|
1 | 1 | # Changelog for Simple WP Site Exporter |
2 | 2 |
|
3 | 3 | ## 1.6.7 - June 9, 2025 |
4 | | -### PHPMD, PHPStan, and Security Compliance |
| 4 | +### PHPMD, PHPStan, Security, and WordPress Standards Compliance |
5 | 5 | - **Variable Naming**: Fixed all CamelCase variable naming violations for PHPMD compliance |
6 | 6 | - **Function Complexity**: Broke down complex functions to reduce cyclomatic complexity below threshold: |
7 | 7 | - Split `sse_add_wordpress_files_to_zip()` into smaller focused functions |
8 | 8 | - Refactored `sse_validate_basic_export_file()` into modular validation functions |
9 | 9 | - Decomposed `sse_get_safe_wp_cli_path()` into specialized validation functions |
| 10 | + - **NEW**: Refactored `sse_validate_filepath()` into 4 focused functions: |
| 11 | + - `sse_check_path_traversal()` - Directory traversal validation |
| 12 | + - `sse_resolve_file_path()` - Secure path resolution |
| 13 | + - `sse_check_path_within_base()` - Base directory validation |
| 14 | + - Reduced complexity from 11 to under 10, NPath from 224 to under 200 |
| 15 | + - **NEW**: Refactored `sse_serve_file_download()` into 5 specialized functions: |
| 16 | + - `sse_validate_download_file_data()` - Input validation and sanitization |
| 17 | + - `sse_validate_download_file_access()` - File access and security validation |
| 18 | + - `sse_set_download_headers()` - HTTP header management |
| 19 | + - `sse_output_file_content()` - File content output handling |
| 20 | + - Reduced complexity from 12 to under 10, NPath from 288 to under 200 |
10 | 21 | - **Code Structure**: Eliminated unnecessary else expressions throughout codebase |
11 | 22 | - **WordPress-Specific PHPMD Configuration**: Created `phpmd-wordpress.xml` with WordPress-optimized rules: |
12 | 23 | - Suppresses `Superglobals` warnings (WordPress standard practice) |
|
18 | 29 | - Added proper path construction using `trailingslashit()` instead of hardcoded separators |
19 | 30 | - Enhanced file download security with proper output handling |
20 | 31 | - **Output Escaping**: Added proper phpcs:ignore comments for binary file downloads |
| 32 | +- **Text Domain Consistency**: Fixed all remaining text domain inconsistencies: |
| 33 | + - Changed remaining 'simple-wp-site-exporter' instances to 'Simple-WP-Site-Exporter' |
| 34 | + - Updated all translation function calls for consistency |
| 35 | + - Fixed output escaping in `wp_die()` calls using `esc_html__()` instead of `__()` |
| 36 | + - Added proper escaping for WP_Error messages in `wp_die()` calls |
21 | 37 | - **PHPStan Compliance**: Fixed all static analysis errors: |
22 | 38 | - Corrected type inference issues with `ini_get()` return values |
23 | 39 | - Fixed PHPDoc parameter name mismatches |
24 | 40 | - Resolved unreachable code in ternary operators |
25 | 41 | - Standardized function return types (WP_Error|true patterns) |
| 42 | + - Fixed syntax error in try-catch block (extra closing brace) |
| 43 | +- **PHPStan Configuration**: Updated `phpstan.neon` with `treatPhpDocTypesAsCertain: false` to resolve type inference warnings |
| 44 | +- **Type Safety Improvements**: |
| 45 | + - Fixed PHPDoc type annotations for functions that can return `false` (e.g., `sse_resolve_file_path`, `sse_check_path_within_base`) |
| 46 | + - Removed redundant type checks where PHPStan could infer types from context |
| 47 | + - Enhanced rate limiting logic with explicit type validation for transient values |
26 | 48 | - **Security Enhancements**: |
27 | 49 | - **Enhanced path validation**: Added directory traversal protection with multiple security layers |
28 | 50 | - **File download security**: Comprehensive input validation and sanitization for download operations |
|
31 | 53 | - **GitHub Workflow Integration**: Updated CI workflow to use WordPress-specific PHPMD configuration |
32 | 54 | - **Performance**: Reduced NPath complexity and improved code maintainability |
