Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WAF: Fix request body problem #38621

Merged
merged 7 commits into from
Aug 6, 2024
Merged

WAF: Fix request body problem #38621

merged 7 commits into from
Aug 6, 2024

Conversation

dkmyta
Copy link
Contributor

@dkmyta dkmyta commented Jul 30, 2024

Fixes #
The WAF currently defaults to retrieving values from $_POST when the provided Content-Type isn't "application/json". This works and is a very simple way to not parse everything ourselves. However, it also means that it won't retrieve any parameters whatsoever if the HTTP method used isn't POST, since PHP will not populate $_POST in those cases.

Proposed changes:

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

  • No

Testing instructions:

  • Ensure that the new logic covers cases like curl --url $URL -X PATCH --data 'test=<script>alert(1);</script>'
  • Run unit tests and verify they all succeed
  • Verify no regressions are introduced

Copy link
Contributor

github-actions bot commented Jul 30, 2024

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the fix/waf-request-body-problem branch.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack fix/waf-request-body-problem
    

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

Copy link
Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.


Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

@dkmyta dkmyta marked this pull request as ready for review July 30, 2024 20:55
@nateweller nateweller added this to the protect/3.0.0 milestone Aug 4, 2024
nateweller
nateweller previously approved these changes Aug 5, 2024
Copy link
Contributor

@nateweller nateweller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change looks good! Introduces the functionality nicely.

I've tested triggering the XSS rule with a foo=<script> payload using POST, PUT, and PATCH requests with success across Form-URL-Encoded, JSON, and Text Content-Types. 👍

Copy link
Contributor

@nateweller nateweller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@dkmyta dkmyta merged commit b0583ae into trunk Aug 6, 2024
70 checks passed
@dkmyta dkmyta deleted the fix/waf-request-body-problem branch August 6, 2024 17:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants