Merge pull request #1066 from Codeinwp/bugfix/pro/634

fix: nonce verification

Author: vytisbulkevicius

cron-system/assets/js/debug-test.js

@@ -84,7 +84,7 @@
 						{
 							type: "GET",
 							url: ajaxurl,
-							data: { 'action': 'reset_local_auth_key' },
+							data: { 'action': 'reset_local_auth_key', 'nonce': rop_debug.nonce },
 							dataType: 'json', // xml, html, script, json, jsonp, text
 							success: function ( data ) {
 								if ( true === data.success ) {
@@ -143,7 +143,7 @@
 						{
 							type: "GET",
 							url: ajaxurl,
-							data: { 'action': 'remove_remote_account' },
+							data: { 'action': 'remove_remote_account', 'nonce': rop_debug.nonce },
 							dataType: 'json', // xml, html, script, json, jsonp, text
 							success: function ( data ) {
 								if ( true === data.success ) {

cron-system/includes/class-debug-page.php

@@ -43,6 +43,15 @@ function __construct() {
 	 * Used to delete the remote user account.
 	 */
 	public function cron_system_delete_account() {
+
+		if ( ! isset( $_GET['nonce'] ) || empty( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'], 'rop_debug' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Nonce is invalid', 'tweet-old-post' ) ) );
+		}
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Insufficient permissions', 'tweet-old-post' ) ) );
+		}
+
 		$response = array();
 
 		$token = get_option( 'rop_access_token', '' );
@@ -83,6 +92,15 @@ public function cron_system_delete_account() {
 	 * @since 0.0.1
 	 */
 	public function reset_local_client() {
+
+		if ( ! isset( $_GET['nonce'] ) || empty( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'], 'rop_debug' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Nonce is invalid', 'tweet-old-post' ) ) );
+		}
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Insufficient permissions', 'tweet-old-post' ) ) );
+		}
+
 		$response = array();
 
 		// Delete local key.
@@ -110,16 +128,10 @@ public function load_custom_wp_admin_style( $hook ) {
 		// Load the JS library ony on this page
 		if ( 'revive-old-posts_page_rop_service_debug' === $hook ) {
 			wp_enqueue_script( 'rop-debug', ROP_LITE_URL . 'cron-system/assets/js/debug-test.js', array( 'jquery' ), '1.0.0', true );
-			// Generate a pseudo-random string of bytes.
-			$random_key = Rop_Helpers::openssl_random_pseudo_bytes();
-			// Auth token creation.
-			$created_token = hash( 'sha256', SECURE_AUTH_SALT . $random_key, false );
-
-			update_option( 'rop_temp_debug', $created_token, 'no' );
 
 			$data_tables = array(
 				'local_url'      => get_site_url() . '/wp-json/tweet-old-post-cron/v1/debug-test/',
-				'nonce'          => $created_token,
+				'nonce'          => wp_create_nonce( 'rop_debug' ),
 				'remote_url'     => ROP_CRON_DOMAIN . '/wp-json/account-status/v1/debug-test/',
 				'action_success' => __( 'Request completed', 'tweet-old-post' ),
 				'action_fail'    => __( 'Requested failed to complete.', 'tweet-old-post' ),

cron-system/rest-endpoints/class-rop-debug-ping.php

@@ -96,20 +96,13 @@ public function register_routes() {
 	 * @access public
 	 */
 	public function process_the_request( WP_REST_Request $request ) {
-		$key       = $request->get_param( 'secret_temp_key' );
-		$local_key = trim( get_option( 'rop_temp_debug', '' ) );
+		$key = $request->get_param( 'secret_temp_key' );
 
-		$return_data = array(
-			'success' => false,
-		);
-
-		if ( ! empty( $local_key ) ) {
-			if ( $key === $local_key ) {
-				$return_data['success'] = true;
-			}
+		if ( ! empty( $key ) || ! wp_verify_nonce( $key, 'rop_debug' ) ) {
+			return array( 'success' => false );
 		}
 
-		wp_send_json( $return_data );
+		return array( 'success' => true );
 	}
 
 	/**

phpstan-baseline.neon

@@ -102,12 +102,6 @@ parameters:
 			count: 1
 			path: cron-system/class-rop-cron-core.php
 
-		-
-			message: '#^Constant SECURE_AUTH_SALT not found\.$#'
-			identifier: constant.notFound
-			count: 1
-			path: cron-system/includes/class-debug-page.php
-
 		-
 			message: '#^Method RopCronSystem\\Pages\\Debug_Page\:\:cron_system_delete_account\(\) has no return type specified\.$#'
 			identifier: missingType.return
@@ -138,12 +132,6 @@ parameters:
 			count: 1
 			path: cron-system/includes/class-debug-page.php
 
-		-
-			message: '#^Parameter \#3 \$autoload of function update_option expects bool\|null, string given\.$#'
-			identifier: argument.type
-			count: 1
-			path: cron-system/includes/class-debug-page.php
-
 		-
 			message: '#^Constant SECURE_AUTH_SALT not found\.$#'
 			identifier: constant.notFound