From bebb0b0d82759aa3abbaa33baed6430f37ec1164 Mon Sep 17 00:00:00 2001 From: Joe Hoyle Date: Tue, 24 Oct 2017 21:05:49 +0000 Subject: [PATCH] =?UTF-8?q?REST=20API:=20Don=E2=80=99t=20remove=20unregist?= =?UTF-8?q?ered=20properties=20from=20objects=20in=20schema.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint. See #38583. Built from https://develop.svn.wordpress.org/trunk@42000 git-svn-id: http://core.svn.wordpress.org/trunk@41834 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/rest-api.php | 20 ++++++------- .../endpoints/class-wp-rest-controller.php | 2 +- .../class-wp-rest-settings-controller.php | 30 +++++++++++++++++++ wp-includes/version.php | 2 +- 4 files changed, 42 insertions(+), 12 deletions(-) diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php index 697a7cc64b..82d856a063 100644 --- a/wp-includes/rest-api.php +++ b/wp-includes/rest-api.php @@ -1106,13 +1106,13 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) { } foreach ( $value as $property => $v ) { - if ( ! isset( $args['properties'][ $property ] ) ) { - continue; - } - $is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' ); - - if ( is_wp_error( $is_valid ) ) { - return $is_valid; + if ( isset( $args['properties'][ $property ] ) ) { + $is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' ); + if ( is_wp_error( $is_valid ) ) { + return $is_valid; + } + } elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) { + return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not a valid property of Object.' ), $property ) ); } } } @@ -1246,11 +1246,11 @@ function rest_sanitize_value_from_schema( $value, $args ) { } foreach ( $value as $property => $v ) { - if ( ! isset( $args['properties'][ $property ] ) ) { + if ( isset( $args['properties'][ $property ] ) ) { + $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] ); + } elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) { unset( $value[ $property ] ); - continue; } - $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] ); } return $value; diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-controller.php index 2fb5221c9a..f26e87606a 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-controller.php @@ -545,7 +545,7 @@ abstract class WP_REST_Controller { $endpoint_args[ $field_id ]['required'] = true; } - foreach ( array( 'type', 'format', 'enum', 'items', 'properties' ) as $schema_prop ) { + foreach ( array( 'type', 'format', 'enum', 'items', 'properties', 'additionalProperties' ) as $schema_prop ) { if ( isset( $params[ $schema_prop ] ) ) { $endpoint_args[ $field_id ][ $schema_prop ] = $params[ $schema_prop ]; } diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php index 21e467f318..82a22101f2 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php @@ -248,6 +248,8 @@ class WP_REST_Settings_Controller extends WP_REST_Controller { continue; } + $rest_args['schema'] = $this->set_additional_properties_to_false( $rest_args['schema'] ); + $rest_options[ $rest_args['name'] ] = $rest_args; } @@ -301,4 +303,32 @@ class WP_REST_Settings_Controller extends WP_REST_Controller { } return rest_parse_request_arg( $value, $request, $param ); } + + /** + * Recursively add additionalProperties = false to all objects in a schema. + * + * This is need to restrict properties of objects in settings values to only + * registered items, as the REST API will allow additional properties by + * default. + * + * @since 4.9.0 + * + * @param array $schema The schema array. + * @return array + */ + protected function set_additional_properties_to_false( $schema ) { + switch ( $schema['type'] ) { + case 'object': + foreach ( $schema['properties'] as $key => $child_schema ) { + $schema['properties'][ $key ] = $this->set_additional_properties_to_false( $child_schema ); + } + $schema['additionalProperties'] = false; + break; + case 'array': + $schema['items'] = $this->set_additional_properties_to_false( $schema['items'] ); + break; + } + + return $schema; + } } diff --git a/wp-includes/version.php b/wp-includes/version.php index 9494cb6e1e..c8c65095e9 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.9-beta3-41999'; +$wp_version = '4.9-beta3-42000'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.