Bulk scan/fix for insecure content from the admin #112
Conversation
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
2 times, most recently
from
41967ab to
292e8c9
Compare
kmgalanakis
changed the title
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
from
292e8c9 to
853d690
Compare
jeffpaul
requested review from
a team and
peterwilsoncc
and removed request for
a team
|
@kmgalanakis Feel free to ping me on the ticket once this is ready for review so it doesn't get lost. I'm happy to do an early scan if you wish, too, just say the word. |
@peterwilsoncc the biggest part of the work here is done but the problem is that I realized my current approach is not performing very well when there is a large number of posts with insecure content to be updated. I want to change that and as soon as it's ready I will let you know. |
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
3 times, most recently
from
d13b79a to
8837f00
Compare
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
13 times, most recently
from
268e858 to
c0be893
Compare
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
from
c0be893 to
6cba4df
Compare
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
from
6cba4df to
50b2b85
Compare
@peterwilsoncc the fix is ready for review. I can still see the E2E tests failing but they are also failing on Please let me know what you think about the approach and the code. Thank you. |
There was a problem hiding this comment.
I've added some notes inline, there's a couple of security pick ups in there that are blockers.
There's a lot of unrelated changes in this PR due to the eslint fixes, while that should probably be done, I'd rather do it on a separate ticket to avoid confiscation. Especially given the introduction of bulk edits/rest endpoints that need a good security review.
includes/admin.php
Outdated
| $hook = add_management_page( | ||
| __( 'Insecure Content Warning Admin', 'insecure-content-warning' ), | ||
| __( 'Insecure Content Warning', 'insecure-content-warning' ), | ||
| 'install_plugins', |
There was a problem hiding this comment.
| 'install_plugins', | |
| 'edit_posts', |
As a general capability, this seems closes to what the page is doing.
There was a problem hiding this comment.
Good point, thank you!
| // Wait for a while before fixing the rest. | ||
| usleep( 1000 ); |
There was a problem hiding this comment.
I don't understand why the wait, what is the intent?
There was a problem hiding this comment.
I can't remember exactly because it's been a while but I'm guessing this was a leftover from my initial approach. I removed it.
|
|
||
| foreach ( $this->warning_count as $warning ) { | ||
| $warning_message = array_shift( $warning ); | ||
| $output .= '<span class="warning">' . __( 'Warning', 'insecure-content-warning' ) . '</span>: ' . $warning_message . PHP_EOL; |
There was a problem hiding this comment.
| $output .= '<span class="warning">' . __( 'Warning', 'insecure-content-warning' ) . '</span>: ' . $warning_message . PHP_EOL; | |
| $output .= '<span class="warning">' . __( 'Warning', 'insecure-content-warning' ) . '</span>: ' . wp_strip_all_tags( $warning_message ) . PHP_EOL; |
I know it isn't needed now but it protects ourselves from our future selves.
There was a problem hiding this comment.
Better safe than sorry, thank you.
| // translators: Message to show when the system is unable to fetch details for the post. | ||
| $message = sprintf( __( 'Unable to fetch details for post %s', 'insecure-content-warning' ), $post_id ); |
There was a problem hiding this comment.
Translator notes are intended to describe the placeholder rather than the string.
| // translators: Message to show when the system is unable to fetch details for the post. | |
| $message = sprintf( __( 'Unable to fetch details for post %s', 'insecure-content-warning' ), $post_id ); | |
| // translators: %d The Post ID being scanned for insecure content. | |
| $message = sprintf( __( 'Unable to fetch details for post %d', 'insecure-content-warning' ), $post_id ); |
There was a problem hiding this comment.
Done, thank you.
| // translators: Message to show when the system is unable to fetch details for the post. | ||
| $message = sprintf( __( 'Unable to fetch details for post %s', 'insecure-content-warning' ), $post_id ); | ||
| if ( defined( 'WP_CLI' ) && WP_CLI ) { | ||
| // translators: Message to show when the system is unable to fetch details for the post. |
There was a problem hiding this comment.
| // translators: Message to show when the system is unable to fetch details for the post. |
There was a problem hiding this comment.
Done, thank you.
| } | ||
| $this->fixed_post_count[] = array( 'URL(s) fixed summary' => $dry_run_message ); | ||
| } else { | ||
| // translators: Summary to show on fix. |
There was a problem hiding this comment.
Done, thank you.
includes/partials/admin-page.php
Outdated
| <option selected="selected" value="<?php echo esc_attr( 'all' ); ?>"><?php esc_html_e( 'All', 'insecure-content-warning' ); ?></option> | ||
| <option value="<?php echo esc_attr( 'posts' ); ?>"><?php esc_html_e( 'Individual post(s)', 'insecure-content-warning' ); ?></option> | ||
| <option value="<?php echo esc_attr( 'all_from_post_type' ); ?>"><?php esc_html_e( 'All from post type', 'insecure-content-warning' ); ?></option> |
There was a problem hiding this comment.
No need to escape the constants, just variables and translations/
| <option selected="selected" value="<?php echo esc_attr( 'all' ); ?>"><?php esc_html_e( 'All', 'insecure-content-warning' ); ?></option> | |
| <option value="<?php echo esc_attr( 'posts' ); ?>"><?php esc_html_e( 'Individual post(s)', 'insecure-content-warning' ); ?></option> | |
| <option value="<?php echo esc_attr( 'all_from_post_type' ); ?>"><?php esc_html_e( 'All from post type', 'insecure-content-warning' ); ?></option> | |
| <option selected="selected" value="all"><?php esc_html_e( 'All', 'insecure-content-warning' ); ?></option> | |
| <option value="posts"><?php esc_html_e( 'Individual post(s)', 'insecure-content-warning' ); ?></option> | |
| <option value="all_from_post_type"><?php esc_html_e( 'All from post type', 'insecure-content-warning' ); ?></option> |
There was a problem hiding this comment.
Good point, thank you.
includes/rest.php
Outdated
| array( | ||
| 'methods' => 'POST', | ||
| 'callback' => __NAMESPACE__ . '\\fix_endpoint', | ||
| 'permission_callback' => '__return_true', |
There was a problem hiding this comment.
| 'permission_callback' => '__return_true', | |
| 'permission_callback' => 'edit_posts', |
This might end up needing to be a little more complex to allow for CPTs registered with custom capabilities.
As it's editing the posts, it will definitely need to include a capability check and should probably include a nonce check for users without an application password.
There was a problem hiding this comment.
Should I take the time to research this now?
includes/rest.php
Outdated
| array( | ||
| 'methods' => 'POST', | ||
| 'callback' => __NAMESPACE__ . '\\count_for_fix_endpoint', | ||
| 'permission_callback' => '__return_true', |
There was a problem hiding this comment.
| 'permission_callback' => '__return_true', | |
| 'permission_callback' => 'edit_posts', |
Reveals data.
There was a problem hiding this comment.
Good point, thank you.
| * | ||
| * @return array | ||
| */ | ||
| function prepare_fix_params( WP_REST_Request $request ): array { |
There was a problem hiding this comment.
I suggest using the REST APIs schema for this.
There was a problem hiding this comment.
This method does nothing more than prepare the params coming from the request for the methods that implement that counting and the fixing of posts with insecure content. How do you think we could use the REST APIs schema for this?
There was a problem hiding this comment.
Generally, the goal is to do it the WordPress way -- using schema gets a lot of things for free.
Setting the parameters in the schema will use the validation and sanitization built in to WP, so specifying the expected types there will automatically throw warnings and validation errors for invalid values.
If WP discovers a security error in the RES API, by using the schema we can ensure that the upstream fixes are applied to the endpoints here too.
For post types, you'll probably need to do a little more validation -- see this line onwards in distributor -- to make sure the post type is intended to be visible in the rest api, the user has access, etc.
There was a problem hiding this comment.
