From 7bd0e5b9ffb49cadfd7c1c188fbe8caa81114dcd Mon Sep 17 00:00:00 2001 From: Sean Fisher Date: Fri, 12 Jan 2024 11:04:11 -0500 Subject: [PATCH 1/6] Fixing issue with splitting lines by platform --- README.md | 2 +- plugin.php | 6 +++--- readme.txt | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 73d219c..0ea7b48 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # REST API Guard -Stable tag: 1.0.2 +Stable tag: 1.0.4 Requires at least: 6.0 diff --git a/plugin.php b/plugin.php index 3424cd9..fc5d259 100644 --- a/plugin.php +++ b/plugin.php @@ -3,7 +3,7 @@ * Plugin Name: REST API Guard * Plugin URI: https://github.com/alleyinteractive/wp-rest-api-guard * Description: Restrict and control access to the REST API - * Version: 1.0.3 + * Version: 1.0.4 * Author: Sean Fisher * Author URI: https://alley.co/ * Requires at least: 6.0 @@ -104,7 +104,7 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques if ( ! empty( $allowlist ) ) { if ( ! is_array( $allowlist ) ) { - $allowlist = explode( "\n", $allowlist ); + $allowlist = preg_split( '/\r\n|\r|\n/', $allowlist ); } foreach ( $allowlist as $allowlist_endpoint ) { @@ -127,7 +127,7 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques if ( ! empty( $denylist ) ) { if ( ! is_array( $denylist ) ) { - $denylist = explode( "\n", $denylist ); + $denylist = preg_split( '/\r\n|\r|\n/', $denylist ); } foreach ( $denylist as $denylist_endpoint ) { diff --git a/readme.txt b/readme.txt index 6440980..3466a6f 100644 --- a/readme.txt +++ b/readme.txt @@ -1,5 +1,5 @@ === REST API Guard === -Stable tag: 1.0.3 +Stable tag: 1.0.4 Requires at least: 6.0 Tested up to: 6.3 Requires PHP: 7.4 From f93d8a6068212f76832f85e8479d4dd8368284a7 Mon Sep 17 00:00:00 2001 From: Sean Fisher Date: Fri, 12 Jan 2024 11:04:21 -0500 Subject: [PATCH 2/6] Bump dev dependencies --- composer.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
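Review bot: The `preg_split` introduced in the @@ -104 hunk (and its twin in @@ -127 for the denylist) still returns empty strings for blank lines and for a trailing newline in the saved setting, and an empty `$allowlist_endpoint` reaches the `preg_match( '/' . str_replace( '\*', '.*', preg_quote( $allowlist_endpoint, '/' ) ) . '/', $endpoint )` visible as context in the later @@ -108 hunk as the pattern `//`, which matches every route — so a stray trailing newline in the allowlist makes `should_prevent_anonymous_access()` return false for the whole REST API, while the same in the denylist blocks everything. `explode( "\n", ... )` behaved the same way, and the commit only changes the separator, not this. Dropping empties at the split, `$allowlist = preg_split( '/\r\n|\r|\n/', $allowlist, -1, PREG_SPLIT_NO_EMPTY );`, and guarding the loop body with `$allowlist_endpoint = trim( $allowlist_endpoint ); if ( '' === $allowlist_endpoint ) { continue; }` covers both the string and the array form of the setting. The enclosing `should_prevent_anonymous_access()` starts and ends outside this hunk.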
diff --git a/composer.json b/composer.json index fda088f..3725ab2 100644 --- a/composer.json +++ b/composer.json @@ -20,9 +20,9 @@ "php": "^7.4|^8.0" }, "require-dev": { - "alleyinteractive/alley-coding-standards": "^1.0", + "alleyinteractive/alley-coding-standards": "^2.0", "alleyinteractive/composer-wordpress-autoloader": "^1.0", - "mantle-framework/testkit": "^0.7", + "mantle-framework/testkit": "^0.12", "nunomaduro/collision": "^5.0" }, "config": { From 19fe1425831f878a4f8cf07812f861c3e150cad4 Mon Sep 17 00:00:00 2001 From: Sean Fisher Date: Fri, 12 Jan 2024 11:05:21 -0500 Subject: [PATCH 3/6] Fixing test name --- .github/workflows/unit-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index ece6829..e293dd9 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -9,5 +9,5 @@ on: - cron: '0 0 * * *' jobs: - coding-standards: + unit-test: uses: alleyinteractive/.github/.github/workflows/php-tests.yml@main From 47b325c06d2c8411365f4bb47386e6eb2380f40e Mon Sep 17 00:00:00 2001 From: Sean Fisher Date: Fri, 12 Jan 2024 11:06:59 -0500 Subject: [PATCH 4/6] Remove schedule --- .github/workflows/coding-standards.yml | 2 -- .github/workflows/unit-test.yml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml index c336407..ea8e102 100644 --- a/.github/workflows/coding-standards.yml +++ b/.github/workflows/coding-standards.yml @@ -5,8 +5,6 @@ on: branches: - main pull_request: - schedule: - - cron: '0 0 * * *' jobs: coding-standards: diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index e293dd9..155e250 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -5,8 +5,6 @@ on: branches: - main pull_request: - schedule: - - cron: '0 0 * * *' jobs: unit-test: 
From 7b40cfef60cd0d56a5387154f385841532fa25e5 Mon Sep 17 00:00:00 2001 From: Sean Fisher Date: Fri, 12 Jan 2024 11:10:16 -0500 Subject: [PATCH 5/6] CHANGELOG --- CHANGELOG.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d8e5f18..4599ef9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,22 @@ All notable changes to `wp-rest-guard` will be documented in this file. -## 0.1.0 - 202X-XX-XX +## v1.0.4 - 2024-01-12 -- Initial release +- Fixing an issue splitting lines by `\n` instead of `\r\n` on Windows. + +## v1.0.3 - 2023-08-28 + +- Bumping tested version to 6.3 + +## v1.0.2 - 2022-11-03 + +- Fixing another typo in the plugin name. + +## v1.0.1 - 2022-10-26 + +- Fixing a typo on the settings page. + +## v1.0.0 - 2022-10-19 + +- Stable re-release 🎊 From 61a354939b8708e6b4edb89aca22b3f34dd06666 Mon Sep 17 00:00:00 2001 From: Sean Fisher Date: Fri, 12 Jan 2024 11:15:10 -0500 Subject: [PATCH 6/6] Allow for flexibility and including /wp-json in the allow/deny lists --- CHANGELOG.md | 1 + plugin.php | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4599ef9..a3dc604 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ All notable changes to `wp-rest-guard` will be documented in this file. ## v1.0.4 - 2024-01-12 - Fixing an issue splitting lines by `\n` instead of `\r\n` on Windows. +- Allow `/wp-json/` to be included in the allow/deny lists. ## v1.0.3 - 2023-08-28 diff --git a/plugin.php b/plugin.php index fc5d259..41b7564 100644 --- a/plugin.php +++ b/plugin.php @@ -92,8 +92,6 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques return true; } - // todo: check settings. - /** * Filter the allowlist for allowed anonymous requests. * 
@@ -108,6 +106,11 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques } foreach ( $allowlist as $allowlist_endpoint ) { + // Strip off /wp-json from the beginning of the endpoint if it was included. + if ( 0 === strpos( $allowlist_endpoint, '/wp-json' ) ) { + $allowlist_endpoint = substr( $allowlist_endpoint, 8 ); + } + if ( preg_match( '/' . str_replace( '\*', '.*', preg_quote( $allowlist_endpoint, '/' ) ) . '/', $endpoint ) ) { return false; } @@ -131,6 +134,11 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques } foreach ( $denylist as $denylist_endpoint ) { + // Strip off /wp-json from the beginning of the endpoint if it was included. + if ( 0 === strpos( $denylist_endpoint, '/wp-json' ) ) { + $denylist_endpoint = substr( $denylist_endpoint, 8 ); + } + if ( preg_match( '/' . str_replace( '\*', '.*', preg_quote( $denylist_endpoint, '/' ) ) . '/', $endpoint ) ) { return true; }
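Review bot: The prefix stripped in the @@ -108 hunk (and again in @@ -131 for the denylist) is hard-coded as `/wp-json` with a magic length of `8`, but WordPress lets a site change the prefix via the `rest_url_prefix` filter, so on such sites entries written with the real prefix are never stripped and never match. Deriving it from `rest_get_url_prefix()` keeps the two in sync: `$prefix = '/' . rest_get_url_prefix();` then `if ( 0 === strpos( $allowlist_endpoint, $prefix ) ) { $allowlist_endpoint = substr( $allowlist_endpoint, strlen( $prefix ) ); }` (`strpos` rather than `str_starts_with`, since composer.json still allows PHP 7.4). The check also accepts `/wp-jsonfoo/...` as having the prefix; comparing against the prefix followed by `/` (or end of string) avoids that. Note that an entry of exactly `/wp-json` is reduced to `''` and `/wp-json/` to `/`, and because the `preg_match` on the next line is unanchored both then match every route — if that is intended for the allowlist it deserves a comment, otherwise a `continue` on an empty result; `should_prevent_anonymous_access()` begins outside the hunk.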