Merge pull request #5 from udx/develop-alexey

balexey88 · web-flow · commit d25e82e09fa8 · 2024-02-13T16:05:19.000+02:00
Improve security while processing AJAX requests in Admin Panel
diff --git a/changes.md b/changes.md
@@ -1,3 +1,7 @@
+### 1.2.3
+
+* Improve security while processing AJAX requests in Admin Panel.
+
 ### 1.2.2
 
 * Remove dependency from `udx/lib-utility`.
diff --git a/gruntfile.js b/gruntfile.js
@@ -2,7 +2,7 @@
  * Build Plugin.
  *
  * @author potanin@UD
- * @version 1.2.2
+ * @version 1.2.3
  * @param grunt
  */
 module.exports = function( grunt ) {
diff --git a/lib/classes/class-bootstrap.php b/lib/classes/class-bootstrap.php
@@ -18,7 +18,7 @@ class Bootstrap extends Scaffold {
       /**
        *
        */
-      public static $version = '1.2.2';
+      public static $version = '1.2.3';
     
       /**
        *
diff --git a/lib/classes/class-update-checker.php b/lib/classes/class-update-checker.php
@@ -349,115 +349,116 @@ public function check_response_for_errors( $response ) {
 
           $plugins = get_plugins();
           $name = isset( $plugins[$this->name] ) ? $plugins[$this->name]['Name'] : $this->name;
+          $nonce = wp_create_nonce( 'ud_api_dismiss' );
           
           if ( isset( $response->errors['no_key'] ) && $response->errors['no_key'] == 'no_key' && isset( $response->errors['no_subscription'] ) && $response->errors['no_subscription'] == 'no_subscription' ) {
 
             $no_key_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_no_key', '' );
             $show_no_key_error = $this->check_dismiss_time( $no_key_dismissed );
             if( $show_no_key_error ) {
-                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or purchase a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or purchase a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
             $no_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_no_subscription', '' );
             $show_no_subscription_error = $this->check_dismiss_time( $no_subscription_dismissed );
             if( $show_no_subscription_error ) {
-                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can purchase a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can purchase a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
           } else if ( isset( $response->errors['exp_license'] ) && $response->errors['exp_license'] == 'exp_license' ) {
 
             $exp_license_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_exp_license', '' );
             $show_exp_license_error = $this->check_dismiss_time( $exp_license_dismissed );
             if( $show_exp_license_error ) {
-                $this->errors[] = sprintf( __( 'The license key for %s has expired. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_license" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'The license key for %s has expired. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_license" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
           }  else if ( isset( $response->errors['hold_subscription'] ) && $response->errors['hold_subscription'] == 'hold_subscription' ) {
 
             $hold_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_hold_subscription', '' );
             $show_hold_subscription_error = $this->check_dismiss_time( $hold_subscription_dismissed );
             if( $show_hold_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s is on-hold. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_hold_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'The subscription for %s is on-hold. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_hold_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
           } else if ( isset( $response->errors['cancelled_subscription'] ) && $response->errors['cancelled_subscription'] == 'cancelled_subscription' ) {
 
             $cancelled_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_cancelled_subscription', '' );
             $show_cancelled_subscription_error = $this->check_dismiss_time( $cancelled_subscription_dismissed );
             if( $show_cancelled_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has been cancelled. You can renew the subscription from your account <a href="%s" target="_blank">dashboard</a>. A new license key will be emailed to you after your order has been completed. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_cancelled_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'The subscription for %s has been cancelled. You can renew the subscription from your account <a href="%s" target="_blank">dashboard</a>. A new license key will be emailed to you after your order has been completed. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_cancelled_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
           } else if ( isset( $response->errors['exp_subscription'] ) && $response->errors['exp_subscription'] == 'exp_subscription' ) {
 
             $exp_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_exp_subscription', '' );
             $show_exp_subscription_error = $this->check_dismiss_time( $exp_subscription_dismissed );
             if( $show_exp_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has expired. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s has expired. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
           } else if ( isset( $response->errors['suspended_subscription'] ) && $response->errors['suspended_subscription'] == 'suspended_subscription' ) {
 
             $suspended_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_suspended_subscription', '' );
             $show_suspended_subscription_error = $this->check_dismiss_time( $suspended_subscription_dismissed );
             if( $show_suspended_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has been suspended. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_suspended_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s has been suspended. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_suspended_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
           } else if ( isset( $response->errors['pending_subscription'] ) && $response->errors['pending_subscription'] == 'pending_subscription' ) {
 
             $pending_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_pending_subscription', '' );
             $show_pending_subscription_error = $this->check_dismiss_time( $pending_subscription_dismissed );
             if( $show_pending_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s is still pending. You can check on the status of the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_pending_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s is still pending. You can check on the status of the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_pending_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
           } else if ( isset( $response->errors['trash_subscription'] ) && $response->errors['trash_subscription'] == 'trash_subscription' ) {
 
