Cavemanon/piratepoet
7
Fork 0
Code Pull Requests Actions Releases 16 Activity

Sanitize unknown params

Browse Source 
[MAILPOET-4207]
This commit is contained in:
Jan Jakes
2022-04-13 10:52:55 +02:00
committed by Veljko V
parent 679f2200bd
commit 29df2dddb6
2 changed files with 25 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
mailpoet/lib/Automation/Engine/API/API.php
View File

@ -60,9 +60,10 @@ class API {
$this->wordPress->registerRestRoute(self::PREFIX, $route, [ $this->wordPress->registerRestRoute(self::PREFIX, $route, [
'methods' => $method, 'methods' => $method,
'callback' => function (WP_REST_Request $wpRequest) use ($endpointClass) { 'callback' => function (WP_REST_Request $wpRequest) use ($endpointClass, $schema) {
try { try {
$endpoint = $this->endpointContainer->get($endpointClass); $endpoint = $this->endpointContainer->get($endpointClass);
$wpRequest = $this->sanitizeUnknownParams($wpRequest, $schema);
$request = new Request($wpRequest); $request = new Request($wpRequest);
return $endpoint->handle($request); return $endpoint->handle($request);
} catch (Throwable $e) { } catch (Throwable $e) {
@ -87,4 +88,15 @@ class API {
} }
return $response; return $response;
} }
private function sanitizeUnknownParams(WP_REST_Request $wpRequest, array $args): WP_REST_Request {
// Remove all params that are not declared in the schema, so we use just the validated ones.
// Note that this doesn't work recursively for object properties as it is harder to solve
// with features like oneOf, anyOf, additional properties, or pattern properties.
$extraParams = array_diff(array_keys($wpRequest->get_params()), array_keys($args));
foreach ($extraParams as $extraParam) {
unset($wpRequest[(string)$extraParam]);
}
return $wpRequest;
}
} }

16
mailpoet/tests/integration/REST/Automation/API/EndpointTest.php
View File

@ -32,7 +32,6 @@ class EndpointTest extends Test {
'integer-2' => '-123', 'integer-2' => '-123',
'boolean-1' => '0', 'boolean-1' => '0',
'boolean-2' => 'true', 'boolean-2' => 'true',
'extra' => 'raw',
]]); ]]);
$this->assertInstanceOf(Request::class, $request); $this->assertInstanceOf(Request::class, $request);
@ -46,7 +45,6 @@ class EndpointTest extends Test {
'integer-2' => -123, 'integer-2' => -123,
'boolean-1' => false, 'boolean-1' => false,
'boolean-2' => true, 'boolean-2' => true,
'extra' => 'raw',
], $request->getParams()); ], $request->getParams());
} }
@ -66,7 +64,6 @@ class EndpointTest extends Test {
'integer-2' => -123, 'integer-2' => -123,
'boolean-1' => 0, 'boolean-1' => 0,
'boolean-2' => true, 'boolean-2' => true,
'extra' => 'raw',
]]); ]]);
$this->assertInstanceOf(Request::class, $request); $this->assertInstanceOf(Request::class, $request);
@ -80,7 +77,6 @@ class EndpointTest extends Test {
'integer-2' => -123, 'integer-2' => -123,
'boolean-1' => false, 'boolean-1' => false,
'boolean-2' => true, 'boolean-2' => true,
'extra' => 'raw',
], $request->getParams()); ], $request->getParams());
} }
@ -99,6 +95,18 @@ class EndpointTest extends Test {
], $response); ], $response);
} }
public function testExtraParam(): void {
$path = strtolower(__FUNCTION__);
$request = null;
$this->registerTestingGetRoute($path, function (Request $req) use (&$request) {
$request = $req;
});
$this->get("$this->prefix/$path", ['query' => ['required' => 'required', 'extra' => 'extra']]);
$this->assertInstanceOf(Request::class, $request);
$this->assertSame($request->getParams(), ['required' => 'required']);
}
private function registerTestingGetRoute(string $path, callable $requestCallback = null): void { private function registerTestingGetRoute(string $path, callable $requestCallback = null): void {
$api = $this->createApi($requestCallback); $api = $this->createApi($requestCallback);
$api->registerGetRoute("mailpoet-api-testing-route/$path", Endpoint::class); $api->registerGetRoute("mailpoet-api-testing-route/$path", Endpoint::class);