Resolve deferred FP items: admin-only hook whitelist and N+1 loop containment

noelsaw1 · claude · noelsaw1 · commit e04239c0c1c0 · 2026-03-23T21:17:03.000-07:00
- spo-004: Add admin-only hook whitelist to downgrade inherently-admin hooks
  (admin_notices, admin_init, admin_menu, etc.) to INFO severity instead of
  flagging as missing capability checks
- N+1: Replace line-range heuristic in find_meta_in_loop_line() with
  brace-depth tracking so get_*_meta calls after a loop's closing brace
  are no longer false-positived as N+1 patterns
- Update FEEDBACK-CR-SELF-SERVICE.md, CHANGELOG.md, and 4X4.md

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/4X4.md b/4X4.md
@@ -47,6 +47,7 @@ WP Code Check is a zero-dependency static analysis toolkit for WordPress perform
 - [x] Added Path B observability for aggregated magic-string patterns - phase timing and quality counters are now visible in text and JSON output.
 - [x] Fixed stale-registry fallback behavior - eliminated one apparent hang path in the pattern loader and guarded empty search patterns.
 - [x] Fixed high-noise direct-pattern false positives - reduced `php-shell-exec-functions`, `spo-002-superglobals`, and `php-dynamic-include` noise with targeted scanner and pattern fixes.
+- [x] Cleared all deferred items from CR self-service feedback review — added admin-only hook whitelist for `spo-004` (downgrade to INFO) and strengthened N+1 loop detection with brace-depth lexical containment in `find_meta_in_loop_line()`.
 - [ ] Phase 0b observability remains incomplete - heartbeat output and slow-check rollups are still deferred and need a focused pass.
 
 ---
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## [Unreleased]
+
+### Changed
+
+- Admin-only hook whitelist for `spo-004-missing-cap-check`: `add_action()` calls using inherently-admin-only hooks (`admin_notices`, `admin_init`, `admin_menu`, `admin_head`, `admin_footer`, `admin_enqueue_scripts`, `admin_print_styles`, `admin_print_scripts`, `network_admin_menu`, `user_admin_menu`, `network_admin_notices`, `admin_bar_init`, `admin_action_*`, `load-*`) are now downgraded to INFO severity instead of HIGH, reducing false positives for capability check findings
+
+- N+1 loop detection (`find_meta_in_loop_line`) now uses brace-depth tracking to verify `get_*_meta` calls are lexically inside a loop body, not just within 80 lines of a loop keyword. Eliminates false positives from sequential meta calls after loop closure
+
 ## [2.2.9] - 2026-03-23
 
 ### Added
diff --git a/PROJECT/2-WORKING/FEEDBACK-CR-SELF-SERVICE.md b/PROJECT/2-WORKING/FEEDBACK-CR-SELF-SERVICE.md
@@ -43,22 +43,24 @@
   **File to fix:** `dist/bin/check-performance.sh` ~line 5970 (simple pattern runner grep call)  
   **Verified impact:** `unsanitized-superglobal-read` dropped from **30 → 19** findings in the follow-up scan. The remaining 19 are mostly other classes of reads that still require separate tuning, especially the dedicated `unsanitized-superglobal-isset-bypass` rule.
 
----
+- [x] **FIX admin-only hook whitelist for capability check false positives** ✅ *Implemented in scanner*
+  **Finding:** `credit-registry-forms.php:48` — `add_action('admin_notices', ...)` flagged for missing capability check. `admin_notices` only fires for authenticated admin users.
+  **Reviewer recommendation:** Whitelist inherently-admin-only hooks (`admin_notices`, `admin_init`, `admin_menu`, etc.)
+  **Fix implemented:** Added admin-only hook whitelist in the `spo-004-missing-cap-check` section of `check-performance.sh` (~line 4261). When `add_action()` uses a whitelisted hook, the finding is still recorded but downgraded to INFO severity instead of HIGH. Whitelisted hooks: `admin_notices`, `admin_init`, `admin_menu`, `admin_head`, `admin_footer`, `admin_enqueue_scripts`, `admin_print_styles`, `admin_print_scripts`, `network_admin_menu`, `user_admin_menu`, `network_admin_notices`, `admin_bar_init`, `admin_action_*` (glob), `load-*` (glob).
+  **File changed:** `dist/bin/check-performance.sh` ~line 4261
+  **FPs eliminated:** 1+ per scan (downgraded to INFO)
 
-### 📋 Deferred — Investigate Further Before Implementing
+---
 
-- [ ] **DEFERRED: Add admin-only hook whitelist for capability check false positives**  
-  **Finding:** `credit-registry-forms.php:48` — `add_action('admin_notices', ...)` flagged for missing capability check. `admin_notices` only fires for authenticated admin users.  
-  **Reviewer recommendation:** Whitelist inherently-admin-only hooks (`admin_notices`, `admin_init`, `admin_menu`, etc.)  
-  **Our assessment:** Correct diagnosis. Not fixable with regex alone — requires a hook whitelist in the scanner logic. Downgrade severity to INFO as interim.  
-  **Effort:** Low–Medium | **FPs eliminated:** 1 per occurrence
+### ✅ Previously Deferred — Now Implemented
 
