vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-06-28 22:30:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

REST API: Don’t remove unregistered properties from objects in schema.

Browse Source 
In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

git-svn-id: https://develop.svn.wordpress.org/trunk@42000 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Joe Hoyle
2017-10-24 21:04:50 +00:00
parent 36f253d1d9
commit fb2e44456e
6 changed files with 118 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
tests/phpunit/tests/rest-api/rest-schema-sanitization.php
View File

@@ -157,6 +157,22 @@ class WP_Test_REST_Schema_Sanitization extends WP_UnitTestCase {
);
$this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => 1 ), $schema ) );
$this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1' ), $schema ) );
$this->assertEquals( array( 'a' => 1, 'b' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1', 'b' => 1 ), $schema ) );
}
public function test_type_object_strips_additional_properties() {
$schema = array(
'type' => 'object',
'properties' => array(
'a' => array(
'type' => 'number',
),
),
'additionalProperties' => false,
);
$this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => 1 ), $schema ) );
$this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1' ), $schema ) );
$this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1', 'b' => 1 ), $schema ) );
}
public function test_type_object_nested() {
@@ -195,7 +211,9 @@ class WP_Test_REST_Schema_Sanitization extends WP_UnitTestCase {
'a' => array(
'b' => 1,
'c' => 3,
'd' => '1',
),
'b' => 1,
),
rest_sanitize_value_from_schema(
array(

17
tests/phpunit/tests/rest-api/rest-schema-validation.php
View File

@@ -186,14 +186,29 @@ class WP_Test_REST_Schema_Validation extends WP_UnitTestCase {
'type' => 'object',
'properties' => array(
'a' => array(
'type' => 'number'
'type' => 'number',
),
),
);
$this->assertTrue( rest_validate_value_from_schema( array( 'a' => 1 ), $schema ) );
$this->assertTrue( rest_validate_value_from_schema( array( 'a' => 1, 'b' => 2 ), $schema ) );
$this->assertWPError( rest_validate_value_from_schema( array( 'a' => 'invalid' ), $schema ) );
}
public function test_type_object_additional_properties_false() {
$schema = array(
'type' => 'object',
'properties' => array(
'a' => array(
'type' => 'number',
),
),
'additionalProperties' => false,
);
$this->assertTrue( rest_validate_value_from_schema( array( 'a' => 1 ), $schema ) );
$this->assertWPError( rest_validate_value_from_schema( array( 'a' => 1, 'b' => 2 ), $schema ) );
}
public function test_type_object_nested() {
$schema = array(
'type' => 'object',

44
tests/phpunit/tests/rest-api/rest-settings-controller.php
View File

@@ -190,6 +190,10 @@ class WP_Test_REST_Settings_Controller extends WP_Test_REST_Controller_Testcase
'type' => 'object',
) );
// We have to re-register the route, as the args changes based off registered settings.
$this->server->override_by_default = true;
$this->endpoint->register_routes();
// Object is cast to correct types.
update_option( 'mycustomsetting', array( 'a' => '1' ) );
$request = new WP_REST_Request( 'GET', '/wp/v2/settings' );
@@ -209,7 +213,7 @@ class WP_Test_REST_Settings_Controller extends WP_Test_REST_Controller_Testcase
$request = new WP_REST_Request( 'GET', '/wp/v2/settings' );
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$this->assertEquals( array( 'a' => 1 ), $data['mycustomsetting'] );
$this->assertEquals( null, $data['mycustomsetting'] );
unregister_setting( 'somegroup', 'mycustomsetting' );
}
@@ -372,6 +376,37 @@ class WP_Test_REST_Settings_Controller extends WP_Test_REST_Controller_Testcase
unregister_setting( 'somegroup', 'mycustomsetting' );
}
public function test_update_item_with_nested_object() {
register_setting( 'somegroup', 'mycustomsetting', array(
'show_in_rest' => array(
'schema' => array(
'type' => 'object',
'properties' => array(
'a' => array(
'type' => 'object',
'properties' => array(
'b' => array(
'type' => 'number',
),
),
),
),
),
),
'type' => 'object',
) );
// We have to re-register the route, as the args changes based off registered settings.
$this->server->override_by_default = true;
$this->endpoint->register_routes();
wp_set_current_user( self::$administrator );
$request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
$request->set_param( 'mycustomsetting', array( 'a' => array( 'b' => 1, 'c' => 1 ) ) );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
}
public function test_update_item_with_object() {
register_setting( 'somegroup', 'mycustomsetting', array(
'show_in_rest' => array(
@@ -407,6 +442,13 @@ class WP_Test_REST_Settings_Controller extends WP_Test_REST_Controller_Testcase
$this->assertEquals( array(), $data['mycustomsetting'] );
$this->assertEquals( array(), get_option( 'mycustomsetting' ) );
// Provide more keys.
$request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
$request->set_param( 'mycustomsetting', array( 'a' => 1, 'b' => 2 ) );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
// Setting an invalid object.
$request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
$request->set_param( 'mycustomsetting', array( 'a' => 'invalid' ) );