Enabling linter/liccheck/test in CI

.github/workflows/liccheck.yml

@@ -0,0 +1,22 @@
+name: "license-check"
+on:
+  push:
+    branches: [ '**' ]
+
+jobs:
+  license-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt liccheck==0.9.2
+      - name: Run liccheck
+        run: liccheck

.github/workflows/lint.yml

@@ -0,0 +1,22 @@
+name: "lint"
+on:
+  push:
+    branches: [ '**' ]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pre-commit==3.5.0
+      - name: Run pre-commit
+        run: pre-commit run --all-files

.gitignore

@@ -1,4 +1,4 @@
 __pycache__
 *.swp
 venv/
-data/plugin_fuzz_results/scanned/
+data/plugin_fuzz_results/scanned/

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace
+- repo: https://github.com/psf/black
+  rev: 23.7.0
+  hooks:
+  - id: black
+- repo: https://github.com/pycqa/isort
+  rev: 5.12.0
+  hooks:
+  - id: isort
+    name: isort (python)
+- repo: https://github.com/PyCQA/flake8
+  rev: 6.1.0
+  hooks:
+  - id: flake8
+    args: [.]

README.md

@@ -131,10 +131,19 @@ Warning: the tests take long (more than an hour) and because they check whether
 would find vulnerabilities, they fail with some probability.
 
 ### Reformatting code and running linters
-To reformat and check the code, use:
+wpgarlic uses `pre-commit` to run linters and format the code.
+`pre-commit` is executed on CI to verify that the code is formatted properly.
+
+To run it locally, use:
+
+```
+pre-commit run --all-files
+```
+
+To setup `pre-commit` so that it runs before each commit, use:
 
 ```
-./bin/reformat
+pre-commit install
 ```
 
 ## Manual testing environment

docker-compose.manual-testing.yml

@@ -1,5 +1,5 @@
 version: "3.9"
-    
+
 services:
   wordpress2:
     container_name: wordpress2

docker-compose.yml

@@ -1,5 +1,5 @@
 version: "3.9"
-    
+
 services:
   db1:
     image: mysql:5.7
@@ -35,4 +35,3 @@ networks:
     internal: true
   network2:
     internal: false
-

docker_image/apache_config/000-default.conf

@@ -5,4 +5,3 @@
         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
 </VirtualHost>
-

docker_image/download_admin.sh

@@ -17,4 +17,3 @@ timeout 240 wget \
     --domains=127.0.0.1 \
     --reject-regex='.*(customize.php|theme-editor.php|plugins.php|update.php|/js/|plugin-install.php|plugin-editor.php|site-health.php).*' \
     http://127.0.0.1:8001/wp-admin/
-

docker_image/fuzz/fuzz_actions.py

@@ -46,8 +46,6 @@
         prefix = ""
 
     object_name = action + (" (admin)" if become_admin else "")
-    command_results += fuzz_command(
-        f"{prefix}php /fuzzer/execute/{cmd}.php '{action}'", payload_id, object_name
-    )
+    command_results += fuzz_command(f"{prefix}php /fuzzer/execute/{cmd}.php '{action}'", payload_id, object_name)
 
 print(json.dumps(command_results))

docker_image/fuzz/utils.py

@@ -33,10 +33,7 @@ def fuzz_command(
 ) -> typing.List[typing.Dict]:
     command_results = []
     for intercept_prob in VARIABLE_INTERCEPT_PROBABILITIES:
-        cmd_prefixed = (
-            f"export INTERCEPT_PROB={intercept_prob}; export PAYLOAD_ID={payload_id.strip()}; "
-            + cmd
-        )
+        cmd_prefixed = f"export INTERCEPT_PROB={intercept_prob}; export PAYLOAD_ID={payload_id.strip()}; " + cmd
         cmd_wrapped = ["bash", "-c", cmd_prefixed]
 
         try:

docker_image/get_fuzzable_entrypoints/get_menu_actions_to_fuzz.php

@@ -15,4 +15,3 @@
 foreach($_registered_pages as $key => $value) {
     echo "MENU: " . $key . "\n";
 }
-

