Skip to content

DB/DirectDatabaseQuery: fix handling of namespaced calls to cache functions #2619

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

DB/DirectDatabaseQuery: fix handling of namespaced calls to cache functions #2619

wants to merge 2 commits into from

Conversation

@rodrigoprimo
Copy link
Collaborator

@rodrigoprimo rodrigoprimo commented Sep 18, 2025

Description

Before this change, the sniff was not properly differentiating between fully qualified calls to global WP cache functions and namespaced calls to non-WP functions with the same name as the WP functions.

In other words, the sniff was correctly identifying \wp_cache_get() as a WP cache function, but it was incorrectly identifying MyNamespace\wp_cache_get() as a WP cache function as well. This PR fixes this issue.

Suggested changelog entry

Fixed: WordPress.DB.DirectDatabaseQuery: handling of calls to namespaced non-global functions with the same name as WP cache functions.

@rodrigoprimo
DB/DirectDatabaseQuery: fix handling of namespaced calls to cache fun…
4569963 
…ctions

Before this change, the sniff was not properly differentiating between fully qualified calls to global WP cache functions and namespaced calls to non-WP functions with the same name as the WP functions.

In other words, the sniff was correctly identifying `\wp_cache_get()` as a WP cache function, but it was incorrectly identifying `MyNamespace\wp_cache_get()` as a WP cache function. This commit fixes this issue.
@jrfnl
Copy link
Member

jrfnl commented Sep 18, 2025

Hmm... so as per #2615:

As suggested by Juliette, I'm including a test to document that method names that match the cache function names are deliberately not flagged by this sniff, as they will be most likely valid custom cache functions.

... we are ignoring method calls if they mirror the WP native functions, but now this PR will start flagging namespaced function calls which mirror the WP native functions ?

That sounds very inconsistent to me.

@rodrigoprimo
Copy link
Collaborator Author

rodrigoprimo commented Oct 30, 2025

That is a good point. I'm unsure what is the best approach here.

I checked other WPCS sniffs to see if they have similar behavior, and those I examined behave differently.

Similar to the list of cache functions used by DirectDatabaseQuery, the NonceVerification and ValidatedSanitizedInput sniffs have lists of WP functions that they check for usage in different circumstances. Both sniffs only match global WP functions and will not match non-global functions with the same name (whether namespaced functions or methods). All sniffs extending AbstractFunctionRestrictionsSniff and AbstractFunctionParameterSniff behave in the same way when looking for their target functions.

Do you see a reason to keep the DirectDatabaseQuery sniff behaving differently than the sniffs mentioned above? Or should we revisit its behavior and make it explicitly match only global WP cache functions (like the other sniffs do)?

@jrfnl
Copy link
Member

jrfnl commented Oct 31, 2025

The NonceVerification and ValidatedSanitizedInput sniffs are security sniffs, so those being stricter than the DirectDatabaseQuery sniff makes total sense to me.

@rodrigoprimo
Revert how the sniff handles namespaced functions that mirror the nam…
990b1c9 
…e of WP global cache functions

As discussed during the PR review, this reverts changes from the previous commit which filtered out namespaced cache function calls. After discussion, it was decided to maintain the existing behavior where namespaced cache functions like `MyNamespace\wp_cache_get()` are treated as valid custom cache implementations, consistent with how method calls like `$obj->wp_cache_get()` are handled.

The tests have been updated to test the new behavior.
@rodrigoprimo
Copy link
Collaborator Author

rodrigoprimo commented Oct 31, 2025

Thanks for your input, @jrfnl. I have pushed a new commit reverting the changes to the sniff code and updating the tests to safeguard against regressions for the current behavior of the sniff. Is this more or less what you had in mind? Do you prefer that I update the title and description of this PR to reflect that now it only adds DirectDatabaseQuery tests or that I close this PR and open a new one?

@rodrigoprimo rodrigoprimo mentioned this pull request Nov 5, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Type: Bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rodrigoprimo @jrfnl