REST API: Don’t remove unregistered properties from objects in schema.

In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.
Built from https://develop.svn.wordpress.org/trunk@42000


git-svn-id: http://core.svn.wordpress.org/trunk@41834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Joe Hoyle 2017-10-24 21:05:49 +00:00
parent c0d0380baa
commit bebb0b0d82
4 changed files with 42 additions and 12 deletions

View File

@ -1106,14 +1106,14 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) {
}
foreach ( $value as $property => $v ) {
if ( ! isset( $args['properties'][ $property ] ) ) {
continue;
}
if ( isset( $args['properties'][ $property ] ) ) {
$is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' );
if ( is_wp_error( $is_valid ) ) {
return $is_valid;
}
} elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not a valid property of Object.' ), $property ) );
}
}
}
@ -1246,11 +1246,11 @@ function rest_sanitize_value_from_schema( $value, $args ) {
}
foreach ( $value as $property => $v ) {
if ( ! isset( $args['properties'][ $property ] ) ) {
unset( $value[ $property ] );
continue;
}
if ( isset( $args['properties'][ $property ] ) ) {
$value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] );
} elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
unset( $value[ $property ] );
}
}
return $value;

View File

@ -545,7 +545,7 @@ abstract class WP_REST_Controller {
$endpoint_args[ $field_id ]['required'] = true;
}
foreach ( array( 'type', 'format', 'enum', 'items', 'properties' ) as $schema_prop ) {
foreach ( array( 'type', 'format', 'enum', 'items', 'properties', 'additionalProperties' ) as $schema_prop ) {
if ( isset( $params[ $schema_prop ] ) ) {
$endpoint_args[ $field_id ][ $schema_prop ] = $params[ $schema_prop ];
}

View File

@ -248,6 +248,8 @@ class WP_REST_Settings_Controller extends WP_REST_Controller {
continue;
}
$rest_args['schema'] = $this->set_additional_properties_to_false( $rest_args['schema'] );
$rest_options[ $rest_args['name'] ] = $rest_args;
}
@ -301,4 +303,32 @@ class WP_REST_Settings_Controller extends WP_REST_Controller {
}
return rest_parse_request_arg( $value, $request, $param );
}
/**
* Recursively add additionalProperties = false to all objects in a schema.
*
* This is need to restrict properties of objects in settings values to only
* registered items, as the REST API will allow additional properties by
* default.
*
* @since 4.9.0
*
* @param array $schema The schema array.
* @return array
*/
protected function set_additional_properties_to_false( $schema ) {
switch ( $schema['type'] ) {
case 'object':
foreach ( $schema['properties'] as $key => $child_schema ) {
$schema['properties'][ $key ] = $this->set_additional_properties_to_false( $child_schema );
}
$schema['additionalProperties'] = false;
break;
case 'array':
$schema['items'] = $this->set_additional_properties_to_false( $schema['items'] );
break;
}
return $schema;
}
}

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.9-beta3-41999';
$wp_version = '4.9-beta3-42000';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.