Fix security vulnerabilities

auth0 · Mar 31, 2020 · 43e4d8f · 43e4d8f
1 parent 10b1fc9
commit 43e4d8f
Show file tree

Hide file tree

Showing 16 changed files with 213 additions and 85 deletions.
diff --git a/WP_Auth0.php b/WP_Auth0.php
@@ -368,6 +368,12 @@ function wp_auth0_errorlog_clear_error_log() {
 
 function wp_auth0_export_settings_admin_action() {
 
+ $nonce = $_POST['_wpnonce'] ?? null;
+ if ( ! wp_verify_nonce( $nonce, WP_Auth0_Import_Settings::EXPORT_NONCE_ACTION ) ) {
+ wp_nonce_ays( WP_Auth0_Import_Settings::IMPORT_NONCE_ACTION );
+ exit;
+ }
+
  if ( ! current_user_can( 'manage_options' ) ) {
  wp_die( __( 'Unauthorized.', 'wp-auth0' ) );
  exit;

diff --git a/lib/WP_Auth0_Import_Settings.php b/lib/WP_Auth0_Import_Settings.php
@@ -2,6 +2,10 @@
 
 class WP_Auth0_Import_Settings {
 
+ const IMPORT_NONCE_ACTION = 'wp_auth0_import_settings';
+
+ const EXPORT_NONCE_ACTION = 'wp_auth0_export_settings';
+
  protected $a0_options;
 
  public function __construct( WP_Auth0_Options $a0_options ) {
@@ -14,6 +18,11 @@ public function render_import_settings_page() {
 
  public function import_settings() {
 
+ if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], self::IMPORT_NONCE_ACTION ) ) {
+ wp_nonce_ays( self::IMPORT_NONCE_ACTION );
+ exit;
+ }
+
  if ( ! current_user_can( 'manage_options' ) ) {
  wp_die( __( 'Unauthorized.', 'wp-auth0' ) );
  exit;

diff --git a/lib/WP_Auth0_Routes.php b/lib/WP_Auth0_Routes.php
@@ -131,8 +131,8 @@ protected function coo_fallback() {
  auth0.crossOriginAuthenticationCallback();
  </script></head><body></body></html>',
  esc_url( apply_filters( 'auth0_coo_auth0js_url', WPA0_AUTH0_JS_CDN_URL ) ),
- sanitize_text_field( $this->a0_options->get( 'client_id' ) ),
- sanitize_text_field( $this->a0_options->get_auth_domain() ),
+ esc_attr( $this->a0_options->get( 'client_id' ) ),
+ esc_attr( $this->a0_options->get_auth_domain() ),
  esc_url( $this->a0_options->get_wp_auth0_url( $protocol ) )
  );
  }

diff --git a/lib/initial-setup/WP_Auth0_InitialSetup_AdminUser.php b/lib/initial-setup/WP_Auth0_InitialSetup_AdminUser.php
@@ -2,6 +2,8 @@
 
 class WP_Auth0_InitialSetup_AdminUser {
 
+ const SETUP_NONCE_ACTION = 'wp_auth0_callback_step3';
+
  protected $a0_options;
 
  public function __construct( WP_Auth0_Options $a0_options ) {
@@ -14,6 +16,16 @@ public function render( $step ) {
 
  public function callback() {
 
+ if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], self::SETUP_NONCE_ACTION ) ) {
+ wp_nonce_ays( self::SETUP_NONCE_ACTION );
+ exit;
+ }
+
+ if ( ! current_user_can( 'manage_options' ) ) {
+ wp_die( __( 'Unauthorized.', 'wp-auth0' ) );
+ exit;
+ }
+
  $current_user = wp_get_current_user();
 
  $data = [

diff --git a/lib/initial-setup/WP_Auth0_InitialSetup_ConnectionProfile.php b/lib/initial-setup/WP_Auth0_InitialSetup_ConnectionProfile.php
@@ -2,6 +2,8 @@
 
 class WP_Auth0_InitialSetup_ConnectionProfile {
 
+ const SETUP_NONCE_ACTION = 'wp_auth0_callback_step1';
+
  protected $a0_options;
  protected $domain;
 
