
<!-- Needs a manual check -->
<!-- Downgraded to a warning but kept at the maximum severity (10) so unsanitized-input findings are never dropped by a --severity threshold. NOTE(review): as a warning it only stays visible if the CI configuration does not ignore warnings - confirm. -->
<type>warning</type>
<severity>10</severity>
</rule>
<rule ref="WordPress.WP.PostsPerPage.posts_per_page_posts_per_page">
<message>Having more than 100 posts returned per page may lead to severe performance problems.</message>
</rule>
<!-- Security-relevant sniffs pinned to the maximum severity (10) so they are never filtered out; type is inherited from the base ruleset. -->
<rule ref="WordPressVIPMinimum.Hooks.RestrictedHooks.upload_mimes">
<severity>10</severity>
</rule>
<rule ref="WordPressVIPMinimum.Security.PHPFilterFunctions">
<severity>10</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail">
<severity>7</severity>
</rule>
<!-- VIP Uncached warnings: functions that bypass the object cache. Where no message is given, the base ruleset's message is kept. -->
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.attachment_url_to_postid_attachment_url_to_postid">
<type>warning</type>
<message>%s() is uncached, please use wpcom_vip_attachment_url_to_postid() instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_adjacent_post">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_previous_post">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_previous_post_link">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_next_post">
<type>warning</type>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_adjacent_post_get_next_post_link">
<type>warning</type>
</rule>
<!-- Severity 3 is below the default threshold of 5, so the get_posts family is only reported when a lower --severity is requested. -->
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_get_children">
<type>warning</type>
<severity>3</severity>
<message>%s() is uncached and performs a no limit query. Please use get_posts or WP_Query instead. Please see: https://docs.wpvip.com/technical-references/caching/uncached-functions/</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_get_posts">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_wp_get_recent_posts">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.url_to_postid_url_to_postid">
<type>warning</type>
<message>%s() is uncached, please use wpcom_vip_url_to_postid() instead.</message>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.wp_old_slug_redirect_wp_old_slug_redirect">
<type>warning</type>
</rule>
<!-- Miscellaneous sub-optimal things. Severities 1-3 sit below the default threshold of 5 and therefore only appear on request. -->
<rule ref="Internal.LineEndings.Mixed">
<severity>1</severity>
</rule>
<rule ref="Generic.CodeAnalysis.AssignmentInCondition">
<severity>1</severity>
</rule>
<rule ref="WordPress.CodeAnalysis.AssignmentInTernaryCondition.FoundInTernaryCondition">
<severity>1</severity>
</rule>
<rule ref="WordPress.PHP.DiscouragedPHPFunctions.urlencode_urlencode">
<severity>3</severity>
</rule>
<rule ref="WordPress.PHP.DontExtract">
<severity>3</severity>
</rule>
<rule ref="Universal.Operators.StrictComparisons">
<severity>3</severity>
</rule>
<rule ref="WordPress.PHP.StrictInArray.MissingTrueStrict">
<severity>3</severity>
</rule>
<rule ref="WordPress.Security.EscapeOutput.UnsafePrintingFunction">
<!-- We trust that translations are safe on VIP Go -->
<!-- NOTE(review): this lowers an output-escaping check to severity 1. The assumption only holds while translation strings cannot be supplied by an untrusted party - confirm that this is guaranteed for the sites using this standard. -->
<severity>1</severity>
</rule>
<rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedScript">
<type>warning</type>
<severity>3</severity>
<message>Scripts should be registered/enqueued via `wp_enqueue_script`. This can improve the site's performance due to script concatenation.</message>
</rule>
<rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet">
<type>warning</type>
<severity>3</severity>
<message>Stylesheets should be registered/enqueued via `wp_enqueue_style`. This can improve the site's performance due to styles concatenation.</message>
</rule>
<rule ref="WordPressVIPMinimum.Performance.LowExpiryCacheTime.LowCacheTime">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Files.IncludingFile">
<type>warning</type>
<severity>3</severity>
</rule>
<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis.UndefinedVariable">
<severity>3</severity>
</rule>
<!-- Sniff-level default for AdminBarRemoval. The RemovalDetected and HidingDetected codes above carry their own severity (6), which is the more specific match; presumably this only affects any other codes of that sniff - confirm there are any. -->
<rule ref="WordPressVIPMinimum.UserExperience.AdminBarRemoval">
<severity>3</severity>
</rule>
<rule ref="Generic.PHP.NoSilencedErrors">
<severity>1</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.is_multi_author_is_multi_author">
<severity>1</severity>
</rule>
<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.switch_to_blog_switch_to_blog">
<severity>3</severity>
</rule>
<rule ref="WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn">
<severity>3</severity>
</rule>
<!-- Silence is golden, these don't affect us on VIP Go. Severity 0 disables the sniff code entirely. -->
<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable">
<severity>0</severity>
</rule>
<rule ref="WordPress.DB.SlowDBQuery.slow_db_query_meta_key">
<!-- We are silencing this one because VIP Go has a combined index on meta_key, meta_value -->
<severity>0</severity>
</rule>
<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
<severity>0</severity>
</rule>
<rule ref="WordPress.WP.AlternativeFunctions.file_system_operations_readfile">
<severity>0</severity>
</rule>
<rule ref="WordPress.WP.AlternativeFunctions.file_system_operations_fclose">
<severity>0</severity>
</rule>
<rule ref="WordPress.Security.EscapeOutput.ExceptionNotEscaped">
<!-- NOTE(review): this silences an output-escaping check and, unlike the meta_key rule above, no rationale is recorded; confirm the exemption is intentional and document why. -->
<severity>0</severity>
</rule>
</ruleset>