I’ve just received a response from Patchman via the webhost of my clients:
The vulnerability in question required patches to 8.5 and 8.6.
The official patch introduced a new file with the function wp_kses_array(), but due to the mechanism of Patchman, creating a new file is not an option. Instead, to make this function available in older versions, it was added to an existing file with the pm_ prefix (to denote Patchman).
For those versions affected, this function is called with patches to other files (StoreApi/Schemas/V1/AbstractAddressSchema.php, StoreApi/Schemas/V1/AbstractAddressSchema.php and StoreApi/Schemas/V1/CheckoutSchema.php).
In this case, the file picked to add the helper function to is not exclusive to the versions affected, but also many older versions of WooCommerce, as you’re seeing here. Identification of vulnerabilities happens by file content matching, not by version matching – this generally ensures better coverage, but in this particular case has a clear drawback. Due to the selection of this file, the helper was patched into versions that did not need it.
While the change here is benign, this is technically a false positive and we will thus treat it as such.
I will work with our Research team to revert these patches, and instead select a better candidate file to patch this helper into so that we do not trigger detections and/or notifications on non-affected WooCommerce versions.
Patchman
This means that a helper function was inserted into the ValidationUtils.php file, without the need to patch the vulnerable files in the older versions of WooCommerce.
It’s a false positive and we can ignore this patch. Hopefully some official public communication follows from Patchman about this case.
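As an added example (not code from this thread, from Patchman or from WooCommerce), a small triage script for a host operator who finds the injected helper: it walks a plugin tree, records where the pm_ helper is defined and where it is called, and labels the "defined but never called" case the thread describes as the benign false positive. It assumes the helper is named pm_wp_kses_array (the thread only says wp_kses_array with a pm_ prefix) and uses a constructed miniature plugin tree as sample input.

```python
import re
import tempfile
from pathlib import Path

# Assumption (not stated in the thread): Patchman's copy of wp_kses_array()
# carries the pm_ prefix, so the helper is named pm_wp_kses_array.
HELPER = "pm_wp_kses_array"
DEFINITION = re.compile(rf"\bfunction\s+{HELPER}\s*\(")   # matches plain functions and class methods
CALL = re.compile(rf"\b{HELPER}\s*\(")                    # matches foo( and Class::foo(


def scan_plugin(plugin_dir: Path) -> dict:
    """Walk a plugin tree and report which PHP files define and which call the helper."""
    defined_in, called_from = [], []
    for php in sorted(plugin_dir.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        rel = php.relative_to(plugin_dir).as_posix()
        if DEFINITION.search(text):
            defined_in.append(rel)
        # Remove the definition first so it is not also counted as a call site.
        if CALL.search(DEFINITION.sub("", text)):
            called_from.append(rel)
    return {"defined_in": defined_in, "called_from": called_from}


def classify(report: dict) -> str:
    """Map the scan result onto the outcomes discussed in the thread."""
    if not report["defined_in"]:
        return "no-patchman-helper"
    if report["called_from"]:
        return "helper-in-use"      # affected version: schema files were patched to call it
    return "helper-unused"          # unaffected version: benign, the false positive


def build_sample(called: bool) -> Path:
    """Constructed miniature plugin tree (sample data only, not real WooCommerce source)."""
    root = Path(tempfile.mkdtemp())
    util = root / "src/StoreApi/Utilities"
    util.mkdir(parents=True)
    (util / "ValidationUtils.php").write_text(
        "<?php\nfunction pm_wp_kses_array( $arr ) { return $arr; } // stub body\n"
    )
    schema = root / "src/StoreApi/Schemas/V1"
    schema.mkdir(parents=True)
    body = "$data = pm_wp_kses_array( $data );" if called else "$data = $raw;"
    (schema / "CheckoutSchema.php").write_text(f"<?php\n{body}\n")
    return root


if __name__ == "__main__":
    for flag in (False, True):
        report = scan_plugin(build_sample(flag))
        print(classify(report), report)
```

Point the script at a real plugin directory with `scan_plugin(Path("/path/to/wp-content/plugins/woocommerce"))`; a "helper-unused" result on a version outside 8.5/8.6 matches the false positive described above.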
Many thanks for the update on this @josklever
Hi @josklever, thank you so much for confirming.
I’ll be marking this thread as solved for now, as it doesn’t pertain to WooCommerce, but rather to specific hosts using Patchman.
Thanks!
-OP
Hello,
I audited the patch on a testing environment and concluded the patch is harmless. Furthermore the added code doesn’t seem to be used at all, and I found no vulnerability that would need further action from WooCommerce or Combell.