Changeset 3488388

Timestamp:

03/22/2026 07:54:44 PM (7 days ago)

Author:

freelancebo

Message:

v2.4.0: Security audit fixes - SSL verification configurable, auto-patch requires approval, HMAC anti-replay, REST rate limiting, firewall regex validation, input sanitization, trusted proxy validation

Location:

freelancebo-sentra-control/trunk

Files:

• admin/views/settings.php (modified) (1 diff)
• freelancebo-sentra-control.php (modified) (6 diffs)
• includes/class-sentra-api-client.php (modified) (1 diff)
• includes/class-sentra-event-queue.php (modified) (1 diff)
• includes/class-sentra-heartbeat.php (modified) (3 diffs)
• includes/modules/class-sentra-auto-patcher.php (modified) (5 diffs)
• includes/modules/class-sentra-firewall.php (modified) (3 diffs)
• includes/modules/class-sentra-ip-blocker.php (modified) (1 diff)
• includes/modules/class-sentra-login-guard.php (modified) (4 diffs)
• includes/modules/class-sentra-malware-scanner.php (modified) (1 diff)
• readme.txt (modified) (3 diffs)

freelancebo-sentra-control/trunk/admin/views/settings.php

@@ -62 +62 @@
                 </td>
             </tr>
+            <tr>
+                <th scope="row"><label for="sentra_auto_patch_enabled"><?php echo esc_html__( 'Auto-Patching', 'freelancebo-sentra-control' ); ?></label></th>
+                <td>
+                    <label>
+                        <input type="checkbox" id="sentra_auto_patch_enabled" name="sentra_auto_patch_enabled" value="1"
+                               <?php checked(get_option('sentra_auto_patch_enabled', '0'), '1'); ?> />
+                        <?php echo esc_html__( 'Enable automatic patching from server (without manual approval)', 'freelancebo-sentra-control' ); ?>
+                    </label>
+                    <p class="description">
+                        <?php echo esc_html__( 'When disabled (default), patches pushed from the server require manual approval in the Auto-Patch page.', 'freelancebo-sentra-control' ); ?>
+                    </p>
+                </td>
+            </tr>
+            <tr>
+                <th scope="row"><label for="sentra_ssl_verify"><?php echo esc_html__( 'SSL Verification', 'freelancebo-sentra-control' ); ?></label></th>
+                <td>
+                    <label>
+                        <input type="checkbox" id="sentra_ssl_verify" name="sentra_ssl_verify" value="1"
+                               <?php checked(get_option('sentra_ssl_verify', '1'), '1'); ?> />
+                        <?php echo esc_html__( 'Verify SSL certificates when connecting to Sentra server', 'freelancebo-sentra-control' ); ?>
+                    </label>
+                    <p class="description" style="color: #b32d2e;">
+                        <?php echo esc_html__( 'Warning: Disabling SSL verification is insecure and should only be used for testing with self-signed certificates.', 'freelancebo-sentra-control' ); ?>
+                    </p>
+                </td>
+            </tr>
         </table>
 

freelancebo-sentra-control/trunk/freelancebo-sentra-control.php

@@ -4 +4 @@
  * Plugin URI: https://freelancebo.it
  * Description: WordPress security agent - connects to FreelanceBo Sentra Control central console for WAF, malware scanning, brute force protection, and file integrity monitoring.
- * Version: 2.3.1
+ * Version: 2.4.0
  * Author: Freelancebo
  * License: GPL-2.0-or-later
@@ -12 +12 @@
 if (!defined('ABSPATH')) exit;
 
-define("SENTRA_VERSION", "2.3.1");
+define("SENTRA_VERSION", "2.4.0");
 define('SENTRA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('SENTRA_PLUGIN_URL', plugin_dir_url(__FILE__));
@@ -157 +157 @@
         ]);
 
+        register_setting('sentra_settings', 'sentra_auto_patch_enabled', ['sanitize_callback' => 'sanitize_text_field', 'default' => '0']);
+        register_setting('sentra_settings', 'sentra_ssl_verify', ['sanitize_callback' => 'sanitize_text_field', 'default' => '1']);
+
         // AJAX test connection
         add_action('wp_ajax_sentra_test_connection', [$this, 'ajax_test_connection']);
@@ -202 +205 @@
 