The functionality to bulk scan/fix insecure content from the admin is actually a replication of the WP CLI functionality. The WP CLI functionality can properly scan/fix post types that are not shown in REST, so in my opinion, the admin functionality should behave exactly the same. According to my tests, neither the WP CLI nor the built admin functionality has problems scanning/fixing posts from a post type that is not shown in REST.
What I don't understand from your comment is how this specific function here could be avoided by the use of the WP REST API. Let me explain once again here that what this method does is "transform" the parameters of the WP REST API endpoint call into suitable parameters for the methods that count/scan/fix posts with insecure content. You see, these methods are also used from the WP CLI command and it wouldn't make too much sense to have a 1:1 relation between the REST API endpoints parameters with the parameters fo those methods, that is why I'm using this "transformation" method.
Still, I took the time to implement some more validation and sanitization callbacks for the actual REST API endpoint parameters to play more on the safe side.
| * | ||
| * @return array | ||
| */ | ||
| function prepare_fix_params( WP_REST_Request $request ): array { |
There was a problem hiding this comment.
Generally, the goal is to do it the WordPress way -- using schema gets a lot of things for free.
Setting the parameters in the schema will use the validation and sanitization built in to WP, so specifying the expected types there will automatically throw warnings and validation errors for invalid values.
If WP discovers a security error in the RES API, by using the schema we can ensure that the upstream fixes are applied to the endpoints here too.
For post types, you'll probably need to do a little more validation -- see this line onwards in distributor -- to make sure the post type is intended to be visible in the rest api, the user has access, etc.
| @@ -2,27 +2,26 @@ import blurInsecure from './utils/blur-insecure'; | |||
| import checkContent from './utils/check-content'; | |||
| import findElements from './utils/find-elements'; | |||
| import replaceContent from './utils/replace'; | |||
| import $ from 'jquery'; | |||
There was a problem hiding this comment.
At the start of the file you'll need to add:
// eslint-disable-next-line import/no-unresolved
import { jQuery } from 'jquery';This will ensure the dependency is included in dist/js/classic-editor.asset.php by @wordpress/dependency-extraction-webpack-plugin
There was a problem hiding this comment.
I think you mean import jQuery from 'jquery';. Initially, this didn't play nicely with ESLint but I ended up copying the way it's done in Distributor and now it's fine.
Thank you.
| import { debounce } from 'underscore'; | ||
| import { getScrollContainer } from '@wordpress/dom'; | ||
| import apiRequest from '@wordpress/api-request'; | ||
| import domReady from '@wordpress/dom-ready'; | ||
| import { dispatch, select, subscribe } from '@wordpress/data'; | ||
| import $ from 'jquery'; |
There was a problem hiding this comment.
Good catch, thank you.
| @@ -1,23 +1,21 @@ | |||
| import $ from 'jquery'; | |||
There was a problem hiding this comment.
Good catch, thank you.
| import blurInsecure from './blur-insecure'; | ||
| import { scanElements } from './scan-elements'; | ||
|
|
||
| import { __, _nx, sprintf } from '@wordpress/i18n'; | ||
| import $ from 'jquery'; |
There was a problem hiding this comment.
Good catch, thank you.
| @@ -1,29 +1,27 @@ | |||
| import { get } from 'underscore'; | |||
|
|
|||
| import $ from 'jquery'; | |||
There was a problem hiding this comment.
Good catch, thank you.
| @@ -1,5 +1,3 @@ | |||
| import $ from 'jquery'; | |||
There was a problem hiding this comment.
Good catch, thank you.
| public function count_post_to_check( string $post_type, int $posts_per_page, int $post_offset ): int { | ||
| $args = array( | ||
| 'posts_per_page' => $posts_per_page, | ||
| 'post_type' => 'all' === $post_type ? 'any' : $post_type, |
There was a problem hiding this comment.
This should be limited to only posts available via the rest api -- per note re:schema. Many e-commerce plugins use post types for orders sow we definitely need to exclude those.