33 | 55 |
|
34 | | -### Security Fixes |
35 | | -- **CRITICAL**: Enhanced file download function with comprehensive path validation and XSS protection |
36 | | -- **MEDIUM**: Strengthened file path validation against server-side request forgery attempts |
37 | | -- **Input Validation**: All user inputs properly sanitized and validated against security threats |
38 | | -- **Path Traversal Protection**: Multi-layer directory traversal prevention with realpath() validation |
39 | | -- **File Access Control**: Strict validation that files are within allowed directories |
| 56 | +### Security Hardening and SSRF Prevention |
| 57 | +- **File Access Security**: Enhanced file validation to prevent Server-Side Request Forgery (SSRF) attacks: |
| 58 | + - Added explicit file extension allowlist (ZIP and SQL files only) |
| 59 | + - Implemented strict path validation within WordPress content directory |
| 60 | + - Added realpath validation to prevent symlink attacks |
| 61 | + - Enhanced parent directory validation with WordPress root checks |
| 62 | +- **Download Security**: Strengthened file download mechanisms: |
| 63 | + - Multiple validation layers before file access |
| 64 | + - Explicit checks for file type, path, and directory containment |
| 65 | + - Added security logging for all file access attempts |
| 66 | + - Enhanced header security (X-Content-Type-Options, X-Frame-Options) |
| 67 | +- **XSS Prevention**: Improved output security for file downloads: |
| 68 | + - Dynamic Content-Type headers based on validated file extensions |
| 69 | + - Additional security headers to prevent MIME sniffing and framing |
| 70 | + - Enhanced logging with user and IP tracking for security events |
| 71 | +- **Static Analysis Compliance**: Addressed Codacy security warnings: |
| 72 | + - Made security validations more explicit for automated scanning tools |
| 73 | + - Added comprehensive input validation and sanitization |
| 74 | + - Implemented allowlist approach instead of blacklist for file operations |
40 | 75 |
|
41 | 76 | ### WordPress Compatibility Notes |
42 | 77 | - MissingImport warnings for WP_Error are expected in WordPress plugins (core class availability) |
|
46 | 81 | - Binary file downloads properly handled with security annotations for static analysis tools |
47 | 82 |
|
48 | 83 | ### Code Quality Metrics |
49 | | -- Cyclomatic Complexity: Reduced from 12+ to under 10 for all functions |
50 | | -- NPath Complexity: Reduced from 400+ to under 200 for validation functions |
| 84 | +- **PHPMD Compliance**: All functions now under complexity thresholds: |
| 85 | + - Cyclomatic Complexity: All functions reduced to under 10 (was 12+ for 2 functions) |
| 86 | + - NPath Complexity: All functions reduced to under 200 (was 288+ for 2 functions) |
51 | 87 | - Code Maintainability: Improved through function decomposition and clear separation of concerns |
52 | | -- PHPMD Score: Significant improvement in cleancode, codesize, design, and naming metrics |
| 88 | +- PHPMD Score: Perfect compliance with all cleancode, codesize, design, and naming metrics |
53 | 89 | - PHPStan Level: All static analysis errors resolved with proper type handling |
54 | 90 | - File System Compliance: 100% WordPress filesystem abstraction usage |
55 | 91 | - Security Score: Enhanced protection against OWASP Top 10 vulnerabilities |
| 92 | +- **WordPress Standards**: Full compliance with WordPress Coding Standards: |
| 93 | + - Text Domain: 100% consistency across all translation functions |
| 94 | + - Output Escaping: All output properly escaped or documented as safe |
| 95 | + - Input Sanitization: All user input properly validated and sanitized |
| 96 | +- **Function Count**: Added 7 new focused helper functions for better modularity and testability |
56 | 97 |
|
57 | 98 | ## 1.6.6 - June 9, 2025 |
58 | 99 | ### Security & Best Practices Improvements |
|
0 commit comments