     /**
-     * Allow self-signed SSL for the Sentra server URL.
+     * Allow self-signed SSL for the Sentra server URL (only when SSL verify is disabled).
      */
     public function allow_sentra_ssl($args, $url) {
         $server = get_option('sentra_server_url', '');
         if ($server && strpos($url, rtrim($server, '/')) === 0) {
-            $args['sslverify'] = false;
-            $args['reject_unsafe_urls'] = false;
+            if (get_option('sentra_ssl_verify', '1') !== '1') {
+                $args['sslverify'] = false;
+                $args['reject_unsafe_urls'] = false;
+            }
         }
         return $args;
@@ -344 +349 @@
             'target'         => sanitize_text_field($patch_data['target'] ?? ''),
             'severity'       => sanitize_text_field($patch_data['severity'] ?? 'medium'),
-            'source_finding' => $patch_data['source_finding'] ?? [],
+            'source_finding' => $this->sanitize_recursive($patch_data['source_finding'] ?? []),
             'patch_payload'  => $patch_data['patch_payload'] ?? [],
         ];
@@ -478 +483 @@
 
         if (isset($_POST['body'])) {
-            $raw_body = json_decode(sanitize_text_field(wp_unslash($_POST['body'])), true);
+            $raw_body = json_decode(wp_unslash($_POST['body']), true); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitize_recursive below handles sanitization
             if (is_array($raw_body)) {
                 $body = $this->sanitize_recursive($raw_body);

freelancebo-sentra-control/trunk/includes/class-sentra-api-client.php

@@ -33 +33 @@
         $signature = hash_hmac('sha256', $sign_string, $this->api_secret);
 
+        $sslverify = get_option('sentra_ssl_verify', '1') === '1';
+
         $args = [
             'method'    => strtoupper($method),
             'timeout'   => 15,
-            'sslverify' => false,
-            'reject_unsafe_urls' => false,
+            'sslverify' => $sslverify,
+            'reject_unsafe_urls' => $sslverify,
             'headers'   => [
                 'Content-Type'    => 'application/json',

freelancebo-sentra-control/trunk/includes/class-sentra-event-queue.php

@@ -92 +92 @@
     private function get_client_ip() {
         $remote_addr = sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'));
-        $trusted_proxies = array_filter(array_map('trim', explode(',', get_option('sentra_trusted_proxies', ''))));
+        $trusted_proxies = array_filter(
+            array_map('trim', explode(',', get_option('sentra_trusted_proxies', ''))),
+            function($ip) { return filter_var($ip, FILTER_VALIDATE_IP) !== false; }
+        );
 
         // Only trust proxy headers if request comes from a trusted proxy

freelancebo-sentra-control/trunk/includes/class-sentra-heartbeat.php

@@ -66 +66 @@
         }
 
+        // Anti-replay: reject duplicate signatures within 2 minutes
+        $nonce_key = 'sentra_nonce_' . md5($signature);
+        if (get_transient($nonce_key)) {
+            return new WP_Error('auth_failed', __( 'Replay detected', 'freelancebo-sentra-control' ), ['status' => 401]);
+        }
+        set_transient($nonce_key, 1, 120);
+
         return true;
     }
@@ -74 +81 @@
      */
     public function rest_run_pending( $request ) {
+        // Rate limiting: 1 request per 10 seconds per IP
+        $rate_key = 'sentra_rest_rate_' . md5(isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : '');
+        if (get_transient($rate_key)) {
+            return new WP_REST_Response(['error' => 'Rate limited'], 429);
+        }
+        set_transient($rate_key, 1, 10);
+
         // Always send heartbeat when server pushes
         $this->send_heartbeat();
@@ -201 +215 @@
     }
 }
-

