Skip to content

Make sure payment gateway title is a string before sanitizing #33434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
barryhughes merged 4 commits into from
Jun 15, 2022
Merged

Make sure payment gateway title is a string before sanitizing #33434

barryhughes merged 4 commits into from
Jun 15, 2022

Conversation

@jorgeatorres
Copy link
Member

@jorgeatorres jorgeatorres commented Jun 15, 2022

All Submissions:

Changes proposed in this Pull Request:

This PR casts the gateway title to string before passing it through our new sanitizing methods to prevent possible fatal errors due to a type mismatch.
This seems very unlikely to happen (with only one gateway detected so far that is affected).

How to test the changes in this Pull Request:

  1. Check out the latest trunk.
  2. Install and activate the "Paytm Payments" plugin.
  3. Go to WC > Settings > Payments.
  4. You'll get a fatal error.
  5. Check out this branch.
  6. No fatal error on WC > Settings > Payments.

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
  • Have you created a changelog file for each project being changed, ie pnpm changelog add --filter=<project>?

FOR PR REVIEWER ONLY:

  • I have reviewed that everything is sanitized/escaped appropriately for any SQL or XSS injection possibilities. I made sure Linting is not ignored or disabled.

@jorgeatorres jorgeatorres requested a review from barryhughes June 15, 2022 16:06
@github-actions github-actions bot added the plugin: woocommerce Issues related to the WooCommerce Core plugin. label Jun 15, 2022
barryhughes
barryhughes reviewed Jun 15, 2022
View reviewed changes
Copy link
Member

@barryhughes barryhughes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good and it solves the issue in the stack-trace we saw; but it now makes me wonder about this related piece of code:

WC_Settings_API::validate_safe_text_field()

The $value it receives can also be null and so in principle the same problem could apply here.

Older methods take care of coercing the value to string in a manual fashion, perhaps we need to do the same (and drop the type-hinting in ::validate_safe_text_field(), unless we can always cast to string before passing to individual validation methods—not immediately sure if that could lead to other back-compat issues).

The above is related, but that doesn't mean we need to address it in this PR (since it's not triggering the fatal error we became aware of), but I wanted to pause, flag and get your thoughts ...

barryhughes
barryhughes previously approved these changes Jun 15, 2022
View reviewed changes
Copy link
Member

@barryhughes barryhughes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pre-emptively approving, because this looks good and works well: so, if we decide not to address the issue in my earlier comment, we can ship this ✅

@botwoo
Copy link
Collaborator

botwoo commented Jun 15, 2022
edited
Loading

📊 Test reports for this pull request have been published and are accessible through the following links:

Latest commit referenced in the reports: Update plugins/woocommerce/includes/abstracts/abstract-wc-settings-ap… d81b680
This comment will automatically be updated with the latest referenced commit when you push new changes to this pull request.

Visit the WooCommerce Test Reports homepage to view all published reports. See the FAQs page if you're having problems accessing them.

@jorgeatorres
Copy link
Member Author

jorgeatorres commented Jun 15, 2022

Hey @barryhughes!

Thanks for the quick review 💯.

Older methods take care of coercing the value to string in a manual fashion, perhaps we need to do the same (and drop the type-hinting in ::validate_safe_text_field(), unless we can always cast to string before passing to individual validation methods—not immediately sure if that could lead to other back-compat issues).

I liked the type-hint but if the method can in fact receive a null arg, this makes the most sense at least for now (principle of least effort?).
I've added a change to implement this in 3186116. Please let me know what you think.

@jorgeatorres jorgeatorres requested a review from barryhughes June 15, 2022 16:52
barryhughes
barryhughes previously approved these changes Jun 15, 2022
View reviewed changes
Copy link
Member

@barryhughes barryhughes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a further note, but, it's an optional change. This looks good!

@jorgeatorres
Copy link
Member Author

jorgeatorres commented Jun 15, 2022

Thanks @barryhughes! I've committed the suggested change.

barryhughes
barryhughes approved these changes Jun 15, 2022
View reviewed changes
Copy link
Member

@barryhughes barryhughes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM: I'll keep an eye on the tests/checks and merge when done 👍

@barryhughes barryhughes merged commit f0b9adc into trunk Jun 15, 2022
@barryhughes barryhughes deleted the html-sanitizer-on-null-gateway-title branch June 15, 2022 17:49
@github-actions github-actions bot added this to the 6.7.0 milestone Jun 15, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Jun 15, 2022

Hi @barryhughes, thanks for merging this pull request. Please take a look at these follow-up tasks you may need to perform:

  • Add the release: add testing instructions label

@jonathansadowski jonathansadowski modified the milestones: 6.7.0, 6.6.0 Jun 17, 2022
@jonathansadowski jonathansadowski mentioned this pull request Jun 17, 2022
Merged
@peterfabian peterfabian mentioned this pull request Jun 21, 2022
Closed
6 tasks
@github-actions github-actions bot mentioned this pull request Jun 22, 2022
Closed
This was referenced Jul 4, 2022
Closed
Closed
Closed
Closed
@github-actions github-actions bot mentioned this pull request Jul 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@barryhughes barryhughes barryhughes approved these changes

Assignees

No one assigned

Labels

plugin: woocommerce Issues related to the WooCommerce Core plugin.

Projects

None yet

Milestone

6.6.0

Development

Successfully merging this pull request may close these issues.

5 participants

@jorgeatorres @botwoo @barryhughes @jonathansadowski