Skip to content

Comments

rector: RemoveUnusedVariableAssignRector#5222

Draft
sreichel wants to merge 3 commits intoOpenMage:mainfrom
sreichel:rector/dc/RemoveUnusedVariableAssignRector
Draft

rector: RemoveUnusedVariableAssignRector#5222
sreichel wants to merge 3 commits intoOpenMage:mainfrom
sreichel:rector/dc/RemoveUnusedVariableAssignRector

Conversation

@sreichel
Copy link
Contributor

@sreichel sreichel commented Jan 9, 2026

Copilot AI review requested due to automatic review settings January 9, 2026 16:21
@github-actions github-actions bot added Component: PayPal Relates to Mage_Paypal Component: Core Relates to Mage_Core Component: Catalog Relates to Mage_Catalog Component: Reports Relates to Mage_Reports Component: CatalogInventory Relates to Mage_CatalogInventory Component: Checkout Relates to Mage_Checkout Component: lib/Varien Relates to lib/Varien Component: Sales Relates to Mage_Sales Component: Usa Relates to Mage_Usa Component: Customer Relates to Mage_Customer Component: Eav Relates to Mage_Eav Component: lib/Mage Relates to lib/Mage Component: Adminhtml Relates to Mage_Adminhtml Component: Api PageRelates to Mage_Api Component: Widget Relates to Mage_Widget Component: Tax Relates to Mage_Tax Component: Payment Relates to Mage_Payment Component: Index Relates to Mage_Index Component: Downloadable Relates to Mage_Downloadable Component: Dataflow Relates to Mage_Dataflow Component: lib/* Relates to lib/* phpstan phpunit rector labels Jan 9, 2026
@sreichel sreichel changed the title rector: RemoveUnusedVariableAssignRector rector: RemoveUnusedVariableAssignRector Jan 9, 2026
Copilot AI reviewed Jan 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request applies Rector's RemoveUnusedVariableAssignRector rule to remove unused variable assignments throughout the codebase. The changes are primarily automated refactoring that:

  • Removes variables that are assigned but never used
  • Renames single-letter or unclear variables to more descriptive names (e.g., $i$index, $e$exception)
  • Simplifies method bodies by removing unnecessary assignments
  • Adds missing @throws PHPDoc annotations

Reviewed changes

Copilot reviewed 99 out of 99 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.rector.php Removes RemoveUnusedVariableAssignRector from skip list to enable the rule
tests/unit/Traits/DataProvider/Mage/Core/Helper/DataTrait.php Removes unused $dateShortTime variable
tests/unit/Mage/Core/Helper/EnvironmentConfigLoaderTest.php Removes unused $websiteWithUnderscorePath variable
lib/Varien/Simplexml/Config.php Removes unused $xml return value capture
lib/Varien/Filter/Template/Tokenizer/Variable.php Removes unused $numberStr variable
lib/Varien/Filter/Email.php Simplifies empty method body
lib/Varien/Db/Tree.php Renames variables and removes unused assignments; adds missing PHPDoc
lib/Varien/Data/Form/Element/Gallery.php Renames $i to $index and removes commented code
lib/Varien/Convert/Parser/Csv.php Renames variables and removes unused variable; adds PHPDoc
lib/Mage/HTTP/Client/Socket.php Renames variables and removes unused return captures; adds PHPDoc
lib/Mage/Archive/Tar.php Removes unused variables
app/code/core/Mage/Widget/* Removes unused variables and improves code clarity
app/code/core/Mage/Usa/* Removes unused variables from shipping carriers
app/code/core/Mage/Tax/* Extensive unused variable removal and PHPDoc additions
app/code/core/Mage/Sales/* Major refactoring with variable renaming and unused variable removal
app/code/core/Mage/Payment/* Variable renaming and PHPDoc improvements
app/code/core/Mage/Index/* Exception variable renaming and unused variable removal
app/code/core/Mage/Eav/* Variable renaming and PHPDoc improvements
app/code/core/Mage/Catalog/* Removes unused variables from catalog models
app/code/core/Mage/Api/* Removes unused methods and variables
app/code/core/Mage/Adminhtml/controllers/* Exception renaming and unused variable removal
app/code/core/Mage/Adminhtml/Block/* Removes unused variables from blocks
Comments suppressed due to low confidence (1)

lib/Varien/Db/Tree.php:478

  • In __moveNode() the catch block prints the exception message, the SQL statement ($sql), and the database adapter’s errorInfo() directly to the HTTP response, then terminates with exit(). If an attacker can cause this query to fail, they will see detailed SQL text and low-level driver error information, which can expose table/column names and other internal details useful for further attacks.

These debug outputs should be removed from the public response and replaced with server-side logging only, returning a generic error to the caller instead of echoing $sql and errorInfo().

lib/Varien/Db/Tree.php
Comment on lines +274 to 283
} catch (PDOException $PDOException) {
$this->_db->rollBack();
echo $p->getMessage();
echo $PDOException->getMessage();
exit();
} catch (Exception $e) {
} catch (Exception $exception) {
$this->_db->rollBack();
echo $e->getMessage();
echo $exception->getMessage();
echo $sql;
var_dump($data);
exit();
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These catch blocks in appendChild() output raw exception messages, the SQL query string ($sql), and var_dump($data) directly to the HTTP response, then call exit(). An attacker who can trigger a database error here can gain detailed insight into your schema and application data (including potentially sensitive values in $data), leading to information disclosure and easier exploitation of other bugs.

You should remove the echo/var_dump calls from this error path and instead log the details server-side (e.g. via a logger) while returning a generic error message to the client.

Copilot uses AI. Check for mistakes.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 9, 2026

Please retry analysis of this Pull-Request directly on SonarQube Cloud

Hanmac
Hanmac reviewed Jan 9, 2026
View reviewed changes
.phpstan.dist.baseline.neon
rawMessage: Variable $order might not be defined.
identifier: variable.undefined
count: 1
path: app/code/core/Mage/Adminhtml/controllers/Sales/OrderController.php
Copy link
Contributor

@Hanmac Hanmac Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably should fix this? otherwise, it could crash?

@sreichel sreichel marked this pull request as draft January 9, 2026 16:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hanmac Hanmac Hanmac left review comments

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

Component: Adminhtml Relates to Mage_Adminhtml Component: Api PageRelates to Mage_Api Component: Catalog Relates to Mage_Catalog Component: CatalogInventory Relates to Mage_CatalogInventory Component: Checkout Relates to Mage_Checkout Component: Core Relates to Mage_Core Component: Customer Relates to Mage_Customer Component: Dataflow Relates to Mage_Dataflow Component: Downloadable Relates to Mage_Downloadable Component: Eav Relates to Mage_Eav Component: Index Relates to Mage_Index Component: lib/Mage Relates to lib/Mage Component: lib/Varien Relates to lib/Varien Component: lib/* Relates to lib/* Component: Payment Relates to Mage_Payment Component: PayPal Relates to Mage_Paypal Component: Reports Relates to Mage_Reports Component: Sales Relates to Mage_Sales Component: Tax Relates to Mage_Tax Component: Usa Relates to Mage_Usa Component: Widget Relates to Mage_Widget phpstan phpunit rector

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sreichel @Hanmac