freelancebo-sentra-control/trunk/includes/modules/class-sentra-auto-patcher.php

@@ -61 +61 @@
         }
 
+        // Anti-replay: reject duplicate signatures within 2 minutes
+        $nonce_key = 'sentra_nonce_' . md5($signature);
+        if (get_transient($nonce_key)) {
+            return new WP_Error('auth_failed', 'Replay detected', ['status' => 401]);
+        }
+        set_transient($nonce_key, 1, 120);
+
         return true;
     }
@@ -68 +75 @@
      */
     public function rest_auto_patch($request) {
+        // Rate limiting: 1 request per 10 seconds per IP
+        $rate_key = 'sentra_rest_patch_rate_' . md5(isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : '');
+        if (get_transient($rate_key)) {
+            return new WP_REST_Response(['error' => 'Rate limited'], 429);
+        }
+        set_transient($rate_key, 1, 10);
+
         $this->process_pending_patches();
         return new WP_REST_Response(['status' => 'ok'], 200);
@@ -99 +113 @@
      */
     public function process_pending_patches() {
+        if (get_option('sentra_auto_patch_enabled', '0') !== '1') {
+            return; // Auto-patching disabled, admin must approve manually
+        }
+
         $pending = $this->api->get('/agent/pending-patches');
         if (!is_array($pending) || empty($pending) || isset($pending['error'])) {
@@ -432 +450 @@
         if (!$this->validate_php_syntax($content)) {
             return ['status' => 'error', 'message' => 'PHP syntax error after patch, not applied'];
+        }
+
+        // Allow filtering/blocking of surgical patches
+        $approved = apply_filters('sentra_surgical_patch_approved', true, $file_path, $content);
+        if (!$approved) {
+            return ['status' => 'skipped', 'message' => 'Patch requires manual approval'];
         }
 
@@ -727 +751 @@
                 file_put_contents($index, "<?php // Silence is golden\n"); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents
             }
+            // Add nginx protection note
+            $nginx_note_file = $dir . '/.nginx-deny';
+            if (!file_exists($nginx_note_file)) {
+                $nginx_note = "# If using Nginx, add this to your server block:\n# location ~* /wp-content/(sentra-backups|sentra-quarantine)/ { deny all; }\n";
+                @file_put_contents($nginx_note_file, $nginx_note); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents
+            }
         }
     }

freelancebo-sentra-control/trunk/includes/modules/class-sentra-firewall.php

@@ -51 +51 @@
             $content_type = isset($_SERVER['CONTENT_TYPE']) ? sanitize_text_field(wp_unslash($_SERVER['CONTENT_TYPE'])) : '';
             if (stripos($content_type, 'multipart/form-data') === false) {
-                $body = file_get_contents('php://input');
-                if (strlen($body) > 10000) {
-                    $body = substr($body, 0, 10000);
+                $content_length = isset($_SERVER['CONTENT_LENGTH']) ? intval($_SERVER['CONTENT_LENGTH']) : 0;
+                if ($content_length > 10240) {
+                    $body = ''; // Skip reading very large bodies
+                } else {
+                    $body = substr(@file_get_contents('php://input'), 0, 10240);
                 }
             }
@@ -121 +123 @@
             $content_type = isset($_SERVER['CONTENT_TYPE']) ? sanitize_text_field(wp_unslash($_SERVER['CONTENT_TYPE'])) : '';
             if (stripos($content_type, 'multipart/form-data') === false) {
-                $body = file_get_contents('php://input');
-                if (strlen($body) > 10000) {
-                    $body = substr($body, 0, 10000);
+                $content_length = isset($_SERVER['CONTENT_LENGTH']) ? intval($_SERVER['CONTENT_LENGTH']) : 0;
+                if ($content_length > 10240) {
+                    $body = ''; // Skip reading very large bodies
+                } else {
+                    $body = substr(@file_get_contents('php://input'), 0, 10240);
                 }
             }
@@ -174 +178 @@
 
         if (isset($result['firewall_rules'])) {
-            update_option('sentra_firewall_rules', $result['firewall_rules'], false);
+            $rules = $result['firewall_rules'];
+            if (is_array($rules)) {
+                foreach ($rules as $key => $rule) {
+                    if (isset($rule['pattern']) && @preg_match('/' . $rule['pattern'] . '/', '') === false) {
+                        unset($rules[$key]); // Remove invalid regex
+                    }
+                    if (isset($rule['pattern']) && strlen($rule['pattern']) > 500) {
+                        unset($rules[$key]); // Remove overly long patterns
+                    }
+                }
+                $rules = array_values($rules); // Re-index
+            }
+            update_option('sentra_firewall_rules', $rules, false);
         }
         if (isset($result['blocked_ips'])) {

freelancebo-sentra-control/trunk/includes/modules/class-sentra-ip-blocker.php

@@ -69 +69 @@
     private function get_client_ip() {
         $remote_addr = sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'));
-        $trusted_proxies = array_filter(array_map('trim', explode(',', get_option('sentra_trusted_proxies', ''))));
+        $trusted_proxies = array_filter(
+            array_map('trim', explode(',', get_option('sentra_trusted_proxies', ''))),
+            function($ip) { return filter_var($ip, FILTER_VALIDATE_IP) !== false; }
+        );
 
