Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#11296
chriszarate wants to merge 10 commits into WordPress:trunk from
Conversation
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the

Core Committers: Use this line as a base for the props when committing in SVN:

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of:

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.
8d50677 to 5c5e67b
| // Handle single post type entities with a defined object ID. | ||
| if ( 'postType' === $entity_kind && is_numeric( $object_id ) ) { | ||
| if ( get_post_type( $object_id ) !== $entity_name ) { |
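Review bot: the `is_numeric( $object_id )` guard on the first line of this hunk still admits values that are not positive integer IDs, such as "1.5", "1e3" or a string with leading whitespace, and `get_post_type( $object_id )` on the next line then casts them to an integer, so a malformed ID can be resolved against a different post than the one the client named. Before comparing the post type, check that the value is an integer-shaped string of at least 1, for example `if ( (string) (int) $object_id !== (string) $object_id || (int) $object_id < 1 )`, and reject the request in that branch instead of falling through to the lookup. That also makes the zero-ID and "1abc" cases listed in the test commit fail for the same reason rather than by accident of how `get_post()` treats falsy input.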
I noticed a type issue here:
I've added 7fd0372 to improve this. With this change, $object_id is guaranteed to be int<1, max>|null.
src/wp-includes/collaboration/class-wp-http-polling-sync-server.php
Pull request overview
Hardens the WP_HTTP_Polling_Sync_Server REST endpoint (/wp-sync/v1/updates) by tightening request validation limits and strengthening permission checks to better protect collaboration sync operations.
Changes:
- Add route-level request body size validation plus schema constraints (maxItems for rooms, maxLength for update data).
- Harden entity permission checks for object-scoped rooms (post type matching, term/comment checks).
- Add PHPUnit coverage for new schema/route validation behavior (type/enum/required fields, maxItems/maxLength, oversized body).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tests/phpunit/tests/rest-api/rest-sync-server.php | Adds REST validation tests for schema enforcement and oversized body rejection. |
| src/wp-includes/collaboration/class-wp-http-polling-sync-server.php | Introduces new size/limit constants, route-level validation callback, and tighter per-entity permission checks. |
| /** | ||
| * Maximum size (in bytes) of a single update data string. | ||
| * | ||
| * @since 7.0.0 | ||
| * @var int | ||
| */ | ||
| const MAX_UPDATE_DATA_SIZE = MB_IN_BYTES; |
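Review bot: the docblock on this constant says "in bytes" while the value is applied as the schema's `maxLength`, which is evaluated as a character count, so the bound only equals a byte bound for single-byte strings. Either change the wording to "Maximum length (in characters) of a single update data string", or, if a byte ceiling is the intent, enforce it with `strlen()` on the decoded value in a validate callback and keep `maxLength` as a coarser first filter.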
MAX_UPDATE_DATA_SIZE is documented as a size "in bytes", but it's currently enforced via the REST schema's maxLength (character count). If this is intended to limit the encoded string length, consider updating the docblock wording to avoid implying decoded byte size enforcement.
src/wp-includes/collaboration/class-wp-http-polling-sync-server.php
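To make the byte-versus-character distinction raised in the review concrete, here is an added example (not code from this PR or from WordPress core) of a REST route that applies both kinds of limit: a route-level validate callback that bounds the raw request body in bytes with strlen(), and an argument schema that bounds the number of rooms with maxItems and each update string with maxLength. The namespace, route, constant names, payload shape and callback names are assumptions made for illustration and do not reflect the sync server's actual contract.

```php
<?php
/**
 * Added example, not the PR's code: two layers of input limiting on a REST route.
 * All names and limits below are assumptions chosen for illustration.
 */

// Assumed limits. MB_IN_BYTES is WordPress's 1024 * 1024 constant.
const EXAMPLE_MAX_BODY_BYTES   = 2 * MB_IN_BYTES; // raw request body, counted in bytes
const EXAMPLE_MAX_UPDATE_CHARS = MB_IN_BYTES;     // per-update string, counted in characters
const EXAMPLE_MAX_ROOMS        = 50;              // entries in the "rooms" array

/**
 * Route-level validation. The raw body is only visible here, so this is the
 * place to enforce a byte ceiling; schema maxLength cannot express bytes.
 */
function example_validate_sync_body( WP_REST_Request $request ) {
	// strlen() counts bytes; mb_strlen() would count characters instead.
	if ( strlen( $request->get_body() ) > EXAMPLE_MAX_BODY_BYTES ) {
		return new WP_Error(
			'rest_request_too_large',
			__( 'Request body exceeds the maximum allowed size.' ),
			array( 'status' => 413 )
		);
	}
	return true;
}

/**
 * Request handler (assumed). Anything reaching this point has passed both
 * the byte-level body check and the per-argument schema validation.
 */
function example_handle_sync_updates( WP_REST_Request $request ) {
	return rest_ensure_response( array( 'rooms_received' => count( $request['rooms'] ) ) );
}

function example_register_sync_route() {
	register_rest_route(
		'example-sync/v1',
		'/updates',
		array(
			'methods'             => WP_REST_Server::CREATABLE,
			'callback'            => 'example_handle_sync_updates',
			'permission_callback' => function () {
				// Assumed policy: any authenticated user; the PR adds finer per-entity checks.
				return is_user_logged_in();
			},
			'validate_callback'   => 'example_validate_sync_body',
			'args'                => array(
				'rooms' => array(
					'type'     => 'array',
					'required' => true,
					'maxItems' => EXAMPLE_MAX_ROOMS,
					'items'    => array(
						'type'       => 'object',
						'properties' => array(
							'updates' => array(
								'type'  => 'array',
								'items' => array(
									'type'      => 'string',
									// maxLength is a character limit, not a byte limit:
									// a string of N multibyte characters occupies more than N bytes.
									'maxLength' => EXAMPLE_MAX_UPDATE_CHARS,
								),
							),
						),
					),
				),
			),
		)
	);
}
add_action( 'rest_api_init', 'example_register_sync_route' );
```

The ordering matters for the reviewer's point: maxLength on its own lets a payload of one million multibyte characters pass while occupying several megabytes, so the byte bound belongs where the raw body is available, and the schema limits then act as a per-field shape check rather than as the resource ceiling.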
ebab9ea to 9dd286b
Add targeted REST tests for permission checks in can_user_sync_entity_type() that previously lacked coverage:

- Malformed object ID (non-numeric string like "1abc") rejected
- Zero object ID rejected
- Post type mismatch (e.g. postType/page for a post) rejected
- Valid taxonomy term sync allowed
- Non-existent taxonomy term rejected
- Taxonomy term in wrong taxonomy rejected
- Valid comment sync allowed
- Non-existent comment rejected
- Non-existent post type collection rejected
Harden WP_HTTP_Polling_Sync_Server endpoints to add additional validation and permission checks.

Props @peterwilsoncc for contributions.
Trac ticket: https://core.trac.wordpress.org/ticket/64890