Merge branch 'main' into copilot/fix-plugin-verification-checks

swissspidy · swissspidy · commit d1d2931dde79 · 2026-03-12T10:32:37.000+01:00
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -21,9 +21,7 @@ jobs:
 
       - name: Check existence of composer.json file
         id: check_composer_file
-        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
-        with:
-          files: "composer.json"
+        run: echo "files_exists=$(test -f composer.json && echo true || echo false)" >> "$GITHUB_OUTPUT"
 
       - name: Set up PHP environment
         if: steps.check_composer_file.outputs.files_exists == 'true'
@@ -38,7 +36,7 @@ jobs:
 
       - name: Install Composer dependencies & cache dependencies
         if: steps.check_composer_file.outputs.files_exists == 'true'
-        uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3
+        uses: ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947 # v3
         env:
           COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
         with:
diff --git a/README.md b/README.md
@@ -96,7 +96,7 @@ site.
 Verifies plugin files against WordPress.org's checksums.
 
 ~~~
-wp plugin verify-checksums [<plugin>...] [--all] [--strict] [--version=<version>] [--format=<format>] [--insecure] [--exclude=<name>]
+wp plugin verify-checksums [<plugin>...] [--all] [--strict] [--version=<version>] [--format=<format>] [--insecure] [--exclude=<name>] [--exclude-mu-plugins]
 ~~~
 
 **OPTIONS**
@@ -132,6 +132,9 @@ wp plugin verify-checksums [<plugin>...] [--all] [--strict] [--version=<version>
 	[--exclude=<name>]
 		Comma separated list of plugin names that should be excluded from verifying.
 
+	[--exclude-mu-plugins]
+		Exclude must-use plugins from verification.
+
 **EXAMPLES**
 
     # Verify the checksums of all installed plugins
diff --git a/features/checksum-plugin.feature b/features/checksum-plugin.feature
@@ -167,10 +167,7 @@ Feature: Validate checksums for WordPress plugins
       """
 
     When I try `wp plugin verify-checksums --all --exclude=akismet`
-    Then STDOUT should contain:
-      """
-      Verified 0 of 1 plugins (1 skipped).
-      """
+    Then STDOUT should match /^Success: Verified \d of \d plugins \(\d skipped\)\./
 
   Scenario: Plugin is verified when the --exclude argument isn't included
     Given a WP install
@@ -189,10 +186,7 @@ Feature: Validate checksums for WordPress plugins
       """
 
     When I try `wp plugin verify-checksums --all`
-    Then STDOUT should contain:
-      """
-      Verified 1 of 1 plugins.
-      """
+    Then STDOUT should match /^Success: Verified \d of \d plugins/
 