-- [ ] **DEFERRED: Strengthen N+1 loop detection to verify lexical containment**  
-  **Finding 1:** `check-user-meta.php:23` — `get_user_meta()` called sequentially for a single user, not inside a user loop.  
-  **Finding 2:** `class-cr-business-rest-api.php:245` — single `get_user_meta()` re-read after processing.  
-  **Reviewer recommendation:** Confirm the meta call is lexically inside a loop body (`{...}`), not just nearby by line count.  
-  **Our assessment:** The scanner has `is_iterating_over_multiple_objects()` heuristics. These may be gaps in that logic. Review and tighten the "loop containment" check.  
-  **Effort:** Medium | **FPs eliminated:** 2
+- [x] **FIX N+1 loop detection now verifies lexical containment** ✅ *Implemented in scanner*
+  **Finding 1:** `check-user-meta.php:23` — `get_user_meta()` called sequentially for a single user, not inside a user loop.
+  **Finding 2:** `class-cr-business-rest-api.php:245` — single `get_user_meta()` re-read after processing.
+  **Root cause:** `find_meta_in_loop_line()` used a simple line-range check (loop line + 80 lines forward) without verifying the meta call was lexically inside the loop's braces. Sequential `get_*_meta()` calls after a loop's closing `}` were incorrectly flagged.
+  **Fix implemented:** Replaced the line-range `awk` in `find_meta_in_loop_line()` with brace-depth tracking. The new `awk` counts `{` and `}` from the loop line forward, only matching `get_(post|term|user)_meta` while depth > 0. Once the loop body closes (depth returns to 0), scanning stops — meta calls after the loop are no longer flagged.
+  **File changed:** `dist/bin/check-performance.sh` ~line 5413 (`find_meta_in_loop_line()`)
+  **FPs eliminated:** 2+ per scan
 
 ---
 
@@ -93,7 +95,7 @@
 | `exclude_if_file_contains` + `wp eval-file` | `check-performance.sh` + `php-dynamic-include.json` | Medium | 2 verified | ✅ Done |
 | Single-quote inline spo-002 grep | `check-performance.sh` ~L3723 | 1 line | 28 verified | ✅ Done |
 | Apply `exclude_patterns` in simple runner | `check-performance.sh` ~L5970 | Medium | 11 verified | ✅ Done |
-| Admin-only hook whitelist | `check-performance.sh` | Medium | 1+ per scan | 📋 Deferred |
-| N+1 loop containment tightening | `check-performance.sh` | Medium | 2+ per scan | 📋 Deferred |
+| Admin-only hook whitelist | `check-performance.sh` ~L4261 | Low | 1+ per scan (→ INFO) | ✅ Done |
+| N+1 loop containment (brace-depth) | `check-performance.sh` ~L5413 | Medium | 2+ per scan | ✅ Done |
 
 **Latest measured totals:** 99 findings before scanner fixes → **88 findings after first round** → **86 findings after dynamic-include fix**.
diff --git a/dist/bin/check-performance.sh b/dist/bin/check-performance.sh
@@ -4258,6 +4258,24 @@ if [ -n "$ADMIN_MATCHES" ]; then
       continue
     fi
 
+    # Admin-only hook whitelist: these hooks only fire for authenticated admin
+    # users, so a missing capability check is informational, not a real risk.
+    # Extract the hook name from add_action('hook_name', ...) patterns.
+    if echo "$code" | grep -qE "add_action[[:space:]]*\\("; then
+      hook_name=$(echo "$code" | sed -n "s/.*add_action[[:space:]]*([[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" | head -1)
+      case "$hook_name" in
+        admin_notices|admin_init|admin_menu|admin_head|admin_footer| \
+        admin_enqueue_scripts|admin_print_styles|admin_print_scripts| \
+        network_admin_menu|user_admin_menu|network_admin_notices| \
+        admin_bar_init|admin_action_*|load-*)
+          # Downgrade to INFO — the hook itself implies admin context
+          ADMIN_SEEN_KEYS="${ADMIN_SEEN_KEYS}${key}"
+          group_and_add_finding "spo-004-missing-cap-check" "info" "INFO" "$file" "$lineno" "$code" "Admin-only hook '$hook_name' — implicit capability via hook context"
+          continue
+          ;;
+      esac
+    fi
+
     # Enhancement v1.0.93: Parse capability parameter from add_*_page() functions
     # add_submenu_page() 4th parameter is capability
     # add_menu_page() 4th parameter is capability
@@ -5409,7 +5427,31 @@ find_meta_in_loop_line() {
 			window_end="$scope_end"
 		fi
 
-		if awk -v s="$lineno" -v e="$window_end" 'NR>=s && NR<=e { if ($0 ~ /get_(post|term|user)_meta[[:space:]]*\(/) { print NR; exit } }' "$file"; then
+		# Verify lexical containment: only match get_*_meta while brace
+		# depth > 0 (i.e. actually inside the loop body, not after it).
+		local meta_line
+		meta_line=$(awk -v s="$lineno" -v e="$window_end" '
+		BEGIN { depth = 0; started = 0 }
+		NR >= s && NR <= e {
+			# Count braces on this line (simple char count — good enough for PHP)
+			n = length($0)
+			for (i = 1; i <= n; i++) {
+				c = substr($0, i, 1)
+				if (c == "{") { depth++; started = 1 }
+				if (c == "}") { depth-- }
+			}
+			# Only match meta calls while inside the loop body
+			if (started && depth > 0 && $0 ~ /get_(post|term|user)_meta[[:space:]]*\(/) {
+				print NR
+				exit
+			}
+			# If we opened and then fully closed the loop, stop looking
+			if (started && depth <= 0 && NR > s) exit
+		}
+		' "$file")
+
+		if [ -n "$meta_line" ]; then
+			echo "$meta_line"
 			return 0
 		fi
 	done <<< "$loop_matches"