             $trash_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_trash_subscription', '' );
             $show_trash_subscription_error = $this->check_dismiss_time( $trash_subscription_dismissed );
             if( $show_trash_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has been placed in the trash and will be deleted soon. You can get a new subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_trash_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s has been placed in the trash and will be deleted soon. You can get a new subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_trash_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
           } else if ( isset( $response->errors['no_subscription'] ) && $response->errors['no_subscription'] == 'no_subscription' ) {
 
             $no_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_no_subscription', '' );
             $show_no_subscription_error = $this->check_dismiss_time( $no_subscription_dismissed );
             if( $show_no_subscription_error ) {
-                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can get a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can get a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
           } else if ( isset( $response->errors['no_activation'] ) && $response->errors['no_activation'] == 'no_activation' ) {
 
             $no_activation_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_no_activation', '' );
             $show_no_activation_error = $this->check_dismiss_time( $no_activation_dismissed );
             if( $show_no_activation_error ) {
-                $this->errors[] = sprintf( __( '%s has not been activated. Go to the settings page and enter the license key and license email to activate %s. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_activation" href="#">dismiss</a>.', $this->text_domain ), $name, $name, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( '%s has not been activated. Go to the settings page and enter the license key and license email to activate %s. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_activation" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $name, sanitize_key( $name ), $nonce ) ;
             }
 
           } else if ( isset( $response->errors['no_key'] ) && $response->errors['no_key'] == 'no_key' ) {
 
             $no_key_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_no_key', '' );
             $show_no_key_error = $this->check_dismiss_time( $no_key_dismissed );
             if( $show_no_key_error ) {
-                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or get a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or get a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
           } else if ( isset( $response->errors['download_revoked'] ) && $response->errors['download_revoked'] == 'download_revoked' ) {
 
             $download_revoked_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_download_revoked', '' );
             $show_download_revoked_error = $this->check_dismiss_time( $download_revoked_dismissed );
             if( $show_download_revoked_error ) {
-                $this->errors[] = sprintf( __( 'Download permission for %s has been revoked possibly due to a license key or subscription expiring. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_download_revoked" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'Download permission for %s has been revoked possibly due to a license key or subscription expiring. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_download_revoked" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
           } else if ( isset( $response->errors['switched_subscription'] ) && $response->errors['switched_subscription'] == 'switched_subscription' ) {
 
             $switched_subscription_dismissed = get_option( 'dismissed_error_' .  sanitize_key( $name ) . '_switched_subscription', '' );
             $show_switched_subscription_error = $this->check_dismiss_time( $switched_subscription_dismissed );
             if( $show_switched_subscription_error ) {
-                $this->errors[] = sprintf( __( 'You changed the subscription for %s, so you will need to enter your new API License Key in the settings page. The License Key should have arrived in your email inbox, if not you can get it by logging into your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_switched_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'You changed the subscription for %s, so you will need to enter your new API License Key in the settings page. The License Key should have arrived in your email inbox, if not you can get it by logging into your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_switched_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
           }
@@ -499,6 +500,7 @@ public function print_scripts() {
                         var data = {
                             action: 'ud_api_dismiss',
                             key: _this.data('key'),
+                            _ajax_nonce: _this.data('nonce'),
                         }
 
                         jQuery.post( "<?php echo admin_url( 'admin-ajax.php' ); ?>", data, function ( result_data ) {
@@ -541,21 +543,27 @@ public function check_dismiss_time( $time = '' ) {
          * @throws \Exception
          */
         public function dismiss_notices(){
+          check_ajax_referer('ud_api_dismiss');
+
           $response = array(
               'success' => '0',
               'error' => __( 'There was an error in request.', $this->text_domain ),
           );
+
           $error = false;
 
-          if( empty($_POST['key']) ) {
-            $response['error'] = __( 'Invalid key', $this->text_domain );
+          $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+          if ( strpos($option_key, 'dismissed_') !== 0 ) {
+            $response['error'] = __( 'Invalid key', $this->domain );
             $error = true;
           }
-
-          if ( ! $error && update_option( ( $_POST['key'] ), time() ) ) {
+  
+          if ( !$error && update_option( $option_key, time() ) ) {
             $response['success'] = '1';
+            $response['error'] = null;
           }
-
+  
           wp_send_json( $response );
         }
 
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "lib-ud-api-client",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "description": "UD Client for WooCommerce API Manager",
   "repository": {
     "type": "git",

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`* Build Plugin.`
`3`	`3`	`*`
`4`	`4`	`* @author potanin@UD`
`5`		`- * @version 1.2.2`
	`5`	`+ * @version 1.2.3`
`6`	`6`	`* @param grunt`
`7`	`7`	`*/`
`8`	`8`	`module.exports = function( grunt ) {`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ class Bootstrap extends Scaffold {`
`18`	`18`	`/**`
`19`	`19`	`*`
`20`	`20`	`*/`
`21`		`- public static $version = '1.2.2';`
	`21`	`+ public static $version = '1.2.3';`
`22`	`22`
`23`	`23`	`/**`
`24`	`24`	`*`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "lib-ud-api-client",`
`3`		`- "version": "1.2.2",`
	`3`	`+ "version": "1.2.3",`
`4`	`4`	`"description": "UD Client for WooCommerce API Manager",`
`5`	`5`	`"repository": {`
`6`	`6`	`"type": "git",`