   # Hello Dolly was moved from a single file to a directory in WordPress 6.9
   @less-than-wp-6.9
@@ -238,3 +232,74 @@ Feature: Validate checksums for WordPress plugins
       """
       Warning: Plugin duplicate-post main file is missing: duplicate-post/duplicate-post.php
       """
+
+  Scenario: Verify must-use plugin that is a standard plugin moved to mu-plugins
+    Given a WP install
+
+    When I run `wp plugin delete --all`
+
+    And I run `wp plugin install duplicate-post --version=3.2.1`
+    Then STDOUT should not be empty
+
+    When I run `mv wp-content/plugins/duplicate-post wp-content/mu-plugins/`
+    Then STDERR should be empty
+
+    When I try `wp plugin verify-checksums --all`
+    Then STDOUT should match /Success: Verified \d of \d plugins/
+    And STDERR should not contain:
+      """
+      duplicate-post
+      """
+
+  Scenario: Exclude must-use plugins from verification
+    Given a WP install
+
+    When I run `wp plugin install duplicate-post --version=3.2.1`
+    Then STDOUT should not be empty
+
+    When I run `mv wp-content/plugins/duplicate-post wp-content/mu-plugins/`
+    Then STDERR should be empty
+
+    When I run `wp plugin delete --all`
+
+    And I run `wp plugin verify-checksums --all --exclude-mu-plugins`
+    Then STDOUT should contain:
+      """
+      Plugin already verified.
+      """
+
+  Scenario: Modified must-use plugin doesn't verify
+    Given a WP install
+
+    When I run `wp plugin install duplicate-post --version=3.2.1`
+    Then STDOUT should not be empty
+
+    When I run `mv wp-content/plugins/duplicate-post wp-content/mu-plugins/`
+    Then STDERR should be empty
+
+    Given "Duplicate Post" replaced with "Different Name" in the wp-content/mu-plugins/duplicate-post/duplicate-post.php file
+
+    When I try `wp plugin verify-checksums --all --format=json`
+    Then STDOUT should contain:
+      """
+      "plugin_name":"duplicate-post","file":"duplicate-post.php","message":"Checksum does not match"
+      """
+    And STDERR should match /Error: Only verified \d of \d plugins/
+
+  Scenario: Single-file must-use plugin without checksums shows warning
+    Given a WP install
+    And a wp-content/mu-plugins/custom-mu-plugin.php file:
+      """
+      <?php
+      /**
+       * Plugin Name: Custom MU Plugin
+       * Version: 1.0.0
+       */
+      """
+
+    When I run `wp plugin verify-checksums --all 2>&1`
+    Then STDOUT should contain:
+      """
+      Warning: Must-use plugin 'custom-mu-plugin.php' appears to be a custom file or loader plugin and cannot be verified.
+      """
+    And STDOUT should match /Success: Verified \d of \d plugins \(\d skipped\)\./
diff --git a/src/Checksum_Plugin_Command.php b/src/Checksum_Plugin_Command.php
@@ -62,6 +62,9 @@ class Checksum_Plugin_Command extends Checksum_Base_Command {
 	 * [--exclude=<name>]
 	 * : Comma separated list of plugin names that should be excluded from verifying.
 	 *
+	 * [--exclude-mu-plugins]
+	 * : Exclude must-use plugins from verification.
+	 *
 	 * ## EXAMPLES
 	 *
 	 *     # Verify the checksums of all installed plugins
@@ -74,11 +77,13 @@ class Checksum_Plugin_Command extends Checksum_Base_Command {
 	 */
 	public function __invoke( $args, $assoc_args ) {
 
-		$fetcher  = new Fetchers\UnfilteredPlugin();
-		$all      = Utils\get_flag_value( $assoc_args, 'all', false );
-		$strict   = Utils\get_flag_value( $assoc_args, 'strict', false );
-		$insecure = Utils\get_flag_value( $assoc_args, 'insecure', false );
-		$plugins  = $fetcher->get_many( $all ? $this->get_all_plugin_names() : $args );
+		$fetcher    = new Fetchers\UnfilteredPlugin();
+		$all        = Utils\get_flag_value( $assoc_args, 'all', false );
+		$strict     = Utils\get_flag_value( $assoc_args, 'strict', false );
+		$insecure   = Utils\get_flag_value( $assoc_args, 'insecure', false );
+		$exclude_mu = Utils\get_flag_value( $assoc_args, 'exclude-mu-plugins', false );
+		$plugins    = $fetcher->get_many( $all ? $this->get_all_plugin_names() : $args );
+		$mu_plugins = ! $exclude_mu ? array_merge( get_mu_plugins(), get_plugins( '/../' . basename( WPMU_PLUGIN_DIR ) ) ) : [];
 
 		/**
 		 * @var string $exclude
@@ -155,6 +160,27 @@ public function __invoke( $args, $assoc_args ) {
 			}
 		}
 
+		$total = count( $plugins );
+
+		foreach ( $mu_plugins as $mu_file => $mu_plugin ) {
+			$plugin_name = $this->get_plugin_slug_from_path( $mu_file );
+
+			if ( ! empty( $args ) ) {
+				if ( ! in_array( $plugin_name, $args, true ) ) {
+					continue;
+				} else {
+					++$total;
+				}
+			}
+
+			if ( in_array( $plugin_name, $exclude_list, true ) ) {
+				++$skips;
+				continue;
+			}
+
+			$this->verify_mu_plugin( $mu_file, $mu_plugin, $plugin_name, $version_arg, $insecure, $strict, $skips );
+		}
+
 		if ( ! empty( $this->errors ) ) {
 			$formatter = new Formatter(
 				$assoc_args,
@@ -163,7 +189,10 @@ public function __invoke( $args, $assoc_args ) {
 			$formatter->display_items( $this->errors );
 		}
 
