Enhance WP_REST_Posts_Controller with writable PreparedPost and static analysis fixes

src/wp-includes/formatting.php

@@ -5777,6 +5777,8 @@ function sanitize_trackback_urls( $to_ping ) {
  *
  * @param string|array $value String or array of data to slash.
  * @return string|array Slashed `$value`, in the same type as supplied.
+ *
+ * @phpstan-return ( $value is string ? string : array )
  */
 function wp_slash( $value ) {
 	if ( is_array( $value ) ) {

src/wp-includes/post.php

@@ -1145,6 +1145,14 @@ function get_extended( $post ) {
  *                                 or 'display'. Default 'raw'.
  * @return WP_Post|array|null Type corresponding to $output on success or null on failure.
  *                            When $output is OBJECT, a `WP_Post` instance is returned.
+ *
+ * @phpstan-return (
+ *     $output is 'ARRAY_A' ? array<string, mixed>|null : (
+ *         $output is 'ARRAY_N' ? array<int, mixed>|null : (
+ *             WP_Post|null
+ *         )
+ *     )
+ * )
  */
 function get_post( $post = null, $output = OBJECT, $filter = 'raw' ) {
 	if ( empty( $post ) && isset( $GLOBALS['post'] ) ) {

src/wp-includes/rest-api.php

@@ -684,6 +684,8 @@ function rest_ensure_request( $request ) {
  * @return WP_REST_Response|WP_Error If response generated an error, WP_Error, if response
  *                                   is already an instance, WP_REST_Response, otherwise
  *                                   returns a new WP_REST_Response instance.
+ *
+ * @phpstan-return ( $response is WP_Error ? WP_Error : WP_REST_Response )
  */
 function rest_ensure_response( $response ) {
 	if ( is_wp_error( $response ) ) {

src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

@@ -327,7 +327,7 @@ protected function insert_attachment( $request ) {
 
 		$name       = wp_basename( $file['file'] );
 		$name_parts = pathinfo( $name );
-		$name       = trim( substr( $name, 0, -( 1 + strlen( $name_parts['extension'] ) ) ) );
+		$name       = trim( substr( $name, 0, -( 1 + strlen( $name_parts['extension'] ?? '' ) ) ) );
 
 		$url  = $file['url'];
 		$type = $file['type'];
@@ -355,17 +355,22 @@ protected function insert_attachment( $request ) {
 		}
 
 		$attachment = $this->prepare_item_for_database( $request );
+		if ( is_wp_error( $attachment ) ) {
+			return $attachment;
+		}
 
 		$attachment->post_mime_type = $type;
 		$attachment->guid           = $url;
 
 		// If the title was not set, use the original filename.
 		if ( empty( $attachment->post_title ) && ! empty( $files['file']['name'] ) ) {
 			// Remove the file extension (after the last `.`)
-			$tmp_title = substr( $files['file']['name'], 0, strrpos( $files['file']['name'], '.' ) );
-
-			if ( ! empty( $tmp_title ) ) {
-				$attachment->post_title = $tmp_title;
+			$last_dot_location = strrpos( $files['file']['name'], '.' );
+			if ( false !== $last_dot_location ) {
+				$tmp_title = substr( $files['file']['name'], 0, $last_dot_location );
+				if ( ! empty( $tmp_title ) ) {
+					$attachment->post_title = $tmp_title;
+				}
 			}
 		}
 
@@ -377,10 +382,6 @@ protected function insert_attachment( $request ) {
 		// $post_parent is inherited from $attachment['post_parent'].
 		$id = wp_insert_attachment( wp_slash( (array) $attachment ), $file, 0, true, false );
 
-		if ( trim( $alt ) ) {
-			update_post_meta( $id, '_wp_attachment_image_alt', sanitize_text_field( $alt ) );
-		}
-
 		if ( is_wp_error( $id ) ) {
 			if ( 'db_update_error' === $id->get_error_code() ) {
 				$id->add_data( array( 'status' => 500 ) );
@@ -391,6 +392,10 @@ protected function insert_attachment( $request ) {
 			return $id;
 		}
 
+		if ( trim( $alt ) ) {
+			update_post_meta( $id, '_wp_attachment_image_alt', sanitize_text_field( $alt ) );
+		}
+
 		$attachment = get_post( $id );
 
