Merge pull request #72 from matomo-org/AS-494

Added validation rule for apiMethod parameter in getTreemapData API call, #AS-494

Author: AltamashShaikh

API.php

@@ -13,8 +13,10 @@
 use Piwik\API\Request;
 use Piwik\Common;
 use Piwik\DataTable;
+use Piwik\Http\BadRequestException;
 use Piwik\Metrics;
 use Piwik\Period\Range;
+use Piwik\Piwik;
 use Piwik\Plugins\TreemapVisualization\Visualizations\Treemap;
 
 /**
@@ -49,9 +51,15 @@ public function getTreemapData(
         $availableHeight = false,
         $show_evolution_values = false
     ) {
-        if (!Request::isCurrentApiRequestTheRootApiRequest()) {
+        if (!Request::isCurrentApiRequestTheRootApiRequest() && !defined('PIWIK_TEST_MODE')) {
             return [];
         }
+        list($module, $method) = explode('.', $apiMethod);
+        $disAllowedApiActions = ['getBulkRequest'];
+        // Block if API action does not start with get
+        if (!$method || in_array($method, $disAllowedApiActions) || stripos($method, 'get') !== 0) {
+            throw new BadRequestException(Piwik::translate('TreemapVisualization_InvalidApiMethodException'));
+        }
 
         if (
             $period == 'range'

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Changelog
 
+# 5.0.5 - 2026-02-16
+- Added validation rules for ApiAction
+
 # 5.0.4 - 2025-07-07
 - Textual changes
 

lang/en.json

@@ -1,6 +1,7 @@
 {
     "TreemapVisualization": {
         "PluginDescription": "Visualise any report in Matomo as a Treemap. Click on the Treemap icon in each report to load the visualisation.",
-        "Treemap": "Treemap"
+        "Treemap": "Treemap",
+        "InvalidApiMethodException": "Invalid API method."
     }
 }

plugin.json

@@ -1,6 +1,6 @@
 {
     "name": "TreemapVisualization",
-    "version": "5.0.4",
+    "version": "5.0.5",
     "description": "Visualise any report in Matomo as a Treemap. Click on the Treemap icon in each report to load the visualisation.",
     "keywords": ["treemap", "graph", "visualization", "infovis", "jit"],
     "license": "GPL v3+",

tests/Integration/ApiTest.php

@@ -0,0 +1,78 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link    https://matomo.org
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\TreemapVisualization\tests\Integration;
+
+use Piwik\Http\BadRequestException;
+use Piwik\Plugins\TreemapVisualization\API;
+use Piwik\Tests\Framework\Fixture;
+use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
+
+/**
+ * @group TreemapVisualization
+ * @group ApiTest
+ * @group Plugins
+ */
+class ApiTest extends IntegrationTestCase
+{
+    private $api;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        Fixture::createSuperUser();
+        $this->api = API::getInstance();
+    }
+
+    /**
+     * @dataProvider validMethod
+     */
+    public function testGetTreemapDataAllowsValidApiMethod($method): void
+    {
+        $result = $this->api->getTreemapData(
+            $method,
+            'nb_visits',
+            'day',
+            '2025-02-03'
+        );
+
+        $this->assertIsArray($result);
+    }
+
+    /**
+     * @dataProvider inValidMethod
+     */
+    public function testGetTreemapDataRejectsInvalidApiMethod($method): void
+    {
+        $this->expectException(BadRequestException::class);
+        $this->api->getTreemapData(
+            $method,
+            'nb_visits',
+            'day',
+            '2025-02-03'
+        );
+    }
+
+    public function validMethod()
+    {
+        return [
+            ['API.getMatomoVersion'],
+            ['API.getPhpVersion'],
+        ];
+    }
+
+    public function inValidMethod()
+    {
+        return [
+            ['API.getBulkRequest'],
+            ['UsersManager.deleteUser'],
+        ];
+    }
+}