Skip to content

fix: store credential auth config fields byte-exact#2890

Merged
chubes4 merged 1 commit into
mainfrom
fix/auth-config-opaque-credential-fields
Jul 13, 2026
Merged

fix: store credential auth config fields byte-exact#2890
chubes4 merged 1 commit into
mainfrom
fix/auth-config-opaque-credential-fields

Conversation

@chubes4

@chubes4 chubes4 commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

  • Store provider-declared password and textarea auth config values as opaque credentials after trimming and removing control characters, preserving percent-encoded octets and $ payload segments.
  • Keep text field sanitization unchanged.
  • Preserve opaque values in the set-token account-data path as well.

Root cause and impact

sanitize_text_field() was applied to every auth config field in both the CLI direct-connect path and the shared executeSaveAuthConfig() ability path. WordPress.org session cookies are opaque credential payloads, not text input: the live wporg_trac cookie was reduced from 832 to 772 bytes, with percent-encoded octets stripped (tk_or=%22https%3A%2F%2Fwww.google.com%2F%22 became tk_or=httpswww.google.com) and %7C segments in wporg_sec/wporg_logged_in corrupted. The original cookie returned curl 200; the stored corrupted cookie returned Trac 403.

Approach

The provider field declaration from get_config_fields() is now the sanitization contract:

  • password and textarea: preserve the payload byte-for-byte except boundary trimming and control-character removal.
  • text and unknown field types: retain sanitize_text_field() behavior.

The regression coverage saves and reads a password/textarea value containing %22, %3A, %2F, %7C, and $o3$g0 byte-identically; it also proves text fields remain sanitized and set-token preserves opaque token data.

Test evidence

  • php -l inc/Abilities/AuthAbilities.php
  • php -l inc/Cli/Commands/AuthCommand.php
  • php -l tests/Unit/Abilities/AuthAbilitiesTest.php
  • composer lint -- inc/Abilities/AuthAbilities.php inc/Cli/Commands/AuthCommand.php tests/Unit/Abilities/AuthAbilitiesTest.php

The checkout has no PHPUnit executable, PHPUnit configuration, or Composer test script, so the WordPress unit suite is not runnable from this repository state.

AI assistance

  • AI assistance: Yes
  • Tool(s): OpenCode (openai/gpt-5.6-terra), orchestrated by Franklin
  • Used for: Root-caused and fixed credential-destroying sanitization in the auth config save path with regression tests, under Chris Huber direction.

@homeboy-ci

homeboy-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Homeboy Results — data-machine

Lint

review lint — passed

ℹ️ Full options: homeboy self docs commands/lint
Deep dive: homeboy review lint data-machine --changed-since 8f297d2

Artifacts and drill-down
  • CI results artifact: homeboy-ci-results-data-machine-review-lint-quality-Linux-node24 contains immediate command JSON for this action invocation.
  • Observation artifact: homeboy-observations-data-machine-review-lint-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
  • Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
  • Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/29215475997

Test

review test — passed

ℹ️ Auto-fix lint issues: homeboy refactor data-machine --from lint --write
ℹ️ Collect coverage: homeboy test data-machine --coverage
ℹ️ Save test baseline: homeboy test data-machine --baseline
ℹ️ Pass args to test runner: homeboy test -- [args]
ℹ️ Full options: homeboy self docs commands/test
Deep dive: homeboy review test data-machine --changed-since 8f297d2

Artifacts and drill-down
  • CI results artifact: homeboy-ci-results-data-machine-review-test-quality-Linux-node24 contains immediate command JSON for this action invocation.
  • Observation artifact: homeboy-observations-data-machine-review-test-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
  • Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
  • Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/29215475997

Audit

review audit — passed

  • audit — 27 finding(s)
  • Total: 27 finding(s)

Deep dive: homeboy review audit data-machine --changed-since 8f297d2

Artifacts and drill-down
  • CI results artifact: homeboy-ci-results-data-machine-review-audit-quality-Linux-node24 contains immediate command JSON for this action invocation.
  • Observation artifact: homeboy-observations-data-machine-review-audit-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
  • Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
  • Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/29215475997
Tooling versions
  • Homeboy CLI: homeboy 0.281.20+123145ee082b+8552dc4d
  • Extension: wordpress from https://github.com/Extra-Chill/homeboy-extensions
  • Extension revision: 79dd370c
  • Action: unknown@unknown

@chubes4
chubes4 merged commit a931ce1 into main Jul 13, 2026
5 checks passed
@chubes4
chubes4 deleted the fix/auth-config-opaque-credential-fields branch July 13, 2026 01:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant