release: fixes

### Fixes
- **Updated internal dependencies:** Enhanced performance and security.

Author: vytisbulkevicius

.gitignore

@@ -11,4 +11,5 @@ cypress.env.json
 .DS_Store
 /cypress/videos/
 /cypress/screenshots/
-artifacts
+artifacts
+.phpunit.result.cache

classes/Visualizer/Module/Chart.php

@@ -1421,7 +1421,7 @@ private function _handleDataPage() {
 	public function getQueryData() {
 		check_ajax_referer( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION, 'security' );
 
-		if ( ! current_user_can( 'edit_posts' ) ) {
+		if ( ! current_user_can( 'administrator' ) ) {
 			wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
 		}
 

classes/Visualizer/Source/Query.php

@@ -80,7 +80,43 @@ public function fetch( $as_html = false, $results_as_numeric_array = false, $raw
 		}
 
 		// only select queries allowed.
-		if ( preg_match( '/\s*(\binsert\b|\bdelete\b|\bupdate\b|\breplace\b|\bcreate\b|\balter\b|\bdrop\b|\btruncate\b)\s/i', $this->_query ) ) {
+		if ( ! preg_match( '/\s*(\bselect\b)\s/i', $this->_query ) ) {
+			$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );
+			return false;
+		}
+
+		// if previous check passed, check for disallowed query parts to prevent subqueries and other harmful queries.
+		$disallow_query_parts = array(
+			'INSERT',
+			'UPDATE',
+			'DELETE',
+			'RENAME',
+			'DROP',
+			'CREATE',
+			'TRUNCATE',
+			'ALTER',
+			'COMMIT',
+			'ROLLBACK',
+			'MERGE',
+			'CALL',
+			'EXPLAIN',
+			'LOCK',
+			'GRANT',
+			'REVOKE',
+			'SAVEPOINT',
+			'TRANSACTION',
+			'SET',
+		);
+		$disallow_regex = implode(
+			'|',
+			array_map(
+				function ( $value ) {
+					return '\b' . $value . '\b';
+				}, $disallow_query_parts
+			)
+		);
+
+		if ( preg_match( '/(' . $disallow_regex . ')/i', $this->_query) !== 0 ) {
 			$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );
 			return false;
 		}

composer.lock

@@ -20,6 +20,20 @@ class Test_Visualizer_Ajax extends WP_Ajax_UnitTestCase {
 	 */
 	private $admin_user_id;
 
+	/**
+	 * Contributor user ID.
+	 *
+	 * @var int
+	 */
+	private $contibutor_user_id;
+
+	/**
+	 * Subscriber user ID.
+	 *
+	 * @var int
+	 */
+	private $subscriber_user_id;
+
 	/**
 	 * Set up.
 	 */
@@ -32,6 +46,18 @@ public function setUp() {
 		);
 		wp_set_current_user( $this->admin_user_id );
 
+		$this->contibutor_user_id = $this->factory->user->create(
+			array(
+				'role' => 'contributor',
+			)
+		);
+
+		$this->subscriber_user_id = $this->factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
+
 	}
 
 	/**
@@ -113,10 +139,39 @@ public function test_ajax_response_get_query_data_valid_query_with_filtered_colu
 		$this->assertTrue( $response->success );
 	}
 
+	/**
+	 * Test the AJAX response for fetching the database data with user capability.
+	 */
+	public function test_ajax_response_get_query_data_contributor_dissallow() {
+		wp_set_current_user( $this->contibutor_user_id );
+		$this->_setRole( 'contributor' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
+
+		$_POST['params'] = array(
+			'query' => "/**/UPDATE wp_options SET option_value='administrator' WHERE option_name='default_role' --",
+			'chart_id' => 1,
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_FETCH_DB_DATA );
+		} catch ( WPAjaxDieContinueException $e ) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertEquals( 'Action not allowed for this user.', $response->data->msg );
+		$this->assertFalse( $response->success );
+	}
+
 	/**
 	 * Test the AJAX response for fetching the database data with user capability.
 	 */
 	public function test_ajax_response_get_query_data_subcriber_dissallow() {
+		wp_set_current_user( $this->subscriber_user_id );
 		$this->_setRole( 'subscriber' );
 
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
@@ -139,4 +194,31 @@ public function test_ajax_response_get_query_data_subcriber_dissallow() {
 		$this->assertEquals( 'Action not allowed for this user.', $response->data->msg );
 		$this->assertFalse( $response->success );
 	}
+
+	/**
+	 * Test the AJAX response for fetching the database data with invalid query.
+	 */
+	public function test_ajax_response_get_query_data_invalid_query_subquery() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
+
+		$_POST['params'] = array(
+			'query' => "UPDATE wp_options SET option_value = ( SELECT role_name FROM role_configurations WHERE condition = 'specific_condition' LIMIT 1 )WHERE option_name = 'default_role';",
+			'chart_id' => 1,
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_FETCH_DB_DATA );
+		} catch ( WPAjaxDieContinueException $e ) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertEquals( 'Only SELECT queries are allowed', $response->data->msg );
+		$this->assertFalse( $response->success );
+	}
 }