pronamic / wp-pay-core

Core components for the WordPress payment processing library. This library is used in the WordPress plugin Pronamic Pay: https://www.pronamicpay.com/, but also allows other plugin developers to set up a payment plugin.
https://www.wp-pay.org/
GNU General Public License v3.0
27 stars 3 forks

Allowing Direct File Access to plugin files #144

Closed remcotolsma closed 1 year ago

remcotolsma commented 1 year ago

From the WordPress.org plugin review team:

Direct file access is when someone directly queries your file. This can be done by simply entering the complete path to the file in the URL bar of the browser but can also be done by doing a POST request directly to the file. For files that only contain a PHP class the risk of something funky happening when directly accessed is pretty small. For files that contain procedural code, functions and function calls, the chance of security risks is a lot bigger.

You can avoid this by putting this code at the top of all php files:

if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

Example(s) from your plugin:

pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay-gateways/mollie/views/page-mollie.php:13 
pronamic-pay-with-mollie-for-woocommerce/packages/woocommerce/action-scheduler/lib/WP_Async_Request.php:15 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay/core/views/meta-box-form-options.php:14 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay/core/views/pointer-dashboard.php:12 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay-gateways/mollie/views/meta-box-payment.php:14 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay/core/views/meta-box-gateway-test.php:16 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-update.php:16 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay/core/views/pointer-start.php:12 
pronamic-pay-with-mollie-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-info.php:18 

... out of a total of 41 coincidences.

remcotolsma commented 1 year ago

Fixed in https://github.com/pronamic/wp-pay-core/commit/94869c53486eefaae03372c7b3f5726a73f1299b and https://github.com/pronamic/wp-pronamic-pay-mollie/commit/48c927b97f30e9ff8b87d3b346589ac849001aa4, asked the plugin review team for a sniff:

I received a review from the plugin review team with a section “Allowing Direct File Access to plugin files” and a list of files from the reviewed plugin: “Example(s) from your plugin” ... “... out of a total of 41 coincidences.” Does the review team use a certain WordPress Coding Standards sniff for this? I found this related issue: https://github.com/WordPress/WordPress-Coding-Standards/issues/1850. The review email does not list all the files, if we can check it with a sniff that would be great.

https://wordpress.slack.com/archives/C1LBM36LC/p1692695272604879
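A minimal stand-in for the sniff asked for above, covering the guard the review team describes in the first comment; this is an added example, not code from wp-pay-core, WordPress Coding Standards or the review team. For every .php file under a directory (the command-line argument and the "path:line" output format are assumptions) it reports the first statement that would run on a direct request unless that statement is the `defined( 'ABSPATH' )` check; declare, namespace and use statements are allowed before the guard because `declare(strict_types=1)` has to be the first statement of a file.

```php
<?php
// Added example (not wp-pay-core, WPCS or review-team code): a stand-in for the
// direct-file-access sniff. Returns null when the first real statement is the
// ABSPATH guard, otherwise the line of that statement.
function find_unguarded_line( string $source ): ?int {
	$ignore  = [ T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ];
	$prelude = [ T_DECLARE, T_NAMESPACE, T_USE ]; // may legitimately precede the guard
	$tokens  = token_get_all( $source );
	$n       = count( $tokens );
	$line    = 1;
	for ( $i = 0; $i < $n; $i++ ) {
		$t = $tokens[ $i ];
		if ( is_array( $t ) && in_array( $t[0], $ignore, true ) ) {
			$line = $t[2] + substr_count( $t[1], "\n" ); // the next token starts here
		} elseif ( is_array( $t ) && in_array( $t[0], $prelude, true ) ) {
			while ( $i < $n && ';' !== $tokens[ $i ] ) { // skip to the end of the statement
				$i++;
			}
		} else {
			break; // first statement a direct request would execute
		}
	}
	// Text of the first statement up to its ';' or '{'; the guard has to be in it.
	$stmt = '';
	for ( $j = $i; $j < $n && ! in_array( $tokens[ $j ], [ ';', '{' ], true ); $j++ ) {
		$stmt .= is_array( $tokens[ $j ] ) ? $tokens[ $j ][1] : $tokens[ $j ];
	}
	if ( $i >= $n || preg_match( '/defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)/', $stmt ) ) {
		return null; // nothing executable at all, or the file starts with the guard
	}
	// Array tokens carry their own line; bare one-character tokens fall back to $line.
	return is_array( $tokens[ $i ] ) ? $tokens[ $i ][2] : $line;
}

// Walks a plugin checkout and returns "path:line" entries like the review listed.
function scan_plugin_dir( string $dir ): array {
	$hits = [];
	$iter = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
	foreach ( $iter as $file ) {
		$line = 'php' === $file->getExtension() ? find_unguarded_line( (string) file_get_contents( $file->getPathname() ) ) : null;
		if ( null !== $line ) {
			$hits[] = $file->getPathname() . ':' . $line;
		}
	}
	sort( $hits );
	return $hits;
}

foreach ( scan_plugin_dir( $argv[1] ?? '.' ) as $hit ) {
	echo $hit, PHP_EOL;
}
```

Like the review's own list (which includes the class file WP_Async_Request.php), this flags class-only files too; a file that only declares a class is low risk when loaded directly, but the guard is still cheap to add.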

remcotolsma commented 1 year ago