Add --include-root parameter to also verify root directory (#102)

paulschreiber · danielbachhuber · web-flow · commit 1a44dfbd3f96 · 2023-03-24T13:57:16.000-07:00
* Add --include-root parameter

Allows warning for unexpected files in ABSPATH.

* Add test for --include-root parameter

* when --allow-root is set, do not warn about wp-config.php and wp-contents/plugins/*

* PHPCS: align equals signs

* Update src/Checksum_Core_Command.php

Co-authored-by: Daniel Bachhuber &lt;daniel@bachhuber.co&gt;

* when --include-root is enabled, skip entire wp-content directory from extra file checks

* add private $include_root variable

* update help text to indicate it looks for files and folders

* Add test for wp-cli.yml

* Update features/checksum-core.feature

Co-authored-by: Daniel Bachhuber &lt;daniel@bachhuber.co&gt;

* Fix Scenario indentation

* Add more tests to clarify expected behavior

* Remove extraneous helper

* Clean up `wp-cli.yml` scenario

* Rebuild README with new flag

* Avoid random test failures when the order changes

* Remove extraneous argument

* Fix these assertions

---------

Co-authored-by: Daniel Bachhuber &lt;daniel@bachhuber.co&gt;
Co-authored-by: Daniel Bachhuber &lt;daniel.bachhuber@automattic.com&gt;
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ This package implements the following commands:
 Verifies WordPress files against WordPress.org's checksums.
 
 ~~~
-wp core verify-checksums [--version=<version>] [--locale=<locale>] [--insecure]
+wp core verify-checksums [--include-root] [--version=<version>] [--locale=<locale>] [--insecure]
 ~~~
 
 Downloads md5 checksums for the current version from WordPress.org, and
@@ -31,6 +31,9 @@ site.
 
 **OPTIONS**
 
+	[--include-root]
+		Verify all files and folders in the root directory, and warn if any non-WordPress items are found.
+
 	[--version=<version>]
 		Verify checksums against a specific version of WordPress.
 
diff --git a/features/checksum-core.feature b/features/checksum-core.feature
@@ -33,6 +33,37 @@ Feature: Validate checksums for WordPress install
       Warning: File doesn't exist: readme.html
       Error: WordPress installation doesn't verify against checksums.
       """
+    And the return code should be 1
+
+  Scenario: Core checksums don't verify because wp-cli.yml is present
+    Given a WP install
+    And a wp-cli.yml file:
+      """
+      plugin install:
+        - user-switching
+      """
+
+    When I try `wp core verify-checksums`
+    Then STDERR should be:
+      """
+      Warning: File should not exist: wp-cli.yml
+      """
+    And STDOUT should be:
+      """
+      Success: WordPress installation verifies against checksums.
+      """
+    And the return code should be 0
+
+    When I run `rm wp-cli.yml`
+    Then STDERR should be empty
+
+    When I run `wp core verify-checksums`
+    Then STDERR should be empty
+    And STDOUT should be:
+      """
+      Success: WordPress installation verifies against checksums.
+      """
+    And the return code should be 0
 
   Scenario: Verify core checksums without loading WordPress
     Given an empty directory
@@ -96,23 +127,76 @@ Feature: Validate checksums for WordPress install
       """
     And the return code should be 0
 
-    Scenario: Verify core checksums when extra files prefixed with 'wp-' are included in WordPress root
-      Given a WP install
-      And a wp-extra-file.php file:
-        """
-        hello world
-        """
-
-      When I try `wp core verify-checksums`
-      Then STDERR should be:
-        """
-        Warning: File should not exist: wp-extra-file.php
-        """
-      And STDOUT should be:
-        """
-        Success: WordPress installation verifies against checksums.
-        """
-      And the return code should be 0
+  Scenario: Verify core checksums when extra files prefixed with 'wp-' are included in WordPress root
+    Given a WP install
+    And a wp-extra-file.php file:
+      """
+      hello world
+      """
+
+    When I try `wp core verify-checksums`
+    Then STDERR should be:
+      """
+      Warning: File should not exist: wp-extra-file.php
+      """
+    And STDOUT should be:
+      """
+      Success: WordPress installation verifies against checksums.
+      """
+    And the return code should be 0
+
+  Scenario: Verify core checksums when extra files are included in WordPress root and --include-root is passed
+    Given a WP install
+    And a extra-file.php file:
+      """
+      hello world
+      """
+    And a unknown-folder/unknown-file.php file:
+      """
+      taco burrito
+      """
+    And a wp-content/unknown-file.php file:
+      """
+      foobar
+      """
+
+    When I try `wp core verify-checksums --include-root`
+    Then STDERR should contain:
+      """
+      Warning: File should not exist: unknown-folder/unknown-file.php
+      """
+    And STDERR should contain:
+      """
+      Warning: File should not exist: extra-file.php
+      """
+    And STDERR should not contain:
+      """
+      Warning: File should not exist: wp-content/unknown-file.php
+      """
+    And STDOUT should be:
+      """
+      Success: WordPress installation verifies against checksums.
+      """
+    And the return code should be 0
+
+    When I run `wp core verify-checksums`
+    Then STDERR should not contain:
+      """
+      Warning: File should not exist: unknown-folder/unknown-file.php
+      """
+    And STDERR should not contain:
+      """
+      Warning: File should not exist: extra-file.php
+      """
+    And STDERR should not contain:
+      """
+      Warning: File should not exist: wp-content/unknown-file.php
+      """
+    And STDOUT should be:
+      """
+      Success: WordPress installation verifies against checksums.
+      """
+    And the return code should be 0
 
   Scenario: Verify core checksums with a plugin that has wp-admin
     Given a WP install
diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php
@@ -10,6 +10,13 @@
  */
 class Checksum_Core_Command extends Checksum_Base_Command {
 
+	/**
+	 * Whether or not to verify contents of the root directory.
+	 *
+	 * @var boolean
+	 */
+	private $include_root = false;
+
 	/**
 	 * Verifies WordPress files against WordPress.org's checksums.
 	 *
@@ -25,6 +32,9 @@ class Checksum_Core_Command extends Checksum_Base_Command {
 	 *
 	 * ## OPTIONS
 	 *
+	 * [--include-root]
+	 * : Verify all files and folders in the root directory, and warn if any non-WordPress items are found.
+	 *
 	 * [--version=<version>]
 	 * : Verify checksums against a specific version of WordPress.
 	 *
@@ -69,6 +79,10 @@ public function __invoke( $args, $assoc_args ) {
 			$locale = $assoc_args['locale'];
 		}
 
+		if ( ! empty( $assoc_args['include-root'] ) ) {
+			$this->include_root = true;
+		}
+
 		if ( empty( $wp_version ) ) {
 			$details    = self::get_wp_details();
 			$wp_version = $details['wp_version'];
@@ -136,6 +150,10 @@ public function __invoke( $args, $assoc_args ) {
 	 * @return bool
 	 */
 	protected function filter_file( $filepath ) {
+		if ( true === $this->include_root ) {
+			return ( 1 !== preg_match( '/^(wp-config\.php$|wp-content\/)/', $filepath ) );
+		}
+
 		return ( 0 === strpos( $filepath, 'wp-admin/' )
 			|| 0 === strpos( $filepath, 'wp-includes/' )
 			|| 1 === preg_match( '/^wp-(?!config\.php)([^\/]*)$/', $filepath )
