REST API: Harden Real Time Collaboration endpoint.

Adds additional validation and permission checks the the Real Time Collaboration endpoint to ensure only input in the expected format is supported.

Props czarate, westonruter, joefusco.
Fixes #64890.



Built from https://develop.svn.wordpress.org/trunk@62198


git-svn-id: http://core.svn.wordpress.org/trunk@61478 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/collaboration/class-wp-http-polling-sync-server.php

@@ -37,6 +37,30 @@ class WP_HTTP_Polling_Sync_Server {
 	 */
 	const COMPACTION_THRESHOLD = 50;
 
+	/**
+	 * Maximum total size (in bytes) of the request body.
+	 *
+	 * @since 7.0.0
+	 * @var int
+	 */
+	const MAX_BODY_SIZE = 16 * MB_IN_BYTES;
+
+	/**
+	 * Maximum number of rooms allowed per request.
+	 *
+	 * @since 7.0.0
+	 * @var int
+	 */
+	const MAX_ROOMS_PER_REQUEST = 50;
+
+	/**
+	 * Maximum length of a single update data string.
+	 *
+	 * @since 7.0.0
+	 * @var int
+	 */
+	const MAX_UPDATE_DATA_SIZE = MB_IN_BYTES;
+
 	/**
 	 * Sync update type: compaction.
 	 *
@@ -96,8 +120,9 @@ class WP_HTTP_Polling_Sync_Server {
 		$typed_update_args = array(
 			'properties' => array(
 				'data' => array(
-					'type'     => 'string',
-					'required' => true,
+					'type'      => 'string',
+					'required'  => true,
+					'maxLength' => self::MAX_UPDATE_DATA_SIZE,
 				),
 				'type' => array(
 					'type'     => 'string',
@@ -149,12 +174,14 @@ class WP_HTTP_Polling_Sync_Server {
 				'methods'             => array( WP_REST_Server::CREATABLE ),
 				'callback'            => array( $this, 'handle_request' ),
 				'permission_callback' => array( $this, 'check_permissions' ),
+				'validate_callback'   => array( $this, 'validate_request' ),
 				'args'                => array(
 					'rooms' => array(
 						'items'    => array(
 							'properties' => $room_args,
 							'type'       => 'object',
 						),
+						'maxItems' => self::MAX_ROOMS_PER_REQUEST,
 						'required' => true,
 						'type'     => 'array',
 					),
@@ -223,6 +250,30 @@ class WP_HTTP_Polling_Sync_Server {
 		return true;
 	}
 
+	/**
+	 * Validates that the request body does not exceed the maximum allowed size.
+	 *
+	 * Runs as the route-level validate_callback, after per-arg schema
+	 * validation has already passed.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param WP_REST_Request $request The REST request.
+	 * @return true|WP_Error True if valid, WP_Error if the body is too large.
+	 */
+	public function validate_request( WP_REST_Request $request ) {
+		$body = $request->get_body();
+		if ( is_string( $body ) && strlen( $body ) > self::MAX_BODY_SIZE ) {
+			return new WP_Error(
+				'rest_sync_body_too_large',
+				__( 'Request body is too large.' ),
+				array( 'status' => 413 )
+			);
+		}
+
+		return true;
+	}
+
 	/**
 	 * Handles request: stores sync updates and awareness data, and returns
 	 * updates the client is missing.
@@ -278,24 +329,47 @@ class WP_HTTP_Polling_Sync_Server {
 	 *
 	 * @param string      $entity_kind The entity kind, e.g. 'postType', 'taxonomy', 'root'.
 	 * @param string      $entity_name The entity name, e.g. 'post', 'category', 'site'.
-	 * @param string|null $object_id   The object ID / entity key for single entities, null for collections.
+	 * @param string|null $object_id   The numeric object ID / entity key for single entities, null for collections.
 	 * @return bool True if user has permission, otherwise false.
 	 */
 	private function can_user_sync_entity_type( string $entity_kind, string $entity_name, ?string $object_id ): bool {
-		// Handle single post type entities with a defined object ID.
-		if ( 'postType' === $entity_kind && is_numeric( $object_id ) ) {
-			return current_user_can( 'edit_post', (int) $object_id );
+		if ( is_string( $object_id ) ) {
+			if ( ! ctype_digit( $object_id ) ) {
+				return false;
+			}
+			$object_id = (int) $object_id;
+		}
+		if ( null !== $object_id && $object_id <= 0 ) {
+			// Object ID must be numeric if provided.
+			return false;
 		}
 
-		// Handle single taxonomy term entities with a defined object ID.
-		if ( 'taxonomy' === $entity_kind && is_numeric( $object_id ) ) {
-			$taxonomy = get_taxonomy( $entity_name );
-			return isset( $taxonomy->cap->assign_terms ) && current_user_can( $taxonomy->cap->assign_terms );
-		}
+		// Validate permissions for the provided object ID.
+		if ( is_int( $object_id ) ) {
+			// Handle single post type entities with a defined object ID.
+			if ( 'postType' === $entity_kind ) {
+				if ( get_post_type( $object_id ) !== $entity_name ) {
+					// Post is not of the specified post type.
+					return false;
+				}
+				return current_user_can( 'edit_post', $object_id );
+			}
 
-		// Handle single comment entities with a defined object ID.
-		if ( 'root' === $entity_kind && 'comment' === $entity_name && is_numeric( $object_id ) ) {
-			return current_user_can( 'edit_comment', (int) $object_id );
+			// Handle single taxonomy term entities with a defined object ID.
+			if ( 'taxonomy' === $entity_kind ) {
+				$term_exists = term_exists( $object_id, $entity_name );
+				if ( ! is_array( $term_exists ) || ! isset( $term_exists['term_id'] ) ) {
+					// Either term doesn't exist OR term is not in specified taxonomy.
+					return false;
+				}
+
+				return current_user_can( 'edit_term', $object_id );
+			}
+
+			// Handle single comment entities with a defined object ID.
+			if ( 'root' === $entity_kind && 'comment' === $entity_name ) {
+				return current_user_can( 'edit_comment', $object_id );
+			}
 		}
 
 		// All the remaining checks are for collections. If an object ID is provided,

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.1-alpha-62196';
+$wp_version = '7.1-alpha-62198';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.