From 352a4b82e79dc2b275b40b2adce1eaf3adf3d706 Mon Sep 17 00:00:00 2001
From: Pavel Dohnal
Date: Mon, 27 May 2019 10:44:52 +0200
Subject: [PATCH] Accept only whitelisted fields in addList API [MAILPOET-2093]

---
 lib/API/MP/v1/API.php | 7 ++++---
 tests/integration/API/MP/APITest.php | 12 ++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/lib/API/MP/v1/API.php b/lib/API/MP/v1/API.php
index a246fc4b6c..2a977f6634 100644
--- a/lib/API/MP/v1/API.php
+++ b/lib/API/MP/v1/API.php
@@ -213,9 +213,7 @@ class API {
     list($default_fields, $custom_fields) = Subscriber::extractCustomFieldsFromFromObject($subscriber);
 
     // filter out all incoming data that we don't want to change, like status, ip address, ...
-    $default_fields = array_intersect_key($default_fields, array_flip([
-      'email', 'first_name', 'last_name'
-    ]));
+    $default_fields = array_intersect_key($default_fields, array_flip(['email', 'first_name', 'last_name']));
 
     // if some required default fields are missing, set their values
     $default_fields = Subscriber::setRequiredFieldsDefaultValues($default_fields);
@@ -272,6 +270,9 @@ class API {
       );
     }
 
+    // filter out all incoming data that we don't want to change, like type,
+    $list = array_intersect_key($list, array_flip(['name', 'description']));
+
     // add list
     $new_list = Segment::create();
     $new_list->hydrate($list);
diff --git a/tests/integration/API/MP/APITest.php b/tests/integration/API/MP/APITest.php
index b03538868c..f189ccebda 100644
--- a/tests/integration/API/MP/APITest.php
+++ b/tests/integration/API/MP/APITest.php
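Review bot: The comment added in the second hunk, `// filter out all incoming data that we don't want to change, like type,`, ends mid-sentence, so a reader cannot tell whether `type` is the only field meant or whether the list was cut off; I would write `// accept only the fields a caller may set; everything else (e.g. type) is dropped before hydrate()`. The literal `['name', 'description']` is now the single definition of the writable surface of addList, so it is worth lifting into a named class constant that the test can reference instead of duplicating the expectation by hand. addList starts before this hunk, so whether the name/description values themselves are validated is not visible here.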
@@ -586,6 +586,18 @@ class APITest extends \MailPoetTest {
     }
   }
 
+  function testItDoesOnlySaveWhiteListedPropertiesWhenAddingList() {
+    $result = $this->getApi()->addList([
+      'name' => 'Test segment123',
+      'description' => 'Description',
+      'type' => 'ignore this field',
+    ]);
+    expect($result['id'])->greaterThan(0);
+    expect($result['name'])->equals('Test segment123');
+    expect($result['description'])->equals('Description');
+    expect($result['type'])->equals('default');
+  }
+
   function testItDoesNotAddExistingList() {
     $segment = Segment::create();
     $segment->name = 'Test segment';
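Review bot: The new test probes the allow-list with a single disallowed key, `type`, so it would not catch a regression where a different unlisted key passes through; an accepted `id` would presumably be the more consequential override, since hydrate() is fed the filtered array directly. Adding a second ignored key to the input, e.g. `'id' => 123456,` together with `expect($result['id'])->notEquals(123456);`, pins the property the commit title claims rather than one field of it. The assertion `expect($result['type'])->equals('default')` also couples the test to the model's default value; asserting `notEquals('ignore this field')` alongside it keeps the intent readable if that default ever changes.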