
Add CSRF protection and input validation#1077

Merged: vytisbulkevicius merged 4 commits into development from bugfix/optimole-service/1703 on Jun 16, 2026

Conversation

@girishpanchal30 (Contributor)

All Submissions:

Changes proposed in this Pull Request:

Add nonce verification via check_ajax_referer(), validate attachment ID with absint() and post-type check, and verify uploaded file MIME type matches the original attachment using wp_check_filetype_and_ext() to prevent type-switching attacks. Expose nonce to JS via wp_localize_script and send it with each upload.

Closes https://github.com/Codeinwp/optimole-service/issues/1703 .

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
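The hardening described in this PR (nonce issued via wp_localize_script, check_ajax_referer(), absint() plus post-type check, and a content-derived MIME comparison with wp_check_filetype_and_ext()), written out as one enqueue hook and one AJAX handler. This is an added illustration, not the plugin's own code; the script handle, text domain, $_FILES field name and the capability check are assumptions, and the capability check goes beyond what the PR description lists because a nonce alone does not establish authorization.

```php
<?php
// Added example (not the plugin's code): hardened "replace file" flow as this PR describes it.
// Assumed: script handle, text domain 'optimole-wp', $_FILES['file'] field, hook names.

add_action( 'admin_enqueue_scripts', function ( $hook ) {
	if ( 'post.php' !== $hook ) {
		return;
	}
	// The nonce action here must equal the one verified in the AJAX handler below.
	wp_localize_script( 'optml-single-attachment', 'OMAttachmentEdit', array(
		'nonce'        => wp_create_nonce( 'optml_replace_media_nonce' ),
		'attachmentId' => get_the_ID(),
	) );
} );

add_action( 'wp_ajax_optml_replace_file', function () {
	// 1. CSRF: dies with -1 / HTTP 403 when the nonce is missing, stale or forged.
	check_ajax_referer( 'optml_replace_media_nonce', 'optml_replace_nonce' );

	// 2. Input validation: a positive integer that names an attachment post.
	$id = absint( $_POST['attachment_id'] ?? 0 );
	if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
		wp_send_json_error( array( 'message' => __( 'Invalid attachment ID', 'optimole-wp' ) ), 400 );
	}

	// 3. Authorization (assumed addition): a nonce proves intent, not permission to edit this post.
	if ( ! current_user_can( 'edit_post', $id ) ) {
		wp_send_json_error( array( 'message' => __( 'Permission denied', 'optimole-wp' ) ), 403 );
	}

	// 4. The upload must be a real HTTP-POSTed file, not an arbitrary server path.
	$tmp  = $_FILES['file']['tmp_name'] ?? '';
	$name = sanitize_file_name( $_FILES['file']['name'] ?? '' );
	if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
		wp_send_json_error( array( 'message' => __( 'No file uploaded', 'optimole-wp' ) ), 400 );
	}

	// 5. Type switching: derive the MIME type from file content and extension
	//    (never from the client-supplied $_FILES['file']['type']) and require it to
	//    equal the stored type of the attachment being replaced.
	$check = wp_check_filetype_and_ext( $tmp, $name );
	if ( empty( $check['type'] ) ) {
		wp_send_json_error( array( 'message' => __( 'Could not determine uploaded file type', 'optimole-wp' ) ), 415 );
	}
	if ( $check['type'] !== get_post_mime_type( $id ) ) {
		wp_send_json_error( array( 'message' => __( 'The uploaded file type does not match the original file type.', 'optimole-wp' ) ), 415 );
	}
	// All checks passed; the actual file replacement would follow here.
	wp_send_json_success( array( 'id' => $id, 'type' => $check['type'] ) );
} );
```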

pirate-bot (Collaborator) commented Jun 15, 2026

Plugin build for bf1c06b is ready 🛎️!

pirate-bot (Collaborator) commented Jun 15, 2026

🌍 i18n String Review Report

📊 Summary

Category     Count
➕ Added      2
➖ Removed    0
🔄 Changed    0
Total        2

➕ Added Strings (2)

String                                   Location                        Words   Suggested Match
Invalid attachment ID                    inc/media_rename/attachmen...   3       No close match
Could not determine uploaded file type   inc/media_rename/attachmen...   6       No close match
Total                                                                    9

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the media “replace file” flow in the attachment editor by adding CSRF protection and additional server-side validation to reduce the risk of unauthorized requests and file type switching.

Changes:

  • Exposes a replace-file nonce to the attachment edit JS and sends it with the upload request.
  • Adds nonce verification and stricter attachment ID validation in the AJAX replace endpoint.
  • Verifies the uploaded file’s detected MIME type matches the original attachment before replacing.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File                                   Description
inc/media_rename/attachment_edit.php   Adds nonce creation/localization and strengthens AJAX handler validation (nonce, attachment ID, MIME checks).
assets/js/single-attachment.js         Sends the nonce along with the AJAX replace-file upload request.


Comment on lines 125 to 129
function uploadFile() {
var formData = new FormData();
formData.append("action", "optml_replace_file");
formData.append("optml_replace_nonce", OMAttachmentEdit.nonce);
formData.append("attachment_id", OMAttachmentEdit.attachmentId);
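Review bot: The nonce appended as "optml_replace_nonce" is read from OMAttachmentEdit.nonce, which is localized once at page load, so it only stays valid for the WordPress nonce lifetime; if the attachment edit screen is left open past that, check_ajax_referer() on the server will reject the upload with -1 and HTTP 403. uploadFile() should treat that response as "nonce expired, reload the page" rather than as a generic upload failure, and the value must be produced with wp_create_nonce( 'optml_replace_media_nonce' ) so it matches the action string verified server-side.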
Comment thread inc/media_rename/attachment_edit.php Outdated
Comment on lines +333 to +334
check_ajax_referer( 'optml_replace_media_nonce', 'optml_replace_nonce' );

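Review bot: check_ajax_referer( 'optml_replace_media_nonce', 'optml_replace_nonce' ) establishes that the request came from a page that carried this nonce; it does not establish that the current user is allowed to replace this attachment's file. Pair it with a capability check once the attachment ID is known, e.g. `if ( ! current_user_can( 'edit_post', $id ) ) { wp_send_json_error( ..., 403 ); }`, so that a low-privilege logged-in user with a valid nonce cannot overwrite another author's media.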
Comment thread inc/media_rename/attachment_edit.php Outdated
Comment on lines +333 to +337
check_ajax_referer( 'optml_replace_media_nonce', 'optml_replace_nonce' );

$id = absint( $_POST['attachment_id'] ?? 0 );

if ( ! $id ) {
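Review bot: `$id = absint( $_POST['attachment_id'] ?? 0 )` followed by `if ( ! $id )` only rejects zero and negative values; any positive integer still passes, including IDs of non-attachment posts. The post-type check the PR description promises is not among the visible lines; if it follows separately, consider folding it into this condition, e.g. `if ( ! $id || 'attachment' !== get_post_type( $id ) ) {`, so the handler fails closed in one place and the "Invalid attachment ID" string covers both cases.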
@girishpanchal30 girishpanchal30 force-pushed the bugfix/optimole-service/1703 branch from be01897 to e22772f Compare June 15, 2026 13:23
@vytisbulkevicius (Contributor)

@claude[agent] replace and use the existing suggested string instead of the new one added, and check if there are possible matches for those other 2 new strings added, mentioned in comment #1077 (comment)

Claude AI and others added 2 commits June 16, 2026 09:17
Agent-Logs-Url: https://github.com/Codeinwp/optimole-wp/sessions/a9c6ff77-c741-4d3d-9004-4d12974a746f

Co-authored-by: vytisbulkevicius <36594177+vytisbulkevicius@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Codeinwp/optimole-wp/sessions/a9c6ff77-c741-4d3d-9004-4d12974a746f

Co-authored-by: vytisbulkevicius <36594177+vytisbulkevicius@users.noreply.github.com>
Claude AI (Contributor) commented Jun 16, 2026

@claude[agent] replace and use the existing suggested string instead of new one added and check if there are possible matches for those other 2 new strings added mentioned in comment https://github.co...

Replaced 'Uploaded file type does not match the original attachment' with the existing string 'The uploaded file type does not match the original file type.' from inc/media_rename/attachment_replace.php:77 in commit bf1c06b.

For the other 2 new strings ('Invalid attachment ID' and 'Could not determine uploaded file type'), I searched the entire codebase and confirmed there are no existing matches that could be reused — these are genuinely new concepts not previously expressed in any translatable string.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@vytisbulkevicius vytisbulkevicius merged commit 5008cd3 into development Jun 16, 2026
11 of 12 checks passed
@vytisbulkevicius vytisbulkevicius deleted the bugfix/optimole-service/1703 branch June 16, 2026 09:45
pirate-bot (Collaborator)

🎉 This PR is included in version 4.2.7 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@pirate-bot pirate-bot added the released Indicate that an issue has been resolved and released in a particular version of the product. label Jun 16, 2026