docker_image/just_visit_admin_homepage.sh

@@ -8,4 +8,3 @@ curl 'http://127.0.0.1:8001/wp-login.php' \
 sed -i -e "s/^#HttpOnly_//" /tmp/cookies.jar
 
 wget --load-cookies=/tmp/cookies.jar --keep-session-cookies http://127.0.0.1:8001/wp-admin/
-

docker_image/magic_payloads.php

@@ -93,7 +93,7 @@ function getAndSaveForFurtherGets($key) {
                 'GET', 'GET', 'GET',
                 'POST', 'POST', 'POST',
                 'PUT', 'DELETE', 'OPTIONS'];
-            
+
             $method = $methods[array_rand($methods)];
 
             $this->parameters[$key] = $method;

docker_image/php_source_patch.patch

@@ -4,15 +4,15 @@ index 96169d9a27..20c05f455e 100644
 +++ b/Zend/zend_string.h
 @@ -20,6 +20,8 @@
  #define ZEND_STRING_H
- 
+
  #include "zend.h"
 +#include <unistd.h>
 +#include <time.h>
- 
+
  BEGIN_EXTERN_C()
- 
+
 @@ -311,7 +313,43 @@ static zend_always_inline zend_bool zend_string_equal_val(zend_string *s1, zend_
- 
+
  static zend_always_inline zend_bool zend_string_equal_content(zend_string *s1, zend_string *s2)
  {
 -	return ZSTR_LEN(s1) == ZSTR_LEN(s2) && zend_string_equal_val(s1, s2);
@@ -54,21 +54,21 @@ index 96169d9a27..20c05f455e 100644
 +
 +	return 0;
  }
- 
+
  static zend_always_inline zend_bool zend_string_equals(zend_string *s1, zend_string *s2)
 diff --git a/ext/json/json.c b/ext/json/json.c
 index 8474642266..b7fd3a13d5 100644
 --- a/ext/json/json.c
 +++ b/ext/json/json.c
 @@ -33,7 +33,7 @@
- 
+
  static PHP_MINFO_FUNCTION(json);
  static PHP_FUNCTION(json_encode);
 -static PHP_FUNCTION(json_decode);
 +static PHP_FUNCTION(real_json_decode);
  static PHP_FUNCTION(json_last_error);
  static PHP_FUNCTION(json_last_error_msg);
- 
+
 @@ -66,7 +66,7 @@ ZEND_END_ARG_INFO()
  /* {{{ json_functions[] */
  static const zend_function_entry json_functions[] = {
@@ -79,7 +79,7 @@ index 8474642266..b7fd3a13d5 100644
  	PHP_FE(json_last_error_msg, arginfo_json_last_error_msg)
  	PHP_FE_END
 @@ -308,7 +308,7 @@ static PHP_FUNCTION(json_encode)
- 
+
  /* {{{ proto mixed json_decode(string json [, bool assoc [, int depth]])
     Decodes the JSON representation into a PHP value */
 -static PHP_FUNCTION(json_decode)
@@ -92,7 +92,7 @@ index 0dd4045887..e3820c2ec4 100644
 --- a/ext/standard/base64.c
 +++ b/ext/standard/base64.c
 @@ -943,7 +943,7 @@ PHP_FUNCTION(base64_encode)
- 
+
  /* {{{ proto string base64_decode(string str[, bool strict])
     Decodes string using MIME base64 algorithm */
 -PHP_FUNCTION(base64_decode)
@@ -107,11 +107,11 @@ index faf245c5d9..f9ba87a077 100644
 @@ -59,7 +59,7 @@
   * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
- 
+
 -PHP_FUNCTION(base64_decode);
 +PHP_FUNCTION(real_base64_decode);
  PHP_FUNCTION(base64_encode);
- 
+
  #if (ZEND_INTRIN_AVX2_FUNC_PTR || ZEND_INTRIN_SSSE3_FUNC_PTR) && !ZEND_INTRIN_AVX2_NATIVE
 diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
 index 64f27ef5af..b13a7d43e0 100644
@@ -120,11 +120,11 @@ index 64f27ef5af..b13a7d43e0 100644
 @@ -2917,7 +2917,7 @@ static const zend_function_entry basic_functions[] = { /* {{{ */
  	PHP_FE(getmyinode,														arginfo_getmyinode)
  	PHP_FE(getlastmod,														arginfo_getlastmod)
- 
+
 -	PHP_FE(base64_decode,													arginfo_base64_decode)
 +	PHP_FE(real_base64_decode,													arginfo_base64_decode)
  	PHP_FE(base64_encode,													arginfo_base64_encode)
- 
+
  	PHP_FE(password_hash,													arginfo_password_hash)
 diff --git a/ext/standard/php_fopen_wrapper.c b/ext/standard/php_fopen_wrapper.c
 index 295751f0db..14112eab7c 100644
@@ -133,7 +133,7 @@ index 295751f0db..14112eab7c 100644
 @@ -216,34 +216,7 @@ php_stream * php_stream_url_wrap_php(php_stream_wrapper *wrapper, const char *pa
  		return php_stream_alloc(&php_stream_output_ops, NULL, 0, "wb");
  	}
- 
+
 -	if (!strcasecmp(path, "input")) {
 -		php_stream_input_t *input;
 -
@@ -171,7 +171,7 @@ index a5a68f8c68..be4a94183b 100644
 --- a/main/SAPI.c
 +++ b/main/SAPI.c
 @@ -652,6 +652,19 @@ static void sapi_header_add_op(sapi_header_op_enum op, sapi_header_struct *sapi_
- 
+
  SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg)
  {
 +	if (op ==  SAPI_HEADER_ADD || op == SAPI_HEADER_REPLACE) {

