
wp-cli-secure-command's People

Contributors

benjaminburkhardt, igorhrcek, janw-me, lucisu, tstauer

wp-cli-secure-command's Issues

Implement the ability to scan for and set security headers

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
We need to implement a command that will allow us to search for certain security headers, output the result of the search and allow the user to set the most frequently used security headers.

Describe alternatives you've considered
None

Additional context
Because of the complexity of this command we are going to do implementation in two steps:

  1. We are going to perform search-only
  2. We are going to write rules into config files

We haven't agreed really on the list of headers that we want to scan for (and provide rules for) but I think that we should go with:

  1. HSTS (Strict-Transport-Security)
  2. X-XSS
  3. X-Frame-Options
  4. X-Content-Type-Options
  5. Referrer-Policy (maybe to consider)

I propose that the command for this should be something like:

wp secure securityheaders --scan
wp secure securityheaders --deploy=hsts
wp secure securityheaders --remove=hsts

For scan I prefer to use a table output with the following columns:

  1. Header name
  2. Value (present, not present)
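A presence scan of the kind proposed above, written here as an added example; it is not code from wp-cli-secure-command. The header list is the one the issue names (X-XSS taken as X-XSS-Protection), the HTTP response is constructed for the example rather than captured from a site, and the value notes go one step beyond the proposal by flagging a present header whose value does not do what the header is for.

```python
"""Security header presence scan (added example, not project code)."""
from typing import Dict, List, Tuple

# Headers the proposal wants to scan for, in the order it lists them.
SECURITY_HEADERS = [
    "Strict-Transport-Security",
    "X-XSS-Protection",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
]

# Constructed sample: a response that sets three of the five headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<!doctype html><html></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response.

    Header names are case-insensitive, so keys are lower-cased; a header
    sent twice keeps the last value, which is enough for a presence scan.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def value_note(name: str, value: str) -> str:
    """Flag a present header whose value does not provide the protection."""
    lname = name.lower()
    lvalue = value.lower()
    if lname == "strict-transport-security" and "max-age=" not in lvalue:
        return "missing max-age"
    if lname == "x-frame-options" and lvalue not in ("deny", "sameorigin"):
        return "unexpected value"
    if lname == "x-content-type-options" and lvalue != "nosniff":
        return "expected nosniff"
    return ""


def scan_security_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return one (header name, present|not present, note) row per header."""
    rows = []
    for name in SECURITY_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            rows.append((name, "not present", ""))
        else:
            rows.append((name, "present", value_note(name, value)))
    return rows


def format_table(rows: List[Tuple[str, str, str]]) -> str:
    """Render rows as the header-name / value table the proposal asks for."""
    width = max(len(r[0]) for r in rows)
    lines = [f"{'Header name':<{width}}  Value        Note"]
    for name, status, note in rows:
        lines.append(f"{name:<{width}}  {status:<12} {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(scan_security_headers(parse_response_headers(SAMPLE_RESPONSE))))
```

Feed `parse_response_headers` the raw response of a HEAD or GET against the site being checked; the scan itself never needs the body, so the split on the blank line discards it.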

Cannot install package

Describe the bug
Cannot install WP-CLI package

To Reproduce
Steps to reproduce the behavior:

  1. Try to install with command
    wp package install git@github.com:igorhrcek/wp-cli-secure-command.git

Expected behavior
I expected for the package to be installed

Desktop (please complete the following information):

  • OS: Ubuntu

Additional context

The error that I receive is:

Warning: Couldn't fetch default branch for package 'https://github.com:igorhrcek/wp-cli-secure-command.git' (HTTP code 403). Presuming default branch is 'master'.
Warning: Package name mismatch...Updating from git name 'igorhrcek/wp-cli-secure-command' to composer.json name 'igor/wp_cli_secure_command'.
Installing package igor/wp_cli_secure_command (dev-master)
Updating /home/nvsn/.wp-cli/packages/composer.json to require the package...
Registering https://github.com:igorhrcek/wp-cli-secure-command.git as a VCS repository...
Using Composer to install the package...
---
Loading composer repositories with package information
Warning: Failed to execute git clone --mirror -- 'https://github.com:igorhrcek/wp-cli-secure-command.git' '/home/nvsn/.cache/composer/vcs/https---github.com-igorhrcek-wp-cli-secure-command.git/'

Cloning into bare repository '/home/nvsn/.cache/composer/vcs/https---github.com-igorhrcek-wp-cli-secure-command.git'...
remote: Not Found
fatal: repository 'https://github.com:igorhrcek/wp-cli-secure-command.git/' not found

---
Error: Package installation failed.
Reverted composer.json.

File manager always edits in the current working directory

Describe the bug
File manager always edits in the current working directory.

To Reproduce
Steps to reproduce the behavior:
Run wp secure block-php plugins from the $HOME directory.
An .htaccess will be created in the home directory,
even if a --path is specified.

Expected behavior

This is a tricky one. I think the default --path should be the default one in 90% of cases.
But an .htaccess can also be located above a public folder. Probably the same applies to the nginx config files.

If the default path is respected, a way to make an exception should be available. Maybe a --config-path flag.

Not a clear cut solution for this one.

Implement a code that will clean up inline JavaScript from WordPress

Is your feature request related to a problem? Please describe.
If we allow inline JS to exist then having strong CSP policies (#27) will have no real purpose.

Describe the solution you'd like
We should find an elegant, sustainable and flexible solution for hooking into any WordPress installation in order to add and execute certain code.

Describe alternatives you've considered
None

Additional context
We should use an MU plugin for this. Practically every time we need to change the behavior of WordPress we could just copy the PHP file from our codebase to an MU plugin and then update the main plugin file to include the new files. That way we can easily add and remove certain security features and hook into WP.

The automated release is failing 🚨

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I'm sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Missing package.json file.

A package.json file at the root of your project is required to release on npm.

Please follow the npm guideline to create a valid package.json file.


Good luck with your project ✨

Your semantic-release bot 📦🚀

Error: Package installation failed.

Describe the bug
I tried to install the package, just copied the line wp package install git@github.com:igorhrcek/wp-cli-secure-command.git and inserted it into iTerm. The error I got was:

Warning: Package name mismatch...Updating from git name 'igorhrcek/wp-cli-secure-command' to composer.json name 'igor/wp_cli_secure_command'.
Installing package igor/wp_cli_secure_command (dev-master)
Updating /Users/xxxx/.wp-cli/packages/composer.json to require the package...
Registering git@github.com:igorhrcek/wp-cli-secure-command.git as a VCS repository...
Using Composer to install the package...

Loading composer repositories with package information
Warning: The 'https://api.github.com/repos/igorhrcek/wp-cli-secure-command' URL could not be accessed: HTTP/1.1 400 Bad Request


Error: Package installation failed.
Reverted composer.json.

  • OS: MacOS Monterey

Implement a command for managing CSP policies

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
We should implement a command that will allow us to manage different CSP policies - apply rules to certain policies, such as style-src, font-src, script-src etc.

The user should also be able to get information about what is applied as a policy, like "show me what I set as a script-src" and then to either add or remove addresses from it.

Describe alternatives you've considered
None

Additional context
CSP can get really messy, with too many URLs and different types of policies, so parsing them can be a tricky business.

I think that we should keep a state in a separate file (like in JSON object on FS) and use that to build policy directive and write it into configuration file.
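The state-file approach sketched above, written as an added example rather than project code: the policy lives as a JSON object on disk mapping each directive to its source list, the header value is built from that state, and "show me what I set as script-src" is a lookup in it. The starting policy and the file path are constructed for the example.

```python
"""CSP state manager (added example, not wp-cli-secure-command code)."""
import json
import os
from typing import Dict, List

Policy = Dict[str, List[str]]  # directive -> ordered list of sources


def parse_csp(header: str) -> Policy:
    """Parse a Content-Security-Policy header value into {directive: sources}.

    Directives are separated by ';', each one is a name followed by
    whitespace-separated sources; a directive with no sources (such as
    upgrade-insecure-requests) maps to an empty list.
    """
    policy: Policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def build_csp(policy: Policy) -> str:
    """Serialise {directive: sources} back into a header value."""
    return "; ".join(f"{d} {' '.join(s)}".strip() for d, s in policy.items())


def add_source(policy: Policy, directive: str, source: str) -> Policy:
    """Add a source to a directive, creating the directive if needed; no duplicates."""
    sources = policy.setdefault(directive.lower(), [])
    if source not in sources:
        sources.append(source)
    return policy


def remove_source(policy: Policy, directive: str, source: str) -> Policy:
    """Remove a source; a directive left with no sources is dropped entirely."""
    key = directive.lower()
    if key in policy:
        policy[key] = [s for s in policy[key] if s != source]
        if not policy[key]:
            del policy[key]
    return policy


def show(policy: Policy, directive: str) -> List[str]:
    """The 'show me what I set as a script-src' query."""
    return list(policy.get(directive.lower(), []))


def save_state(path: str, policy: Policy) -> None:
    """Persist the policy as a JSON object; this file is the source of truth."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


def load_state(path: str) -> Policy:
    """Load the policy, or start empty if no state file exists yet."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Constructed starting point; a real run would load the existing state file.
    policy = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.com")
    add_source(policy, "style-src", "'self'")
    remove_source(policy, "script-src", "https://cdn.example.com")
    print(show(policy, "script-src"))
    print(build_csp(policy))
```

The directive string `build_csp` returns is what would be written into the .htaccess or nginx `add_header` rule; because the JSON state is re-serialised every time, the configuration file never has to be parsed back.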

Implement a command to disable a file editor in WordPress Dashboard

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
File Editor is a huge security risk in the dashboard and it should be disabled, so we need to implement a command for that.

Describe alternatives you've considered
None

Additional context
This is just setting DISALLOW_FILE_EDIT to true, so we can do it using the existing wp config set command.

Implement a command that will allow us to set custom file and directory permissions

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
There is an official recommendation about permission masks for files and folders in WP, so we should implement a command to do all that for us.

Describe alternatives you've considered
No

Additional context
WP recommends 666 for files, 755 for folders and I think that this should be a default:
https://wordpress.org/support/article/changing-file-permissions/

Now, someone might want a more permissive system for folders, like 775 instead of 755, so I think there should be an option to pass additional arguments for files and folders separately, like:

wp secure fixpermissions
wp secure fixpermissions --files=644 --folders=775

We should also forbid setting 777 for either files or folders.

Refactor existing commands that are blocking PHP execution in various places

Is your feature request related to a problem? Please describe.
There are a few commands that are doing the same thing (blocking PHP execution) on various paths and instead of having 4 separate commands, we might have one.

Describe the solution you'd like
Remove all existing block-php commands and replace it with only one that will accept arguments?

Describe alternatives you've considered
None

Additional context
For example, instead of:

wp secure block_php_exution_in_uploads

we should have:

wp secure blockphp --locations=uploads,themes,plugins,wp-includes

Implement a command that will allow us to block access to custom files and/or folders

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Implement a command that will allow us to block public access to custom files and/or folders

Describe alternatives you've considered
None

Additional context
For this command we need to define a new rule template that is going to be used as a placeholder for adding custom file names, folders and/or file extensions as well.

The user should be able to add files, extensions and folders all at the same time. Something like:

wp secure block_access --files=file1,file2,file3 --extensions=exe,py,sql --folders=/home/something/something,otherfolder

It's not going to be possible to append files or folders if the rule already exists.

When called with the --remove parameter we will remove this rule altogether.

Implement automated testing on nginx

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Implement a new GHA workflow for automated testing of nginx rules

Describe alternatives you've considered
None

Additional context
In addition to this workflow I also need to build a WordPress container that uses nginx

FixFileAndDirPermissions default mask sets file permissions to writable by any user.

Describe the bug

The default permission mask used in FixFileAndDirPermissions sets files to 0666, which would allow any user to write to files in the WordPress installation.

I would recommend a file mask of 0644, which would only allow the owner of the file to write to it, and still allows read access to all other users.

To Reproduce

Run wp secure fix-permissions

Expected behavior

I suspect the intended behavior of this function would be to set the mask to 0644, which is rw-r--r-- or sets files readable by any user, but writable by only the owner of the file.
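A mode validator and tree walker matching the fixpermissions proposal (--files / --folders arguments, 0777 forbidden) and the default discussed in this bug report, written as an added example; it is not the project's FixFileAndDirPermissions code. The defaults follow the 0644/0755 suggestion above, any world-writable mode is refused for the reason the report gives, and symlinks are skipped so a link inside the tree cannot redirect the chmod to a file outside the installation. The paths in the `__main__` block are constructed for the example.

```python
"""Permission fixer with mode validation (added example, not project code)."""
import os
import stat
import sys
from typing import Dict

DEFAULT_FILE_MODE = 0o644  # rw-r--r--: owner writes, everyone else only reads
DEFAULT_DIR_MODE = 0o755   # rwxr-xr-x: owner writes, others may list and traverse


def parse_mode(text: str) -> int:
    """Turn a CLI argument such as '644' or '0775' into a permission mode."""
    if not text or any(c not in "01234567" for c in text):
        raise ValueError(f"invalid octal mode: {text!r}")
    mode = int(text, 8)
    if mode > 0o777:
        raise ValueError("mode may not set the setuid, setgid or sticky bits")
    return mode


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set, which is what made 0666 a bug."""
    return bool(mode & stat.S_IWOTH)


def validate_mode(mode: int, is_dir: bool) -> int:
    """Reject 0777 (forbidden by the proposal) and any world-writable mode.

    A directory additionally needs the owner execute bit, or the owner can
    no longer enter it after the fix.
    """
    if mode == 0o777:
        raise ValueError("0777 is not allowed for files or folders")
    if is_world_writable(mode):
        raise ValueError(f"{mode:04o} is world-writable; refusing to apply it")
    if is_dir and not mode & stat.S_IXUSR:
        raise ValueError(f"{mode:04o} leaves the owner unable to enter the folder")
    return mode


def mode_is_allowed(mode: int, is_dir: bool) -> bool:
    """Boolean form of validate_mode, convenient for a pre-flight check."""
    try:
        validate_mode(mode, is_dir)
    except ValueError:
        return False
    return True


def fix_permissions(root: str, file_mode: int = DEFAULT_FILE_MODE,
                    dir_mode: int = DEFAULT_DIR_MODE) -> Dict[str, int]:
    """Apply dir_mode to every directory and file_mode to every regular file
    under root; symlinks and special files are counted but left untouched."""
    validate_mode(file_mode, is_dir=False)
    validate_mode(dir_mode, is_dir=True)
    counts = {"dirs": 0, "files": 0, "skipped": 0}
    os.chmod(root, dir_mode)
    counts["dirs"] += 1
    for current, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(current, name)
            if os.path.islink(path):  # chmod would follow the link to its target
                counts["skipped"] += 1
                continue
            os.chmod(path, dir_mode)
            counts["dirs"] += 1
        for name in filenames:
            path = os.path.join(current, name)
            if os.path.islink(path) or not os.path.isfile(path):
                counts["skipped"] += 1
                continue
            os.chmod(path, file_mode)
            counts["files"] += 1
    return counts


if __name__ == "__main__":
    # Constructed invocation: fix_permissions.py /var/www/html 644 775
    wp_root = sys.argv[1] if len(sys.argv) > 1 else "."
    files = parse_mode(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_FILE_MODE
    folders = parse_mode(sys.argv[3]) if len(sys.argv) > 3 else DEFAULT_DIR_MODE
    print(fix_permissions(wp_root, files, folders))
```

The validation runs before the first chmod, so a bad --files or --folders value aborts the command instead of leaving the tree half-changed.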

Implement a CICD workflow for automated testing

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
We need to develop a custom CICD workflow for automated execution of tests using GitHub Actions.

Describe alternatives you've considered
None

Additional context
We need to build Docker containers that will use both Apache and nginx to run WordPress. The reason for this is that we are doing integration tests for the actual .htaccess and nginx rules that are deployed with our commands.

To do so, we will probably have to modify the official WordPress containers and add WP CLI, and then make a full workflow for performing tests.

Ask for confirmation before running FixPermissions

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Let's ask for confirmation before executing FixPermissions command.

Describe alternatives you've considered
None

Additional context
Here are the docs for the confirmation implementation:
https://make.wordpress.org/cli/handbook/references/internal-api/wp-cli-confirm/

We should say something like "This command will change file and folder permissions inside your WordPress installation which might affect the way it works. Are you sure that you want to do this?"

Code refactoring and updates

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
TODO:

  1. Refactor the block-access method to allow for custom files and folders
  2. Fix the missing comments and check for PSR12 standardization of the code
  3. Update the Readme file to reflect latest set of changes
  4. Check existing Unit and Feature tests

Describe alternatives you've considered
None

Additional context
None

Add a call for Security Headers in the all command

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Add a call for adding security headers in wp secure all

Describe alternatives you've considered
None

Additional context
None

Implement a command that will deploy all security rules at once

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
We should implement a command that will allow us to deploy all security rules at once

Describe alternatives you've considered
No

Additional context
Command should be something like:

wp secure all

and it should practically call all other sub-commands to deploy all the rules we have built.

wp secure all and PHP Parse error

PHP Parse error: syntax error, unexpected '|', expecting variable (T_VARIABLE) in /.wp-cli/packages/vendor/igor/wp_cli_secure_command/src/SubCommands/SubCommand.php on line 109

PHP 7.4.28
WP-CLI 2.6.0

Improve the process of nginx restarts during tests, Behat testing process

Is your feature request related to a problem? Please describe.
The existing command used in tests is fixed to only one type of environment, so tests will not run if executed in a different setup.

Describe the solution you'd like
We need to move the restart command from test files to .env file or to find a better way of restarting nginx containers during tests

Describe alternatives you've considered
Not aware that there are any

Additional context
We should also try to implement the official WP CLI Testing process
