Allow Windows Paths with validate_file()

[srtfisher]

Fixes #487

Summary by CodeRabbit

• New Features

  • Enhanced file validation capabilities to improve security and file handling.

• Documentation

  • Added deprecation notice for the general helpers file, encouraging use of package-specific helpers.

• Refactor

  • Standard WordPress naming conventions and commenting standards have been disabled to align with internal code standards.

• Chores

  • Several files with no semantic changes have been updated for codebase consistency.

[coderabbitai]

Warning

Rate Limit Exceeded

@srtfisher has exceeded the limit for the number of files or commits that can be reviewed per hour. Please wait 13 minutes and 31 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.
Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.
Please see our FAQ for further information.

Commits

Files that changed from the base of the PR and between 73b3b4d and 1535fb9.

Walkthrough

The updates primarily involve the addition of the validate_file function from the Mantle\Support\Helpers namespace to various asset and view engine classes. Additionally, there's a deprecation notice in the helpers file, indicating a shift towards package-specific helpers and a deviation from some WordPress standards. The validate_file function itself has been enhanced with new parameters and validation rules, and it now checks for the existence of a core function before proceeding.

Changes

File(s)	Change Summary
.../class-asset-loader.php .../class-asset-service-provider.php .../class-file-engine.php .../class-php-engine.php	Added the validate_file function from the Mantle\Support\Helpers namespace.
.../model/concerns/ .../model/registration/ .../query/ .../http/ .../scheduling/ .../support/class-arr.php .../testing/concerns/	No semantic changes.
.../framework/helpers.php	Deprecated the entire file, disabled some WordPress standards.
.../support/helpers/helpers-general.php	Updated the validate_file function with a new parameter and additional validation rules; added a proxy call to the core function if available.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on X ?

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• You can reply to a review comment made by CodeRabbit.
• You can tag CodeRabbit on specific lines of code or files in the PR by tagging @coderabbitai in a comment.
• You can tag @coderabbitai in a PR comment and ask one-off questions about the PR and the codebase. Use quoted replies to pass the context for follow-up questions.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

[coderabbitai]

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 1339b4e and 73b3b4d.

Files selected for processing (20)

• src/mantle/assets/class-asset-loader.php (1 hunks)
• src/mantle/assets/class-asset-service-provider.php (1 hunks)
• src/mantle/database/model/concerns/trait-has-events.php (1 hunks)
• src/mantle/database/model/concerns/trait-has-global-scopes.php (1 hunks)
• src/mantle/database/model/registration/trait-register-meta.php (1 hunks)
• src/mantle/database/model/registration/trait-register-rest-fields.php (1 hunks)
• src/mantle/database/query/class-post-query-builder.php (1 hunks)
• src/mantle/framework/helpers.php (1 hunks)
• src/mantle/http/class-request.php (1 hunks)
• src/mantle/http/class-uploaded-file.php (1 hunks)
• src/mantle/http/view/class-view-finder.php (1 hunks)
• src/mantle/http/view/class-view.php (1 hunks)
• src/mantle/scheduling/class-event.php (1 hunks)
• src/mantle/scheduling/class-schedule.php (1 hunks)
• src/mantle/scheduling/trait-manages-frequencies.php (1 hunks)
• src/mantle/support/class-arr.php (1 hunks)
• src/mantle/support/helpers/helpers-general.php (1 hunks)
• src/mantle/testing/concerns/trait-interacts-with-cron.php (1 hunks)
• src/mantle/view/engines/class-file-engine.php (1 hunks)
• src/mantle/view/engines/class-php-engine.php (1 hunks)

Files skipped from review due to trivial changes (15)

• src/mantle/database/model/concerns/trait-has-events.php
• src/mantle/database/model/concerns/trait-has-global-scopes.php
• src/mantle/database/model/registration/trait-register-meta.php
• src/mantle/database/model/registration/trait-register-rest-fields.php
• src/mantle/database/query/class-post-query-builder.php
• src/mantle/framework/helpers.php
• src/mantle/http/class-request.php
• src/mantle/http/class-uploaded-file.php
• src/mantle/http/view/class-view-finder.php
• src/mantle/http/view/class-view.php
• src/mantle/scheduling/class-event.php
• src/mantle/scheduling/class-schedule.php
• src/mantle/scheduling/trait-manages-frequencies.php
• src/mantle/support/class-arr.php
• src/mantle/testing/concerns/trait-interacts-with-cron.php

Additional comments: 8

src/mantle/assets/class-asset-loader.php (4)

• 16-16: The import of validate_file from Mantle\Support\Helpers is correctly added to support enhanced file validation as per the PR objectives.

• 16-16: Verify that the validate_file function is correctly updated to handle Windows paths as intended in the PR objectives.

• 16-16: Confirm that the comparison of validate_file return value to 0 aligns with the new validation rules and the intended enhancements.

• 16-16: Consider whether the new $allowed_files parameter should be utilized in the validate_file function call within this file, or if it's intended for use elsewhere.

src/mantle/assets/class-asset-service-provider.php (2)

• 12-12: The import of validate_file from Mantle\Support\Helpers is consistent with the PR's objective to enhance file validation.

• 9-16: > Note: This review was outside the patches, and no patch overlapping with it was found. Original lines [29-31]

The integration of validate_file in the load_blocks method appears correct, assuming a return value of 0 from validate_file indicates the file is valid.

src/mantle/view/engines/class-file-engine.php (1)

• 12-13: The import of validate_file from Mantle\Support\Helpers is correctly added to use the updated function within this file.

src/mantle/view/engines/class-php-engine.php (1)

• 13-17: The import of validate_file from Mantle\Support\Helpers is correctly added to use the updated validation logic within the PHP engine.

[coderabbitai]

The updated validate_file function includes a new parameter $allowed_files and additional validation logic. It is important to ensure that the changes do not introduce security vulnerabilities, especially with the handling of Windows drive paths and directory traversal. The proxying to the core validate_file function should also be verified for correctness and security.

• The check for directory traversal using ../ seems to be thorough, but it may be worth considering edge cases or encoding variations that could bypass these checks.
• The proxy call to the core validate_file function uses in_array to check the return value. Ensure that the core function's return values are compatible with this check and that no edge cases are missed.
• The function now explicitly allows absolute Windows drive paths. Confirm that this does not introduce any security risks, such as allowing access to critical system files or directories.

[coderabbitai]

The validate_file function is called twice in a row with the same argument. This seems redundant and may be a mistake. Consider calling it once and storing the result in a variable or directly using the result in the if condition.

- if ( 0 === validate_file( $path ) && 0 === validate_file( $path ) ) {
+ if ( 0 === validate_file( $path ) ) {

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	use Mantle\Contracts\View\Engine;
	use function Mantle\Support\Helpers\validate_file;
	/**
	* File Engine to load raw view files.
	*/

[coderabbitai]

The validate_file function is called twice in succession with the same argument. If this is intentional, consider adding a comment to clarify the reason. If it's a mistake, remove the redundant call.

- if ( 0 === validate_file( $path ) && 0 === validate_file( $path ) ) {
+ if ( 0 === validate_file( $path ) ) {

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	/**
	if ( 0 === validate_file( $path ) ) {

[coderabbitai]

Ensure that the validate_file function usage includes checks against a list of allowed files or directories to prevent potential security issues.

[kevinfodness]

A few suggestions, otherwise 🍣