-
Notifications
You must be signed in to change notification settings - Fork 30
Added WooCommerce request verification token #1253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -457,6 +457,17 @@ function( $headers ) { | |||||||||||||||||
| } | ||||||||||||||||||
| } | ||||||||||||||||||
|
|
||||||||||||||||||
| // Check if this is a WooCommerce endpoint request and add verification token. | ||||||||||||||||||
| if ( $this->is_woocommerce_request( $url ) ) { | ||||||||||||||||||
| // Generate a unique token for this specific request. | ||||||||||||||||||
| $token = wp_generate_password( 32, false ); | ||||||||||||||||||
| set_transient( 'visualizer_wc_token_' . $token, time(), 60 ); | ||||||||||||||||||
| if ( ! isset( $args['headers'] ) ) { | ||||||||||||||||||
| $args['headers'] = array(); | ||||||||||||||||||
| } | ||||||||||||||||||
| $args['headers']['X-Visualizer-Token'] = $token; | ||||||||||||||||||
| } | ||||||||||||||||||
|
Comment on lines
+460
to
+469
|
||||||||||||||||||
|
|
||||||||||||||||||
| do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $args, true ) ), 'debug', __FILE__, __LINE__ ); | ||||||||||||||||||
|
||||||||||||||||||
| do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $args, true ) ), 'debug', __FILE__, __LINE__ ); | |
| // Avoid logging sensitive headers such as X-Visualizer-Token. | |
| $log_args = $args; | |
| if ( isset( $log_args['headers'] ) && is_array( $log_args['headers'] ) ) { | |
| unset( $log_args['headers']['X-Visualizer-Token'] ); | |
| } | |
| do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $log_args, true ) ), 'debug', __FILE__, __LINE__ ); |
Copilot
AI
Mar 2, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code performs a server-side HTTP request to a user-controlled URL using wp_remote_request with no host or protocol restrictions. An authenticated attacker who can reach the JSON import AJAX endpoints (e.g. via visualizer-json-get-roots / visualizer-json-get-data) can supply an arbitrary URL (including internal hosts like http://127.0.0.1/ or cloud metadata IPs), turning this into an SSRF primitive that can probe internal services and, when the response is JSON, exfiltrate data via the chart preview. To mitigate, validate and restrict $_args['url']/$this->_url to an allowlist of expected domains or at minimum block private/reserved IP ranges and non-HTTP(S) schemes before calling wp_remote_request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR description says the token is validated (e.g., via
woocommerce_rest_check_permissions), but in this repo the token is only generated/stored and sent; there is no code that readsX-Visualizer-Tokenor checks/deletes the corresponding transient. As-is, this doesn’t provide any additional protection and leaves behind short-lived transients on every matched request. Add server-side verification on REST requests (read the header,get_transient()/delete_transient()for single-use, and reject when missing/invalid).