 		/**
@@ -659,6 +664,13 @@ public function edit_media_item( $request ) {
 		if ( ! file_exists( $image_file_to_edit ) ) {
 			$image_file_to_edit = _load_image_to_edit_path( $attachment_id );
 		}
+		if ( false === $image_file_to_edit ) {
+			return new WP_Error(
+				'rest_cannot_get_image_file_to_edit',
+				__( 'Unable to get image file.' ),
+				array( 'status' => 404 )
+			);
+		}
 
 		$image_editor = wp_get_image_editor( $image_file_to_edit );
 
@@ -766,7 +778,11 @@ public function edit_media_item( $request ) {
 		$original_attachment_post = get_post( $attachment_id );
 
 		// Check request fields and assign default values.
-		$new_attachment_post                 = $this->prepare_item_for_database( $request );
+		$new_attachment_post = $this->prepare_item_for_database( $request );
+		if ( is_wp_error( $new_attachment_post ) ) {
+			return $new_attachment_post;
+		}
+
 		$new_attachment_post->post_mime_type = $saved['mime-type'];
 		$new_attachment_post->guid           = $uploads['url'] . "/$filename";
 
@@ -852,7 +868,15 @@ public function edit_media_item( $request ) {
 
 		wp_update_attachment_metadata( $new_attachment_id, $new_image_meta );
 
-		$response = $this->prepare_item_for_response( get_post( $new_attachment_id ), $request );
+		$new_attachment_post = get_post( $new_attachment_id );
+		if ( ! $new_attachment_post ) {
+			return new WP_Error(
+				'rest_post_invalid_id',
+				__( 'Invalid post ID.' ),
+				array( 'status' => 404 )
+			);
+		}
+		$response = $this->prepare_item_for_response( $new_attachment_post, $request );
 		$response->set_status( 201 );
 		$response->header( 'Location', rest_url( sprintf( '%s/%s/%s', $this->namespace, $this->rest_base, $new_attachment_id ) ) );
 
@@ -869,6 +893,9 @@ public function edit_media_item( $request ) {
 	 */
 	protected function prepare_item_for_database( $request ) {
 		$prepared_attachment = parent::prepare_item_for_database( $request );
+		if ( is_wp_error( $prepared_attachment ) ) {
+			return $prepared_attachment;
+		}
 
 		// Attachment caption (post_excerpt internally).
 		if ( isset( $request['caption'] ) ) {

src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php

@@ -14,6 +14,8 @@
  *
  * @see WP_REST_Revisions_Controller
  * @see WP_REST_Controller
+ *
+ * @phpstan-import-type PreparedPost from WP_REST_Posts_Controller
  */
 class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 
@@ -220,7 +222,14 @@ public function create_item( $request ) {
 			return $post;
 		}
 
-		$prepared_post     = $this->parent_controller->prepare_item_for_database( $request );
+		$prepared_post = $this->parent_controller->prepare_item_for_database( $request );
+		if ( is_wp_error( $prepared_post ) ) {
+			return $prepared_post;
+		}
+
+		/**
+		 * @var PreparedPost $prepared_post
+		 */
 		$prepared_post->ID = $post->ID;
 		$user_id           = get_current_user_id();
 
@@ -272,6 +281,13 @@ public function create_item( $request ) {
 		}
 
 		$autosave = get_post( $autosave_id );
+		if ( ! $autosave ) {
+			return new WP_Error(
+				'rest_post_invalid_id',
+				__( 'Invalid post ID.' ),
+				array( 'status' => 404 )
+			);
+		}
 		$request->set_param( 'context', 'edit' );
 
 		$response = $this->prepare_item_for_response( $autosave, $request );

src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php

@@ -196,6 +196,13 @@ public function create_item( $request ) {
 		do_action( 'rest_after_insert_nav_menu_item', $nav_menu_item, $request, true );
 
 		$post = get_post( $nav_menu_item_id );
+		if ( ! $post ) {
+			return new WP_Error(
+				'rest_post_invalid_id',
+				__( 'Invalid post ID.' ),
+				array( 'status' => 404 )
+			);
+		}
 		wp_after_insert_post( $post, false, null );
 
 		$response = $this->prepare_item_for_response( $post, $request );