gocodebox / lifterlms

LifterLMS, a WordPress LMS Solution: Easily create, sell, and protect engaging online courses.
https://lifterlms.com
GNU General Public License v3.0

Fixes to Security Issues Reported by Signal Labs #2628

Closed ideadude closed 5 months ago

ideadude commented 5 months ago

Description

On March 18th, Signal Labs shared a vulnerability report with 5 security issues.

  1. There were XSS vulnerabilities, which have been fixed by this PR.
  2. TPDF and assignment downloads with missing permission checks that could be exploited. These are fixed in this PR and others in the affected add-ons.
  3. An unlimited number of assignment files could be uploaded by directly posting to the endpoints. This has been fixed in a PR to the affected assignments add-on.
  4. The my-grades endpoint was vulnerable to SQL injections which could be used for DDoS attacks. This has been fixed in this PR.

A fifth issue around nonces being used more than once was reported back to Signal Labs as "will not fix". This is a known issue with WordPress nonces. More information can be found here: https://developer.wordpress.org/news/2023/08/01/understand-and-use-wordpress-nonces-properly/

We don't feel the need currently to implement "true" one-time-use nonces for any of the form submissions or actions managed by the LifterLMS codebase.

Thanks again to Signal Labs for the responsible disclosure of these issues.

How has this been tested?

Manually and some unit testing.

Checklist:
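As an added illustration (not LifterLMS's own code), a WordPress-style handler showing the three controls the description refers to: a nonce check, the ownership/capability check that the download endpoints lacked, and a prepared, whitelisted query for a grades lookup. All function names, hooks, table usage and meta keys below are hypothetical.

```php
<?php
// Added example (not LifterLMS code). Names, hooks and meta keys are hypothetical.

function example_handle_assignment_download() {
    // 1. Nonce: ties the request to a form this user was shown. As the PR notes,
    //    core WP nonces are time-windowed, not single-use, so this is CSRF
    //    protection only and never a substitute for the authorization check.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_download_assignment' ) ) {
        wp_die( esc_html__( 'Invalid or expired link.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Authorization: the missing piece in the reported download issues.
    //    The requester must own the submission or be allowed to grade it.
    $assignment_id = isset( $_GET['assignment'] ) ? absint( $_GET['assignment'] ) : 0;
    $owner_id      = (int) get_post_meta( $assignment_id, '_example_student_id', true ); // hypothetical key
    $user_id       = get_current_user_id();
    if ( ! $user_id || ( $user_id !== $owner_id && ! current_user_can( 'edit_others_posts' ) ) ) {
        wp_die( esc_html__( 'You are not allowed to download this file.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 3. Serve only a path stored server-side, never one taken from the request.
    $path = get_post_meta( $assignment_id, '_example_upload_path', true ); // hypothetical key
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( esc_html__( 'File not found.', 'example' ), '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
// admin_post_* only fires for logged-in users; no admin_post_nopriv_* twin is registered.
add_action( 'admin_post_example_download_assignment', 'example_handle_assignment_download' );

// Grades lookup: values from the request are bound with $wpdb->prepare() and
// the sort direction is whitelisted, so no request value can alter the SQL.
function example_get_grades( $student_id, $order ) {
    global $wpdb;
    $order = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC'; // whitelist, never interpolate
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_id, meta_value FROM {$wpdb->postmeta}
             WHERE meta_key = %s AND post_id IN
               ( SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %d )
             ORDER BY post_id {$order}",
            '_example_grade', '_example_student_id', absint( $student_id )
        )
    );
}
```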