@@ -16,6 +18,16 @@ public function render( $step ) {
 
  public function callback() {
 
+ if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], self::SETUP_NONCE_ACTION ) ) {
+ wp_nonce_ays( self::SETUP_NONCE_ACTION );
+ exit;
+ }
+
+ if ( ! current_user_can( 'manage_options' ) ) {
+ wp_die( __( 'Unauthorized.', 'wp-auth0' ) );
+ exit;
+ }
+
  if ( isset( $_REQUEST['apitoken'] ) && ! empty( $_REQUEST['apitoken'] ) ) {
 
  $token = $_REQUEST['apitoken'];

diff --git a/lib/profile/WP_Auth0_Profile_Change_Password.php b/lib/profile/WP_Auth0_Profile_Change_Password.php
@@ -48,14 +48,23 @@ public function validate_new_password( $errors, $user ) {
 
  $field_name = ! empty( $_POST['pass1'] ) ? 'pass1' : 'password_1';
  $new_password = wp_unslash( $_POST[ $field_name ] );
+ $wp_user_id = null;
 
- if ( isset( $_POST['user_id'] ) ) {
- // Input field from user edit or profile update.
- $wp_user_id = absint( $_POST['user_id'] );
- } elseif ( is_object( $user ) && ! empty( $user->ID ) ) {
- // User object passed in from an action.
+ // User object passed in from an action.
+ if ( is_object( $user ) && ! empty( $user->ID ) ) {
  $wp_user_id = absint( $user->ID );
- } else {
+ }
+
+ // Input field from user edit or profile update.
+ if ( ! $wp_user_id && isset( $_POST['user_id'] ) ) {
+ $user_editing_allowed = ( current_user_can( 'edit_users' ) || $_POST['user_id'] == get_current_user_id() );
+
+ if ( $user_editing_allowed ) {
+ $wp_user_id = absint( $_POST['user_id'] );
+ }
+ }
+
+ if ( ! $wp_user_id ) {
  return false;
  }
 

diff --git a/templates/a0-widget-setup-form.php b/templates/a0-widget-setup-form.php
@@ -41,17 +41,17 @@
  <div class="radio-wrapper">
  <input id="<?php echo $this->get_field_id( 'gravatar' ); ?>_yes"
  name="<?php echo $this->get_field_name( 'gravatar' ); ?>"
- type="radio" value="1" <?php echo esc_attr( $gravatar ) == 1 ? 'checked="true"' : ''; ?> />
+ type="radio" value="1" <?php echo $gravatar == 1 ? 'checked="true"' : ''; ?> />
  <label for="<?php echo $this->get_field_id( 'gravatar' ); ?>_yes"><?php _e( 'Yes', 'wp-auth0' ); ?></label>
  &nbsp;
  <input id="<?php echo $this->get_field_id( 'gravatar' ); ?>_no"
  name="<?php echo $this->get_field_name( 'gravatar' ); ?>"
- type="radio" value="0" <?php echo esc_attr( $gravatar ) == 0 ? 'checked="true"' : ''; ?> />
+ type="radio" value="0" <?php echo $gravatar == 0 ? 'checked="true"' : ''; ?> />
  <label for="<?php echo $this->get_field_id( 'gravatar' ); ?>_no"><?php _e( 'No', 'wp-auth0' ); ?></label>
  &nbsp;
  <input id="<?php echo $this->get_field_id( 'gravatar' ); ?>_inherit"
  name="<?php echo $this->get_field_name( 'gravatar' ); ?>"
- type="radio" value="" <?php echo esc_attr( $gravatar ) === '' ? 'checked="true"' : ''; ?> />
+ type="radio" value="" <?php echo $gravatar === '' ? 'checked="true"' : ''; ?> />
  <label for="<?php echo $this->get_field_id( 'gravatar' ); ?>_inherit"><?php _e( 'Default Setting', 'wp-auth0' ); ?></label>
  </div>
 
@@ -60,7 +60,7 @@
  <label for="<?php echo $this->get_field_id( 'icon_url' ); ?>"><?php _e( 'Icon URL:', 'wp-auth0' ); ?></label>
  <input type="text" id="<?php echo $this->get_field_id( 'icon_url' ); ?>"
  name="<?php echo $this->get_field_name( 'icon_url' ); ?>"
- value="<?php echo $icon_url; ?>"/>
+ value="<?php echo esc_attr( $icon_url ); ?>"/>
  <a href="javascript:void(0);" id="wpa0_choose_icon"
  related="<?php echo $this->get_field_id( 'icon_url' ); ?>"
  class="button-secondary"><?php _e( 'Choose Icon', 'wp-auth0' ); ?></a>
@@ -69,7 +69,7 @@ class="button-secondary"><?php _e( 'Choose Icon', 'wp-auth0' ); ?></a>
 <p>
  <label for="<?php echo $this->get_field_id( 'dict' ); ?>"><?php _e( 'Translation:', 'wp-auth0' ); ?></label>
  <textarea class="widefat" id="<?php echo $this->get_field_id( 'dict' ); ?>"
- name="<?php echo $this->get_field_name( 'dict' ); ?>"><?php echo $dict; ?></textarea>
+ name="<?php echo $this->get_field_name( 'dict' ); ?>"><?php echo sanitize_text_field( $dict ); ?></textarea>
  <br><span class="description">
  <?php _e( 'The languageDictionary parameter for the Auth0 login form. ', 'wp-auth0' ); ?>
  </span>
@@ -91,7 +91,7 @@ class="button-secondary"><?php _e( 'Choose Icon', 'wp-auth0' ); ?></a>
 <p>
  <label for="<?php echo $this->get_field_id( 'extra_conf' ); ?>"><?php _e( 'Extra Settings', 'wp-auth0' ); ?></label>
  <textarea class="widefat" id="<?php echo $this->get_field_id( 'extra_conf' ); ?>"
- name="<?php echo $this->get_field_name( 'extra_conf' ); ?>"><?php echo $extra_conf; ?></textarea>
+ name="<?php echo $this->get_field_name( 'extra_conf' ); ?>"><?php echo sanitize_text_field( $extra_conf ); ?></textarea>
  <br><span class="description">
  <?php _e( 'Valid JSON for Lock options configuration; will override all options set elsewhere.', 'wp-auth0' ); ?>
  <a target="_blank" href="https://auth0.com/docs/libraries/lock/v11/configuration"><?php _e( 'See options and examples', 'wp-auth0' ); ?></a>

diff --git a/templates/import_settings.php b/templates/import_settings.php
@@ -27,14 +27,14 @@
  <div class="tab-pane" id="panel-import" style="display: block">
 
  <form action="options.php" method="post" enctype="multipart/form-data">
- <input type="hidden" name="action" value="wpauth0_import_settings" />
-
  <p class="a0-step-text top-margin">
  <?php
  _e( 'Paste the settings JSON in the field below. ', 'wp-auth0' );
  _e( 'Settings that are not in the imported JSON will use existing values. ', 'wp-auth0' );
  _e( 'Setting values will be validated so check the final values once import is complete. ', 'wp-auth0' );
  ?>
+ <input type="hidden" name="action" value="wpauth0_import_settings" />
+ <?php wp_nonce_field( WP_Auth0_Import_Settings::IMPORT_NONCE_ACTION ); ?>
  <div class="a0-step-text top-margin"><textarea name="settings-json" class="large-text code" rows="6"></textarea></div>
 
  <div class="a0-buttons">
@@ -47,7 +47,8 @@
  <div class="tab-pane" id="panel-export" style="display: none">
 
  <form action="options.php" method="post">
- <input type="hidden" name="action" value="wpauth0_export_settings" />
+ <?php wp_nonce_field( WP_Auth0_Import_Settings::EXPORT_NONCE_ACTION ); ?>
+ <input type="hidden" name="action" value="wpauth0_export_settings" />
 