docker_image/user.php

@@ -5,4 +5,3 @@ function __construct($id) {
 		$this->ID = $id;
 	}
 }
-

docker_image/wordpress_patches/formatting.php.patch

@@ -5,21 +5,21 @@
   */
  function esc_url( $url, $protocols = null, $_context = 'display' ) {
  	$original_url = $url;
- 
+
 -	if ( '' === $url ) {
 +	/* We use strcmp instead of ===, therefore the wpgarlic mocked equality won't be used */
 +	if (!strcmp('', $url)) {
  		return $url;
  	}
- 
+
  	$url = str_replace( ' ', '%20', ltrim( $url ) );
  	$url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url );
- 
+
 -	if ( '' === $url ) {
 +	/* We use strcmp instead of ===, therefore the wpgarlic mocked equality won't be used */
 +	if (!strcmp('', $url)) {
  		return $url;
  	}
- 
+
  	if ( 0 !== stripos( $url, 'mailto:' ) ) {
  		$strip = array( '%0d', '%0a', '%0D', '%0A' );

docker_image/wordpress_patches/wp-load.php.patch

@@ -2,15 +2,14 @@
 +++ wp-load.php	2023-10-02 09:54:30.062521986 +0000
 @@ -64,13 +64,10 @@
  	require_once ABSPATH . WPINC . '/load.php';
- 
+
  	// Check for the required PHP version and for the MySQL extension or a database drop-in.
  	wp_check_php_mysql_versions();
- 
+
 -	// Standardize $_SERVER variables across setups.
 -	wp_fix_server_vars();
 -
  	define( 'WP_CONTENT_DIR', ABSPATH . 'wp-content' );
  	require_once ABSPATH . WPINC . '/functions.php';
- 
+
  	$path = wp_guess_url() . '/wp-admin/setup-config.php';
-

docker_image/wordpress_patches/wp-settings.php.patch

@@ -2,10 +2,10 @@
 +++ wp-settings.php	2023-10-02 09:45:51.443209232 +0000
 @@ -495,13 +492,10 @@
  do_action( 'plugins_loaded' );
- 
+
  // Define constants which affect functionality if not already defined.
  wp_functionality_constants();
- 
+
 -// Add magic quotes and set up $_REQUEST ( $_GET + $_POST ).
 -wp_magic_quotes();
 -