         // Only trust proxy headers if request comes from a trusted proxy

freelancebo-sentra-control/trunk/includes/modules/class-sentra-login-guard.php

@@ -30 +30 @@
         }
 
-        $attempts = get_transient('sentra_login_attempts_' . md5($ip));
-        $user_attempts = get_transient('sentra_login_attempts_user_' . md5($username));
+        $attempts = get_transient('sentra_login_attempts_' . wp_hash($ip));
+        $user_attempts = get_transient('sentra_login_attempts_user_' . wp_hash($username));
 
         if (($attempts && $attempts >= $this->max_attempts) || ($user_attempts && $user_attempts >= $this->max_attempts)) {
@@ -54 +54 @@
     public function record_failed_login($username, $error = null) {
         $ip = $this->get_client_ip();
-        $key = 'sentra_login_attempts_' . md5($ip);
+        $key = 'sentra_login_attempts_' . wp_hash($ip);
         $attempts = (int) get_transient($key);
         $attempts++;
         set_transient($key, $attempts, $this->lockout_duration);
 
-        $user_key = 'sentra_login_attempts_user_' . md5($username);
+        $user_key = 'sentra_login_attempts_user_' . wp_hash($username);
         $user_attempts = (int) get_transient($user_key);
         $user_attempts++;
@@ -126 +126 @@
     public function record_successful_login($user_login, $user) {
         $ip = $this->get_client_ip();
-        delete_transient('sentra_login_attempts_' . md5($ip));
-        delete_transient('sentra_login_attempts_user_' . md5($user_login));
+        delete_transient('sentra_login_attempts_' . wp_hash($ip));
+        delete_transient('sentra_login_attempts_user_' . wp_hash($user_login));
 
         // Deduplicate: skip if same user+IP already logged in recently (30 min)
@@ -149 +149 @@
     private function get_client_ip() {
         $remote_addr = sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'));
-        $trusted_proxies = array_filter(array_map('trim', explode(',', get_option('sentra_trusted_proxies', ''))));
+        $trusted_proxies = array_filter(
+            array_map('trim', explode(',', get_option('sentra_trusted_proxies', ''))),
+            function($ip) { return filter_var($ip, FILTER_VALIDATE_IP) !== false; }
+        );
 
         // Only trust proxy headers if request comes from a trusted proxy

freelancebo-sentra-control/trunk/includes/modules/class-sentra-malware-scanner.php

@@ -88 +88 @@
     ];
 
-    private $chunk_size = 500; // files per tick
+    private $chunk_size = 2000; // files per tick
 
     public function __construct(Sentra_API_Client $api) {

freelancebo-sentra-control/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.9
 Requires PHP: 7.4
-Stable tag: 2.3.1
+Stable tag: 2.4.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -74 +74 @@
 
 == Changelog ==
+
+= 2.4.0 =
+* Security: SSL verification now configurable with default ON (C3)
+* Security: Auto-patching from server now disabled by default, requires admin approval (C4)
+* Security: Added filter hook for surgical patch approval (C5)
+* Security: HMAC nonce anti-replay protection on REST API endpoints (H8)
+* Security: Firewall regex rules validated on sync (H10)
+* Security: Nginx deny rule file added to backup/quarantine directories (H11)
+* Security: Recursive sanitization on source_finding in auto-patch (M11)
+* Security: Rate limiting on REST API endpoints (M14)
+* Security: Login guard uses wp_hash instead of md5 for transient keys (M15)
+* Security: Content length check before reading php://input in firewall (M16)
+* Improved: Malware scanner file limit increased from 500 to 2000 (L1)
+* Fixed: JSON body double-sanitization in AJAX proxy (L3)
+* Security: Trusted proxy IPs validated with FILTER_VALIDATE_IP (L5)
 
 = 2.3.1 =
@@ -209 +224 @@
 == Upgrade Notice ==
 
+= 2.4.0 =
+Security hardening: SSL verify default ON, auto-patch requires approval, HMAC anti-replay, rate limiting, firewall regex validation. Recommended for all users.
+
 = 2.3.1 =
 Fixes heartbeat reliability on low-traffic sites. Recommended for all users.