There was a problem hiding this comment.
As I commented on the other conversation, the functionality to bulk scan/fix insecure content from the admin is actually a replication of the WP CLI functionality. The WP CLI functionality can properly scan/fix post types that are not shown in REST, so in my opinion, the admin functionality should behave exactly the same. According to my tests, neither the WP CLI nor the built admin functionality has problems scanning/fixing posts from a post type that is not shown in REST.
There was a problem hiding this comment.
The WP CLI functionality can properly scan/fix post types that are not shown in REST, so in my opinion, the admin functionality should behave exactly the same.
The difference between the two is that the WP-CLI is basically the equivalent of running as the root user on a server. Once someone has access to the server they can do anything, such as running wp db clean --yes so permissions don't apply.
For users with access to the dashboard only, we need to check that they have full permission to make any changes to a post. If a post type isn't editable via the rest API then we need to assume the developer has reasons for preventing this and respect their decision
There was a problem hiding this comment.
What you say makes perfect sense @peterwilsoncc. I've modified the method that counts posts with and the method that fixes insecure content so that posts from post types that are not shown in RFEST are excluded from the process.
Please let me know if this is what you meant. Thank you for your feedback and patience.
| // Check if a https version of the URL exists. | ||
| $secure_version_exists = false; | ||
| $ssl = preg_replace( '/^http:/i', 'https:', $url ); | ||
| $response = wp_remote_get( $ssl ); |
There was a problem hiding this comment.
maybe, maybe, maybe???
Per MDN, this should tell you whether the file exists without having to download the full content. It should return the HTTP headers as-though you were making a GET request.
| $response = wp_remote_get( $ssl ); | |
| $response = wp_remote_head( $ssl ); |
There was a problem hiding this comment.
This is part of the code from the implementation of the WP CLI command but I can confirm that your point is right, it checks if the URL resolves to an existing resource without downloading it just by checking the returned HTTP header.
Good point, thank you.
…EST API endpoint args with validation and sanitization callbacks and fix an issue with the WP CLI command generating a PHP fatal error.
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
from
7226db7 to
df6ab38
Compare
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
from
a33d13a to
df6ab38
Compare
…content from the admin
kmgalanakis
force-pushed
the
feature/bulk-scan-fix-from-admin
branch
from
58a0cdd to
d2b6321
Compare
| public function get_wp_query_post_type_args(): array { | ||
| return array( | ||
| 'show_ui' => true, | ||
| 'public' => true, |
There was a problem hiding this comment.
| 'public' => true, |
I think the other two will be fine, the user may have permission to edit some private post types
| $total = 0; | ||
|
|
||
| // Exclude post from post types not shown in REST when fixing insecure content from the admin UI. | ||
| if ( ! defined( 'WP_CLI' ) && 'any' === $post_type ) { |
There was a problem hiding this comment.
you've used all elsewhere and any here.
There was a problem hiding this comment.
Good point, fixed.
# Conflicts: # package-lock.json
Description of the Change
Closes #58
How to test the Change
echo '<!-- wp:image {"sizeSlug":"large"} --><figure class="wp-block-image size-large"><img src="http://cdn.pixabay.com/photo/2015/06/19/21/24/avenue-815297_960_720.jpg" alt=""/></figure><!-- /wp:image --><!-- wp:image {"sizeSlug":"large"} --><figure class="wp-block-image size-large"><img src="http://cdn.pixabay.com/photo/2015/06/19/21/24/avenue-815297_960_720.jpg" alt=""/></figure><!-- /wp:image --><!-- wp:image {"sizeSlug":"large"} --><figure class="wp-block-image size-large"><img src="http://cdn.pixabay.com/photo/2015/06/19/21/24/avenue-815297_960_720.jpg" alt=""/></figure><!-- /wp:image -->' | wp post generate --count=1 --post_type=carTools -> Insecure Content Warningand run (and dry-run) the process to fix the newly created posts. Play with all the options.Changelog Entry
Checklist: