From 0b914e63c74bbf7cbf6a98375cc745e43f455e2a Mon Sep 17 00:00:00 2001 From: Fernando Morgenstern Date: Tue, 24 Oct 2023 08:03:41 -0300 Subject: [PATCH] Add nonce validation in admin pages Fix a Cross-Site Request Forgery issue due to nonce validation not being implemented. --- CHANGELOG.md | 5 ++++ inc/class-mailrelaypages.php | 49 +++++++++++++++++++++++++++--------- phpcs.xml | 3 --- 3 files changed, 42 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11bfdc0..e7638f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [Unreleased] + +### Security +- Added nonce validation in admin pages + ## [2.1.1] - 2022-09-15 ### Fixed diff --git a/inc/class-mailrelaypages.php b/inc/class-mailrelaypages.php index f1378da..27f47fd 100644 --- a/inc/class-mailrelaypages.php +++ b/inc/class-mailrelaypages.php @@ -39,7 +39,18 @@ public function render_admin_page() { load_plugin_textdomain( 'mailrelay', false, 'mailrelay/languages/' ); - if ( isset( $_POST['action'] ) ) { + // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated + if ( isset($_SERVER['REQUEST_METHOD']) && 'POST' === $_SERVER['REQUEST_METHOD'] && ! wp_verify_nonce(sanitize_key($_POST['_mailrelay_nonce']), '_mailrelay_nonce') ) { + wp_die( + 'Invalid Nonce', + 'Invalid Nonce', + array( + 'back_link' => true, + ) + ); + } + + if ( isset($_POST['action']) ) { if ( 'mailrelay_save_authentication_settings' === $_POST['action'] ) { $response = $this->process_save_connection_settings(); } elseif ( 'mailrelay_save_settings' === $_POST['action'] ) { @@ -108,10 +119,11 @@ public function render_admin_page() {
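Review bot: `sanitize_key($_POST['_mailrelay_nonce'])` in the new guard dereferences the field without an isset, so a POST that omits it raises an undefined-array-key warning before `wp_verify_nonce` returns false — which is exactly what the `phpcs:ignore ... InputNotValidated` pragma above it is silencing. Use `! wp_verify_nonce( isset( $_POST['_mailrelay_nonce'] ) ? sanitize_key( wp_unslash( $_POST['_mailrelay_nonce'] ) ) : '', '_mailrelay_nonce' )` and drop the pragma, or replace the whole guard with `check_admin_referer( '_mailrelay_nonce', '_mailrelay_nonce' );`, which verifies and dies with WordPress's standard translated message instead of the untranslated `'Invalid Nonce'` strings. A nonce is not an authorization check: unless the page callback is already restricted to a `manage_options`-level capability at menu registration (not visible here), a `current_user_can()` test belongs next to this guard. `render_admin_page` continues past the end of the hunk.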
'return check_form();' ); - $submit_text = __( 'Sync', 'mailrelay' ); - submit_button( $submit_text, 'primary', 'submit-manual', true, $attributes ); + wp_nonce_field('_mailrelay_nonce', '_mailrelay_nonce'); + do_settings_sections( 'manual-page-admin' ); + $attributes = array( 'onclick' => 'return check_form();' ); + $submit_text = __( 'Sync', 'mailrelay' ); + submit_button( $submit_text, 'primary', 'submit-manual', true, $attributes ); ?>
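Review bot: `wp_nonce_field('_mailrelay_nonce', '_mailrelay_nonce')` uses the same action name that `render_admin_page` verifies for every POST, so — assuming the other forms on the page emit the same field, as the single verification suggests — a token issued for a manual sync is equally valid for saving the connection settings or the auto-sync settings. That is enough against cross-site forgery on its own, but the WordPress convention is a per-intent action, e.g. `wp_nonce_field( 'mailrelay_manual_sync', '_mailrelay_nonce' );` here, with the matching action passed to `wp_verify_nonce` next to the `$_POST['action']` dispatch, so a token cannot be replayed against a different handler. The enclosing `render_admin_page` starts and ends outside this hunk.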
@@ -130,6 +142,7 @@ public function render_admin_page() {
'return check_form();' ); $submit_text = __( 'Save', 'mailrelay' ); @@ -331,7 +345,8 @@ public function action_manual_sync_callback() { } public function auto_sync_callback() { - $value = isset( $_POST['mailrelay_auto_sync'] ) ? wp_unslash( $_POST['mailrelay_auto_sync'] ) : get_option( 'mailrelay_auto_sync' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Reason: Nonce verification happens at render_admin_page. + $value = isset( $_POST['mailrelay_auto_sync'] ) ? filter_var( wp_unslash( $_POST['mailrelay_auto_sync'] ), FILTER_SANITIZE_NUMBER_INT ) : get_option( 'mailrelay_auto_sync' ); ?> /> 
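Review bot: `filter_var( ..., FILTER_SANITIZE_NUMBER_INT )` on `mailrelay_auto_sync` only strips characters, so it yields a string such as `"1"` and lets inputs like `"+-"` or `""` through instead of rejecting them. Because the value only decides whether the checkbox renders checked, validating to a real integer is the better fit: `$value = isset( $_POST['mailrelay_auto_sync'] ) ? filter_var( wp_unslash( $_POST['mailrelay_auto_sync'] ), FILTER_VALIDATE_INT ) : get_option( 'mailrelay_auto_sync' );`, which returns an int or `false`. The same `FILTER_SANITIZE_NUMBER_INT` call in `process_save_settings` should change with it so the stored option is an int rather than a digit string. How `$value` is interpolated into the input's `checked`/`value` attribute is not in the visible text, so escaping at that point could not be checked.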
@@ -405,14 +422,17 @@ protected function mailrelay_data() { public function process_save_connection_settings() { $mailrelay_data = array(); - $mailrelay_data['host'] = isset( $_POST['mailrelay_host'] ) ? wp_unslash( $_POST['mailrelay_host'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Reason: Nonce verification happens at render_admin_page. + $mailrelay_data['host'] = isset( $_POST['mailrelay_host'] ) ? sanitize_text_field( wp_unslash( $_POST['mailrelay_host'] ) ) : ''; if ( strpos( $mailrelay_data['host'], 'http://' ) === 0 || strpos( $mailrelay_data['host'], 'https://' ) === 0 ) { $mailrelay_data['host'] = wp_parse_url( $mailrelay_data['host'], PHP_URL_HOST ); } if ( strpos( $mailrelay_data['host'], '.ipzmarketing.com' ) !== false ) { $mailrelay_data['host'] = str_replace( '.ipzmarketing.com', '', $mailrelay_data['host'] ); } - $mailrelay_data['api_key'] = ( isset( $_POST['mailrelay_api_key'] ) ) ? wp_unslash( $_POST['mailrelay_api_key'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + + // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Reason: Nonce verification happens at render_admin_page. + $mailrelay_data['api_key'] = ( isset( $_POST['mailrelay_api_key'] ) ) ? sanitize_text_field( wp_unslash( $_POST['mailrelay_api_key'] ) ) : ''; $ping_response_code = mailrelay_ping( $mailrelay_data ); 
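Review bot: `sanitize_text_field` on `mailrelay_host` removes tags and control characters but still accepts any string, and the result goes straight into `mailrelay_ping( $mailrelay_data )`, so the connection test is attempted against whatever an administrator submits. The code already expects a bare host (it strips the scheme via `wp_parse_url` and the `.ipzmarketing.com` suffix), so validating before the ping makes that explicit, e.g. `if ( false === filter_var( $mailrelay_data['host'], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME ) ) { /* take the same failure path the ping-error branch below uses */ }`. Note also that `str_replace( '.ipzmarketing.com', '', ... )` is unanchored, so `foo.ipzmarketing.com.example` becomes `foo.example`; checking that the string ends with the suffix and trimming it with `substr` is tighter. The rest of `process_save_connection_settings`, including the ping-error handling, is below the hunk.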
@@ -455,8 +475,11 @@ public function process_save_connection_settings() { public function process_save_settings() { $mailrelay_data = array(); - $mailrelay_data['mailrelay_auto_sync'] = ( isset( $_POST['mailrelay_auto_sync'] ) ) ? wp_unslash( $_POST['mailrelay_auto_sync'] ) : false; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized - $mailrelay_data['mailrelay_auto_sync_groups'] = ( isset( $_POST['mailrelay_auto_sync_groups'] ) ) ? wp_unslash( $_POST['mailrelay_auto_sync_groups'] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Reason: Nonce verification happens at render_admin_page. + $mailrelay_data['mailrelay_auto_sync'] = ( isset( $_POST['mailrelay_auto_sync'] ) ) ? filter_var( wp_unslash( $_POST['mailrelay_auto_sync'] ), FILTER_SANITIZE_NUMBER_INT ) : false; + + // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing -- Reason: Nonce verification happens at render_admin_page. + $mailrelay_data['mailrelay_auto_sync_groups'] = ( isset( $_POST['mailrelay_auto_sync_groups'] ) ) ? wp_unslash( $_POST['mailrelay_auto_sync_groups'] ) : array(); update_option( 'mailrelay_auto_sync', $mailrelay_data['mailrelay_auto_sync'] ); update_option( 'mailrelay_auto_sync_groups', $mailrelay_data['mailrelay_auto_sync_groups'] ); @@ -468,6 +491,7 @@ public function process_save_settings() { } public function process_manual_sync() { + // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reason: Nonce verification happens at render_admin_page. $woo_commerce_option = ( isset( $_REQUEST['woo_commerce'] ) ) ? sanitize_key( wp_unslash( $_REQUEST['woo_commerce'] ) ) : ''; if ( 'only' === $woo_commerce_option ) { 
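Review bot: `mailrelay_auto_sync_groups` is still stored unsanitized — the new line keeps the bare `wp_unslash( $_POST['mailrelay_auto_sync_groups'] )` and adds an `InputNotSanitized` ignore — even though the equivalent `group` input in `process_manual_sync` is run through `array_map( 'intval', ... )`. Whatever shape the submitted data has (a scalar instead of an array, arbitrary strings instead of ids) lands in the option via `update_option`. Make the two agree: `$mailrelay_data['mailrelay_auto_sync_groups'] = isset( $_POST['mailrelay_auto_sync_groups'] ) ? array_map( 'intval', (array) wp_unslash( $_POST['mailrelay_auto_sync_groups'] ) ) : array();`, assuming, as the `group` handling suggests, that these are numeric group ids. Nonce verification does not stand in for sanitization; the two pragmas on that line justify different things.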
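Review bot: `process_manual_sync` reads `woo_commerce` from `$_REQUEST`, while the nonce added in `render_admin_page` is only checked when `REQUEST_METHOD` is POST, so this parameter can be supplied through the query string or a cookie of the nonce-carrying request rather than from the form body the token was issued for. That does not reopen the CSRF, but reading `$_POST['woo_commerce']` would match the dispatch on `$_POST['action']` and make the `Nonce verification happens at render_admin_page` justification literally true: `$woo_commerce_option = isset( $_POST['woo_commerce'] ) ? sanitize_key( wp_unslash( $_POST['woo_commerce'] ) ) : '';`. The method continues past the end of the hunk.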
@@ -484,6 +508,7 @@ public function process_manual_sync() { $users = get_users(); } + // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reason: Nonce verification happens at render_admin_page. $groups = isset( $_REQUEST['group'] ) ? array_map( 'intval', wp_unslash( $_REQUEST['group'] ) ) : array(); $added = 0; $updated = 0; diff --git a/phpcs.xml b/phpcs.xml index 132fa82..27f6d35 100644 --- a/phpcs.xml +++ b/phpcs.xml @@ -3,9 +3,6 @@ Generally-applicable sniffs for WordPress plugins - - -
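Review bot: `array_map( 'intval', wp_unslash( $_REQUEST['group'] ) )` throws a TypeError on PHP 8 when `group` arrives as a scalar (`group=1` instead of `group[]=1`), because `wp_unslash` returns the string unchanged and `array_map` requires an array; on PHP 7 it warns and yields null, which the later code presumably does not expect. Cast before mapping: `$groups = isset( $_REQUEST['group'] ) ? array_map( 'intval', (array) wp_unslash( $_REQUEST['group'] ) ) : array();`. As with `woo_commerce` earlier in the same method, `$_POST` is the more precise source given that the nonce is only verified on POST. `process_manual_sync` continues below the hunk.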