-		$total     = count( $plugins );
+		if ( $all ) {
+			$total += count( $mu_plugins );
+		}
+
 		$failures  = count( array_unique( array_column( $this->errors, 'plugin_name' ) ) );
 		$successes = $total - $failures - $skips;
 
@@ -335,22 +364,23 @@ private function get_plugin_files( $path ) {
 	 * @param string $path      Relative path to the plugin file to check the
 	 *                          integrity of.
 	 * @param array  $checksums Array of provided checksums to compare against.
+	 * @param string $base_dir  Optional. Base directory for the plugin. Defaults to WP_PLUGIN_DIR.
 	 *
 	 * @return bool|string
 	 */
-	private function check_file_checksum( $path, $checksums ) {
+	private function check_file_checksum( $path, $checksums, $base_dir = null ) {
 		if ( $this->supports_sha256()
 			&& array_key_exists( 'sha256', $checksums )
 		) {
-			$sha256 = $this->get_sha256( $this->get_absolute_path( $path ) );
+			$sha256 = $this->get_sha256( $this->get_absolute_path( $path, $base_dir ) );
 			return in_array( $sha256, (array) $checksums['sha256'], true );
 		}
 
 		if ( ! array_key_exists( 'md5', $checksums ) ) {
 			return 'No matching checksum algorithm found';
 		}
 
-		$md5 = $this->get_md5( $this->get_absolute_path( $path ) );
+		$md5 = $this->get_md5( $this->get_absolute_path( $path, $base_dir ) );
 
 		return in_array( $md5, (array) $checksums['md5'], true );
 	}
@@ -394,12 +424,16 @@ private function get_md5( $filepath ) {
 	/**
 	 * Gets the absolute path to a relative plugin file.
 	 *
-	 * @param string $path Relative path to get the absolute path for.
+	 * @param string $path     Relative path to get the absolute path for.
+	 * @param string $base_dir Optional. Base directory to prepend. Defaults to WP_PLUGIN_DIR.
 	 *
 	 * @return string
 	 */
-	private function get_absolute_path( $path ) {
-		return WP_PLUGIN_DIR . '/' . $path;
+	private function get_absolute_path( $path, $base_dir = null ) {
+		if ( null === $base_dir ) {
+			$base_dir = WP_PLUGIN_DIR;
+		}
+		return $base_dir . '/' . $path;
 	}
 
