fix: better filtering and capability check for get data Codeinwp/visualizer-pro#433

preda-bogdan · preda-bogdan · commit 7bdf7d7c6bf0 · 2024-04-15T14:05:25.000+03:00
diff --git a/classes/Visualizer/Module/Chart.php b/classes/Visualizer/Module/Chart.php
@@ -59,6 +59,7 @@ public function __construct( Visualizer_Plugin $plugin ) {
 		$this->_addAjaxAction( Visualizer_Plugin::ACTION_CLONE_CHART, 'cloneChart' );
 		$this->_addAjaxAction( Visualizer_Plugin::ACTION_EXPORT_DATA, 'exportData' );
 
+		error_log( var_export( 'REGISTER ACTION', true ) );
 		$this->_addAjaxAction( Visualizer_Plugin::ACTION_FETCH_DB_DATA, 'getQueryData' );
 		$this->_addAjaxAction( Visualizer_Plugin::ACTION_SAVE_DB_QUERY, 'saveQuery' );
 
@@ -1421,6 +1422,10 @@ private function _handleDataPage() {
 	public function getQueryData() {
 		check_ajax_referer( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION, 'security' );
 
+		if ( ! current_user_can( 'edit_posts' ) ) {
+			wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
+		}
+
 		$params     = wp_parse_args( $_POST['params'] );
 		$chart_id   = filter_var( $params['chart_id'], FILTER_VALIDATE_INT );
 
diff --git a/classes/Visualizer/Source/Query.php b/classes/Visualizer/Source/Query.php
@@ -80,7 +80,7 @@ public function fetch( $as_html = false, $results_as_numeric_array = false, $raw
 		}
 
 		// only select queries allowed.
-		if ( preg_match( '/^\s*(insert|delete|update|replace|create|alter|drop|truncate)\s/i', $this->_query ) ) {
+		if ( preg_match( '/\s*(insert|delete|update|replace|create|alter|drop|truncate)\s/i', $this->_query ) ) {
 			$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );
 			return false;
 		}
diff --git a/tests/test-ajax.php b/tests/test-ajax.php
@@ -0,0 +1,93 @@
+<?php
+/**
+ * WordPress unit test plugin.
+ *
+ * @package     visualizer
+ * @subpackage  Tests
+ * @license     http://opensource.org/licenses/gpl-2.0.php GNU Public License
+ * @since       3.10.12
+ */
+
+class Test_Visualizer_Ajax extends WP_Ajax_UnitTestCase {
+
+	private $admin_user_id;
+
+	public function setUp() :void {
+		parent::setUp();
+		$this->admin_user_id = $this->factory->user->create(
+			array(
+				'role' => 'administrator',
+			)
+		);
+		wp_set_current_user( $this->admin_user_id );
+
+	}
+
+	public function test_ajax_response_get_query_data_valid_query() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
+
+		$_POST['params'] = array(
+			'query' => 'SELECT * FROM wp_posts',
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_FETCH_DB_DATA );
+		} catch (WPAjaxDieContinueException $e) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertTrue( $response->success );
+	}
+
+	public function test_ajax_response_get_query_data_invalid_query() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
+
+		$_POST['params'] = array(
+			'query' => "/**/UPDATE wp_options SET option_value='administrator' WHERE option_name='default_role' --",
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_FETCH_DB_DATA );
+		} catch (WPAjaxDieContinueException $e) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertEquals( 'Only SELECT queries are allowed', $response->data->msg );
+		$this->assertFalse( $response->success );
+	}
+
+	public function test_ajax_response_get_query_data_subcriber_dissallow() {
+		$this->_setRole( 'subscriber' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
+
+		$_POST['params'] = array(
+			'query' => "/**/UPDATE wp_options SET option_value='administrator' WHERE option_name='default_role' --",
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_FETCH_DB_DATA );
+		} catch (WPAjaxDieContinueException $e) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertEquals( 'Action not allowed for this user.', $response->data->msg );
+		$this->assertFalse( $response->success );
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ public function fetch( $as_html = false, $results_as_numeric_array = false, $raw`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`// only select queries allowed.`
`83`		`- if ( preg_match( '/^\s*(insert\|delete\|update\|replace\|create\|alter\|drop\|truncate)\s/i', $this->_query ) ) {`
	`83`	`+ if ( preg_match( '/\s*(insert\|delete\|update\|replace\|create\|alter\|drop\|truncate)\s/i', $this->_query ) ) {`
`84`	`84`	`$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );`
`85`	`85`	`return false;`
`86`	`86`	`}`