Merge pull request #297 from plausible/fix_speed_module

Dan0sz · web-flow · commit ceda3b977a40 · 2026-05-05T16:09:44.000+02:00
Improved: hardened Proxy Speed Module, to make sure it doesn't disable plugins on non-proxy requests.
diff --git a/mu-plugin/plausible-proxy-speed-module.php b/mu-plugin/plausible-proxy-speed-module.php
@@ -4,26 +4,26 @@
  * Description: Speeds up Plausible Analytics' proxy for avoiding ad blockers.
  * Plugin URI: https://plausible.io
  * Author: Plausible HQ
- * Version: 1.0.0
+ * Version: 1.0.1
  * Author URI: https://plausible.io
  *
  * Text Domain: plausible-analytics
  */
 
 class PlausibleProxySpeed {
 	/**
-	 * Is current request a request to our proxy?
+	 * Is the current request a request to our proxy?
 	 *
 	 * @var bool
 	 */
-	private $is_proxy_request = false;
+	private $is_proxy_request;
 
 	/**
 	 * Current request URI.
 	 *
 	 * @var string
 	 */
-	private $request_uri = '';
+	private $request_uri;
 
 	/**
 	 * Build properties.
@@ -38,27 +38,42 @@ public function __construct() {
 	}
 
 	/**
-	 * Helper method to retrieve Request URI. Checks several globals.
+	 * Helper method to retrieve Request URI.
 	 *
-	 * @return mixed
+	 * @return string
 	 */
 	private function get_request_uri() {
-		return $_SERVER[ 'REQUEST_URI' ];
+		return $_SERVER['REQUEST_URI'] ?? '';
 	}
 
 	/**
-	 * Check if current request is a proxy request.
+	 * Check if the current request is a proxy request.
+	 *
+	 * The namespace must appear as a path segment under the REST prefix
+	 * (e.g. /wp-json/<namespace>[/...]). Substring matches in query
+	 * strings, fragments, or unrelated path segments are rejected.
 	 *
 	 * @return bool
 	 */
 	private function is_proxy_request() {
-		$namespace = get_option( 'plausible_analytics_proxy_resources' )[ 'namespace' ] ?? '';
+		$namespace = get_option( 'plausible_analytics_proxy_resources' )['namespace'] ?? '';
 
 		if ( ! $namespace ) {
 			return false;
 		}
 
-		return strpos( $this->request_uri, $namespace ) !== false;
+		$path = parse_url( $this->request_uri, PHP_URL_PATH );
+
+		if ( ! is_string( $path ) || $path === '' ) {
+			return false;
+		}
+
+		$expected = function_exists( 'rest_url' )
+			? untrailingslashit( (string) wp_parse_url( rest_url( trim( $namespace, '/' ) ), PHP_URL_PATH ) )
+			: '/wp-json/' . trim( $namespace, '/' );
+
+		return $path === $expected
+		       || str_starts_with( $path, $expected . '/' );
 	}
 
 	/**
@@ -73,6 +88,10 @@ private function init() {
 	/**
 	 * Filter the list of active plugins for custom endpoint requests.
 	 *
+	 * Uses basename() exact-match comparison instead of strpos(), so a
+	 * plugin file path can only match if its filename is exactly in the
+	 * allowlist.
+	 *
 	 * @param array $active_plugins The list of active plugins.
 	 *
 	 * @return array The filtered list of active plugins.
@@ -86,11 +105,8 @@ public function filter_active_plugins( $active_plugins ) {
 		$filtered_plugins     = [];
 
 		foreach ( $active_plugins as $plugin ) {
-			foreach ( $allowed_plugin_files as $allowed_plugin_file ) {
-				if ( strpos( $plugin, $allowed_plugin_file ) !== false ) {
-					$filtered_plugins[] = $plugin;
-					break;
-				}
+			if ( in_array( basename( $plugin ), $allowed_plugin_files, true ) ) {
+				$filtered_plugins[] = $plugin;
 			}
 		}
 
diff --git a/src/Admin/Upgrades.php b/src/Admin/Upgrades.php
@@ -26,9 +26,9 @@ class Upgrades {
 	/**
 	 * Constructor for Upgrades.
 	 *
-	 * @return void
 	 * @since  1.3.0
 	 * @access public
+	 * @return void
 	 */
 	public function __construct() {
 		add_action( 'init', [ $this, 'run' ] );
@@ -38,13 +38,13 @@ public function __construct() {
 	 * Register routines for upgrades.
 	 * This is intended for automatic upgrade routines having less resource intensive tasks.
 	 *
+	 * @since  1.3.0
+	 * @access public
 	 * @return void
 	 *
 	 * @throws Exception
 	 *
 	 * @codeCoverageIgnore
-	 * @since  1.3.0
-	 * @access public
 	 */
 	public function run() {
 		$plausible_analytics_version = get_option( 'plausible_analytics_version' );
@@ -98,17 +98,21 @@ public function run() {
 			$this->upgrade_to_254();
 		}
 
+		if ( version_compare( $plausible_analytics_version, '2.5.8', '<' ) ) {
+			$this->upgrade_to_258();
+		}
+
 		// Add required upgrade routines for future versions here.
 	}
 
 	/**
 	 * Upgrade routine for 1.2.5
 	 * Cleans Custom Domain related options from database, as it was removed in this version.
 	 *
-	 * @return void
-	 * @codeCoverageIgnore
 	 * @since  1.2.5
 	 * @access public
+	 * @return void
+	 * @codeCoverageIgnore
 	 */
 	public function upgrade_to_125() {
 		$old_settings = Helpers::get_settings();
@@ -138,13 +142,12 @@ public function upgrade_to_125() {
 	/**
 	 * Get rid of the previous "example.com" default for self_hosted_domain.
 	 *
+	 * @since 1.2.6
 	 * @return void
 	 * @codeCoverageIgnore
-	 * @since 1.2.6
 	 */
 	public function upgrade_to_126() {
 		$old_settings = Helpers::get_settings();
-		$new_settings = $old_settings;
 
 		if ( ! empty( $old_settings['self_hosted_domain'] ) && strpos( $old_settings['self_hosted_domain'], 'example.com' ) !== false ) {
 			Helpers::update_setting( 'self_hosted_domain', '' );
@@ -265,11 +268,11 @@ public function upgrade_to_210() {
 	/**
 	 * If EDD is active and Ecommerce is enabled, create goals after updating the plugin.
 	 *
+	 * @since              v2.3.0
+	 *
 	 * @return void
 	 *
 	 * @codeCoverageIgnore because all we'd be doing is testing the Plugins API.
-	 * @since              v2.3.0
-	 *
 	 */
 	public function upgrade_to_230() {
 		$settings = Helpers::get_settings();
@@ -367,7 +370,7 @@ public function upgrade_to_254() {
 			return;
 		}
 
-		// Show CE notice if self-hosted domain is set, otherwise show Cloud notice.
+		// Show CE notice if Self-hosted Domain is set, otherwise show Cloud notice.
 		if ( ! empty( $self_hosted_domain ) ) {
 			add_action( 'admin_notices', [ $this, 'show_ce_api_token_notice' ] );
 
@@ -377,6 +380,25 @@ public function upgrade_to_254() {
 		add_action( 'admin_notices', [ $this, 'show_cloud_api_token_notice' ] );
 	}
 
+	/**
+	 * Updates the Proxy Module if Proxy is enabled.
+	 *
+	 * @return void
+	 *
+	 * @codeCoverageIgnore
+	 */
+	public function upgrade_to_258() {
+		$proxy_enabled = Helpers::proxy_enabled();
+
+		if ( $proxy_enabled ) {
+			$installer = new Module();
+
+			$installer->install();
+		}
+
+		update_option( 'plausible_analytics_version', '2.5.8' );
+	}
+
 	/**
 	 * Display a notice to CE users that haven't entered an API token yet.
 	 *