 	/**
@@ -428,4 +462,128 @@ private function get_soft_change_files() {
 	private function is_soft_change_file( $file ) {
 		return in_array( strtolower( $file ), $this->get_soft_change_files(), true );
 	}
+
+	/**
+	 * Extracts the plugin slug from the plugin file path.
+	 *
+	 * For MU plugins that are actually standard plugins moved to mu-plugins folder,
+	 * we extract the plugin slug from the file path to look up checksums.
+	 *
+	 * @param string $plugin_file Path to the plugin file.
+	 *
+	 * @return string Plugin slug.
+	 */
+	private function get_plugin_slug_from_path( $plugin_file ) {
+		// If it's in a subdirectory, use the directory name as slug.
+		if ( false !== strpos( $plugin_file, '/' ) ) {
+			return dirname( $plugin_file );
+		}
+
+		// For single files, extract the slug from the filename.
+		return basename( $plugin_file, '.php' );
+	}
+
+	/**
+	 * Gets the version for a plugin from its header data or the version argument.
+	 *
+	 * @param string $version_arg Version argument from command line.
+	 * @param array  $plugin_data Plugin header data.
+	 *
+	 * @return string|false Plugin version, or false if not found.
+	 */
+	private function get_plugin_version_for_verification( $version_arg, $plugin_data ) {
+		if ( ! empty( $version_arg ) ) {
+			return $version_arg;
+		}
+
+		if ( ! empty( $plugin_data['Version'] ) ) {
+			return $plugin_data['Version'];
+		}
+
+		return false;
+	}
+
+	/**
+	 * Verifies a must-use plugin against WordPress.org checksums.
+	 *
+	 * @param string $mu_file     Path to the MU plugin file.
+	 * @param array  $mu_plugin   Plugin header data.
+	 * @param string $plugin_name Plugin slug/name.
+	 * @param string $version_arg Version to verify against (if specified).
+	 * @param bool   $insecure    Whether to allow insecure connections.
+	 * @param bool   $strict      Whether to check soft change files.
+	 * @param int    &$skips      Reference to skip counter.
+	 */
+	private function verify_mu_plugin( $mu_file, $mu_plugin, $plugin_name, $version_arg, $insecure, $strict, &$skips ) {
+		$is_single_file = false === strpos( $mu_file, '/' );
+
+		// Get version from the plugin header.
+		$version = $this->get_plugin_version_for_verification( $version_arg, $mu_plugin );
+
+		if ( false === $version ) {
+			WP_CLI::warning( "Could not retrieve the version for must-use plugin {$plugin_name}, skipping." );
+			++$skips;
+			return;
+		}
+
+		$wp_org_api = new WpOrgApi( [ 'insecure' => $insecure ] );
+
+		try {
+			/**
+			 * @var array|false $checksums
+			 */
+			$checksums = $wp_org_api->get_plugin_checksums( $plugin_name, $version );
+			if ( false === $checksums ) {
+				throw new Exception( "Could not retrieve the checksums for version {$version} of must-use plugin {$plugin_name}, skipping." );
+			}
+		} catch ( Exception $exception ) {
+			// If it's a single file or we can't get checksums, warn the user.
+			if ( $is_single_file ) {
+				WP_CLI::warning( "Must-use plugin '{$mu_file}' appears to be a custom file or loader plugin and cannot be verified." );
+			} else {
+				WP_CLI::warning( $exception->getMessage() );
+			}
+			++$skips;
+			return;
+		}
+
+		$files = $this->get_mu_plugin_files( $mu_file );
+
+		foreach ( $files as $file ) {
+			if ( ! array_key_exists( $file, $checksums ) ) {
+				$this->add_error( $plugin_name, $file, 'File was added' );
+				continue;
+			}
+
+			if ( ! $strict && $this->is_soft_change_file( $file ) ) {
+				continue;
+			}
+
+			// Build the relative path for MU plugins.
+			$relative_path = $is_single_file ? $file : dirname( $mu_file ) . '/' . $file;
+
+			$result = $this->check_file_checksum( $relative_path, $checksums[ $file ], WPMU_PLUGIN_DIR );
+			if ( true !== $result ) {
+				$this->add_error( $plugin_name, $file, is_string( $result ) ? $result : 'Checksum does not match' );
+			}
+		}
+	}
+
+	/**
+	 * Gets the list of files that are part of the given MU plugin.
+	 *
+	 * @param string $mu_file Path to the main MU plugin file.
+	 *
+	 * @return array<string> Array of files with their relative paths.
+	 */
+	private function get_mu_plugin_files( $mu_file ) {
+		// If it's a single file in the root of mu-plugins, return just that file.
+		if ( false === strpos( $mu_file, '/' ) ) {
+			return array( $mu_file );
+		}
+
+		// If it's in a subdirectory, get all files in that directory.
+		$folder = WPMU_PLUGIN_DIR . '/' . dirname( $mu_file );
+		return $this->get_files( trailingslashit( $folder ) );
+	}
 }
diff --git a/src/WP_CLI/Fetchers/UnfilteredPlugin.php b/src/WP_CLI/Fetchers/UnfilteredPlugin.php
@@ -27,7 +27,8 @@ class UnfilteredPlugin extends Base {
 	 */
 	public function get( $name ) {
 		$name = (string) $name;
- 		// First, check plugins detected by get_plugins()
+
+		// First, check plugins detected by get_plugins()
 		foreach ( get_plugins() as $file => $_ ) {
 			if ( "{$name}.php" === $file ||
 				( $name && $file === $name ) ||
