Opened 4 weeks ago
Closed 2 weeks ago
#63136 closed task (blessed) (wontfix)
Build/Test Tools: Add Unit Tests for `wp_fast_hash()`
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | trunk |
| Component: | Security | Keywords: | has-patch has-unit-tests |
| Focuses: | tests | Cc: |
Description
The wp_fast_hash() function is part of the upcoming 6.8 version, and I noticed that it lacks unit tests.
I believe there are additional tests we can perform beyond just verifying the hashes in the wp_verify_fast_hash unit tests.
Change History (10)
This ticket was mentioned in PR #8556 on WordPress/wordpress-develop by @debarghyabanerjee.
4 weeks ago
#1
- Keywords has-patch has-unit-tests added; needs-unit-tests removed
#2
@
4 weeks ago
- Component changed from Build/Test Tools to Security
- Milestone changed from Awaiting Review to 6.8
- Version set to trunk
Related: #21022.
Thanks for the ticket and the patch proposal.
Moving for 6.8 consideration as unit tests can land anytime in the release cycle. Also moving to the Security component.
#3
@
4 weeks ago
Can probably be converted from enhancement to task as unit tests are non-functional changes for the core software, yeah?
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
4 weeks ago
@johnbillion commented on PR #8556:
4 weeks ago
#7
Thanks for the PR @Debarghya-Banerjee . Honestly I am in two minds about this, on one hand increased test coverage is always good, but on the other hand I don't believe these tests provide value. This has also came up in Core-53651 (#7731) and some other tickets that propose adding tests to functions that perform little or no logic. If the tests simply copy the logic that exists in the function, or if the function itself performs no real logic, then the tests are of no value, and they can end up unnecessarily tying the tests to an implementation detail.
- Asserting that the return value is not empty is useless because the function always returns a value. There is no conditional logic that affects this.
- Asserting that the return value starts with
$generic$is possibly useful for future changes, but if any work were to be done to this prefix then it would likely become part of some conditional logic so the test would need to change anyway. - Asserting that the function returns a non-empty value when special characters are included in the message doesn't assure us of anything useful. We have to implicitly trust that the Sodium functions are performing as expected otherwise we'd need to write an exhaustive suite of tests that assure the cryptographic security of Sodium.
It might seem like a waste of time to push back on adding these sorts of tests, but they have a cost both in terms of the test run time, future maintainability, and time spent by contributors adding further similar tests when that time would be better spent elsewhere.
#8
@
3 weeks ago
Thank you for the patch proposal. After reviewing the wp_fast_hash() function and the added tests, I agree with @johnbillion’s concerns. The function is simple, always returns a non-empty value, and relies on Sodium, which is already well-tested. Adding tests for these basic behaviors doesn’t add significant value and could increase maintenance overhead in the future. I recommend reconsidering the addition of these specific unit tests unless further logic is added to the function.
Looking forward to your feedback.
Trac Ticket: Core-63136