Commit 122d741
Security hardening: authorization, input validation, and logging (#2923)
* scope dynamic records map endpoints to caller's viewable records
- authorize and scope cluster_geojson, get_grid_totals,
get_list_by_grid_id and points_geojson callbacks
- personal map limits results to records shared with the current user;
records map requires all-access or project metrics permission
* fix sql injection in date_range_activity user_select filter
cast the user id to an integer before building the meta_value clause
so a crafted value.ID can no longer break out of the query
* harden contact receive-transfer against object injection
- validate the transfer token before inserting or processing meta,
rejecting forged or missing tokens
- decode postmeta values with allowed_classes disabled so serialized
objects can no longer be instantiated
* require a real user for get_settings instead of a dead guard
wp_get_current_user() always returns an object, so check ->exists()
so the settings endpoint fails closed for logged-out requests
* stop logging magic-link request params to the php error log
remove leftover debug error_log calls in the dt-home endpoint that
wrote the magic-link public_key to the log on every request
* stop logging the cleartext password on password change
remove the dt_write_log call that wrote the new password to debug.log
* escape stored values when rendering revert and name dialogs
render activity revert values, merge target name, and delete-filter
name as text instead of html to prevent stored xss
* require update permission for activity revert and post merge
both operations write to records but were gated on can_view; check
can_update so a view-only user cannot revert or merge records
* throttle brute-force attempts on the jwt token endpoint
cap repeated failed logins per client ip on /jwt-auth/v1/token using
transients; scoped to the token endpoint and disableable via filter
* protect the assigned user's share from removal by collaborators
the prior guard was unreachable; a user with only a share could remove
the assigned user's share and lock them out. allow self-removal, and
restrict removing the assignee's share to that user or update_any holders
* validate upload content type and prevent inline-executable files
detect the real mime type from the file bytes instead of trusting the
client, and store anything that is not a raster image as octet-stream
* use constant-time comparison for site-link transfer tokens
replace loose == checks with hash_equals so token matching is
constant-time and not subject to numeric string type juggling
* validate plugin-install download url against ssrf
reject non-http(s) schemes and hosts resolving to private, loopback,
link-local or reserved ranges, and fetch via the http api
* keep peoplegroups locale search inside the permission group
the locale clause was appended after the search parenthesis, so its OR
escaped the share gate; move it inside so access filters still apply
* explain why the assigned user cannot be unshared
state the reason (the user is assigned to the record) and make the
message translatable instead of a generic permission error
* phpcs
1 parent c2ee7bd
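The plugin-install SSRF check described in the message, written out as an added stand-alone example (not the commit's own code). The function names, the `$resolver` callable, and the DNS table are assumptions made so the check can run offline; in production the resolver would be `gethostbynamel`.

```php
<?php
// Added example, not the commit's code: reject download URLs with a non-http(s)
// scheme or a host that resolves into private, loopback, link-local or reserved
// space. $resolver is a hypothetical injection point standing in for DNS.
function is_public_ip( string $ip ): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::, ::1 and fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return false !== filter_var( $ip, FILTER_VALIDATE_IP, $flags );
}
function is_safe_download_url( string $url, callable $resolver ): bool {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), [ 'http', 'https' ], true ) ) {
        return false;                       // file:, ftp:, gopher: and friends
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;                       // userinfo in the URL is a confusion trick
    }
    $host = strtolower( trim( $parts['host'], '[]' ) );   // strip IPv6 brackets
    // A literal IP is checked directly; a hostname must have every record
    // checked, because one inward-pointing record is enough to reach internals.
    $ips = filter_var( $host, FILTER_VALIDATE_IP ) ? [ $host ] : ( $resolver( $host ) ?: [] );
    if ( empty( $ips ) ) {
        return false;                       // unresolvable host: fail closed
    }
    foreach ( $ips as $ip ) {
        if ( ! is_public_ip( (string) $ip ) ) {
            return false;
        }
    }
    return true;
}
// Constructed DNS table standing in for gethostbynamel() so this runs offline.
$fake_dns = function ( string $host ): array {
    return [
        'plugins.example.org' => [ '203.0.113.10' ],               // public only
        'mixed.example.net'   => [ '203.0.113.10', '127.0.0.1' ],  // one loopback record
        'linklocal.example'   => [ '169.254.10.10' ],              // link-local
    ][ $host ] ?? [];
};
$urls = [ 'https://plugins.example.org/p.zip', 'https://mixed.example.net/p.zip',
          'http://linklocal.example/p.zip', 'file:///etc/passwd',
          'http://10.0.0.5/p.zip', 'http://[::1]/p.zip' ];
foreach ( $urls as $url ) {
    printf( "%-36s %s\n", $url, is_safe_download_url( $url, $fake_dns ) ? 'allowed' : 'rejected' );
}
```

Of the constructed URLs only the first passes; each of the others exercises one rejection path (multi-record host with a loopback entry, link-local host, non-http scheme, private literal, IPv6 loopback literal).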
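The contact receive-transfer hardening and the constant-time token comparison from the message, combined in one added example (not the commit's own code). `tokens_match`, `decode_meta_value`, `contains_object`, `receive_transfer`, the `transfer_token` request key and the postmeta strings are all assumptions constructed for illustration.

```php
<?php
// Added example, not the commit's code: validate the transfer token with
// hash_equals before touching any meta, then decode postmeta with
// allowed_classes disabled and drop anything that deserialized to an object.
function tokens_match( $stored, $supplied ): bool {
    // hash_equals is constant-time and only accepts strings, so a missing
    // token or a numeric-looking string can no longer match through ==.
    return is_string( $stored ) && is_string( $supplied ) && hash_equals( $stored, $supplied );
}
function decode_meta_value( string $raw ) {
    // With allowed_classes => false every serialized object becomes a
    // __PHP_Incomplete_Class, so no __wakeup/__destruct runs on foreign data.
    $value = @unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( false === $value && 'b:0;' !== $raw ) {
        return $raw;                          // not serialized at all: keep the string
    }
    return contains_object( $value ) ? null : $value;   // object payloads are dropped
}
function contains_object( $value ): bool {
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) { if ( contains_object( $item ) ) { return true; } }
        return false;
    }
    return is_object( $value );
}
function receive_transfer( $stored_token, array $request, array $postmeta ): array {
    if ( ! tokens_match( $stored_token, $request['transfer_token'] ?? null ) ) {
        return [ 'ok' => false, 'reason' => 'invalid transfer token' ]; // reject before any meta work
    }
    $clean = [];
    foreach ( $postmeta as $key => $raw ) {
        $clean[ $key ] = decode_meta_value( (string) $raw );
    }
    return [ 'ok' => true, 'meta' => $clean ];
}
// Constructed inputs. The first call shows why == was unsafe: PHP compares two
// numeric strings numerically, which hash_equals never does.
$stored = bin2hex( random_bytes( 16 ) );
var_dump( tokens_match( '0', '0e1234' ) );
var_dump( receive_transfer( $stored, [], [] )['ok'] );          // missing token
$meta = [
    'overall_status' => 's:6:"active";',
    'tags'           => 'a:1:{i:0;s:3:"vip";}',
    'payload'        => 'O:8:"stdClass":1:{s:4:"hook";s:2:"rm";}',  // serialized object
    'note'           => 'plain text, not serialized',
];
print_r( receive_transfer( $stored, [ 'transfer_token' => $stored ], $meta ) );
```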
17 files changed
Lines changed: 242 additions & 55 deletions
File tree
- dt-apps/dt-home
- dt-assets/js
- dt-contacts
- dt-core
- admin
- dt-metrics/records
- dt-posts
- dt-users