  <p class="a0-step-text top-margin"><?php _e( 'Download the entire plugin configuration.', 'wp-auth0' ); ?></p>
 

diff --git a/templates/initial-setup/admin-creation.php b/templates/initial-setup/admin-creation.php
@@ -22,6 +22,7 @@
  <?php } ?>
 
  <form action="options.php" method="POST">
+ <?php wp_nonce_field( WP_Auth0_InitialSetup_AdminUser::SETUP_NONCE_ACTION ); ?>
 
  <div class="row">
  <div class="a0-admin-creation col-sm-6 col-xs-10">

diff --git a/templates/initial-setup/connection_profile.php b/templates/initial-setup/connection_profile.php
@@ -31,7 +31,7 @@
  <li><?php _e( 'Delete the Domain, Client ID, and Client Secret and save changes.', 'wp-auth0' ); ?></li>
  <li><?php _e( 'Delete the created Application ', 'wp-auth0' ); ?>
  <a target="_blank"
- href="https://manage.auth0.com/#/applications/<?php echo wp_auth0_get_option( 'client_id' ); ?>/settings" >
+ href="https://manage.auth0.com/#/applications/<?php echo esc_attr( wp_auth0_get_option( 'client_id' ) ); ?>/settings" >
  <?php _e( 'here', 'wp-auth0' ); ?>
  </a>
  </li>
@@ -59,6 +59,7 @@
  </div>
 
  <form action="options.php" method="POST">
+ <?php wp_nonce_field( WP_Auth0_InitialSetup_ConnectionProfile::SETUP_NONCE_ACTION ); ?>
  <input type="hidden" name="action" value="wpauth0_callback_step1" />
  <h3><?php _e( 'Standard Setup', 'wp-auth0' ); ?></h3>
  <p>
@@ -89,6 +90,7 @@
  </form>
 
  <form action="options.php" method="POST">
+ <?php wp_nonce_field( WP_Auth0_InitialSetup_ConnectionProfile::SETUP_NONCE_ACTION ); ?>
  <input type="hidden" name="action" value="wpauth0_callback_step1"/>
  <h3><?php _e( 'User Migration Setup', 'wp-auth0' ); ?></h3>
  <p>

diff --git a/templates/initial-setup/connections.php b/templates/initial-setup/connections.php
@@ -1,7 +1,3 @@
-<?php
-$options = WP_Auth0_Options::Instance();
-$next_step = $options->get( 'migration_ws' ) ? 4 : 3;
-?>
 <div class="a0-wrap settings wrap">
 
  <div class="container-fluid">
@@ -17,15 +13,15 @@
  <div class="row">
  <div class="a0-buttons">
  <a href="https://manage.auth0.com/#/applications/
- <?php echo $options->get( 'client_id' ); ?>
+ <?php echo esc_attr( wp_auth0_get_option( 'client_id' ) ); ?>
  /connections" class="a0-button primary" target="_blank">
  <?php
  _e( 'Configure Connections', 'wp-auth0' );
  ?>
  </a>
  <a class="a0-button primary" href="
  <?php
- echo admin_url( "admin.php?page=wpa0-setup&step={$next_step}" );
+ echo admin_url( 'admin.php?page=wpa0-setup&step=' . ( wp_auth0_get_option( 'migration_ws' ) ? 4 : 3 ) );
  ?>
  " >
  <?php

diff --git a/tests/classes/WP_Auth0_Test_Case.php b/tests/classes/WP_Auth0_Test_Case.php
@@ -98,6 +98,10 @@ public function tearDown() {
  $this->stopWpDieHalting();
  }
 
+ if ( method_exists( $this, 'setGlobalUser' ) ) {
+ $this->setGlobalUser( 1 );
+ }
+
  global $wpdb;
  delete_user_meta( 1, $wpdb->prefix . 'auth0_id' );
  delete_user_meta( 1, $wpdb->prefix . 'auth0_obj' );