Validate route params before making request (#8901)

Automattic · Jun 7, 2024 · bbdbafb · bbdbafb
1 parent a719ace
commit bbdbafb
Show file tree

Hide file tree

Showing 17 changed files with 56 additions and 26 deletions.
diff --git a/changelog/update-route-param-validation b/changelog/update-route-param-validation
@@ -0,0 +1,4 @@
+Significance: patch
+Type: dev
+
+Add validation for path variables.
diff --git a/includes/admin/class-wc-rest-payments-authorizations-controller.php b/includes/admin/class-wc-rest-payments-authorizations-controller.php
@@ -46,7 +46,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<payment_intent_id>\w+)',
+			'/' . $this->rest_base . '/(?P<payment_intent_id>(ch|pi|py)_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_authorization' ],

diff --git a/includes/admin/class-wc-rest-payments-charges-controller.php b/includes/admin/class-wc-rest-payments-charges-controller.php
@@ -28,7 +28,7 @@ class WC_REST_Payments_Charges_Controller extends WC_Payments_REST_Controller {
 	public function register_routes() {
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<charge_id>\w+)',
+			'/' . $this->rest_base . '/(?P<charge_id>ch_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_charge' ],
@@ -37,7 +37,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/order/(?P<order_id>\w+)',
+			'/' . $this->rest_base . '/order/(?P<order_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'generate_charge_from_order' ],

diff --git a/includes/admin/class-wc-rest-payments-customer-controller.php b/includes/admin/class-wc-rest-payments-customer-controller.php
@@ -49,7 +49,7 @@ public function __construct(
 	public function register_routes() {
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<customer_id>\w+)/payment_methods',
+			'/' . $this->rest_base . '/(?P<customer_id>[A-Za-z0-9_\-]+)/payment_methods',
 			[
 				[
 					'methods'             => WP_REST_Server::READABLE,

diff --git a/includes/admin/class-wc-rest-payments-deposits-controller.php b/includes/admin/class-wc-rest-payments-deposits-controller.php
@@ -55,7 +55,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<deposit_id>\w+)',
+			'/' . $this->rest_base . '/(?P<deposit_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_deposit' ],

diff --git a/includes/admin/class-wc-rest-payments-disputes-controller.php b/includes/admin/class-wc-rest-payments-disputes-controller.php
@@ -54,7 +54,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<dispute_id>\w+)',
+			'/' . $this->rest_base . '/(?P<dispute_id>(dp|dispute)_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_dispute' ],
@@ -63,7 +63,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<dispute_id>\w+)',
+			'/' . $this->rest_base . '/(?P<dispute_id>(dp|dispute)_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'update_dispute' ],
@@ -72,7 +72,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<dispute_id>\w+)/close',
+			'/' . $this->rest_base . '/(?P<dispute_id>(dp|dispute)_[A-Za-z0-9]+)/close',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'close_dispute' ],

diff --git a/includes/admin/class-wc-rest-payments-files-controller.php b/includes/admin/class-wc-rest-payments-files-controller.php
@@ -35,7 +35,7 @@ public function register_routes() {
 
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<file_id>\w+)/details',
+			'/' . $this->rest_base . '/(?P<file_id>[A-Za-z0-9_\-]+)/details',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_file_detail' ],
@@ -45,7 +45,7 @@ public function register_routes() {
 
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<file_id>\w+)/content',
+			'/' . $this->rest_base . '/(?P<file_id>[A-Za-z0-9_\-]+)/content',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_file_content' ],
@@ -55,7 +55,7 @@ public function register_routes() {
 
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<file_id>\w+)',
+			'/' . $this->rest_base . '/(?P<file_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_file' ],

diff --git a/includes/admin/class-wc-rest-payments-fraud-outcomes-controller.php b/includes/admin/class-wc-rest-payments-fraud-outcomes-controller.php
@@ -25,7 +25,7 @@ class WC_REST_Payments_Fraud_Outcomes_Controller extends WC_Payments_REST_Contro
 	public function register_routes() {
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<id>\w+)/latest',
+			'/' . $this->rest_base . '/(?P<id>[A-Za-z0-9_\-]+)/latest',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_latest_fraud_outcome' ],

diff --git a/includes/admin/class-wc-rest-payments-orders-controller.php b/includes/admin/class-wc-rest-payments-orders-controller.php
@@ -68,7 +68,7 @@ public function __construct( WC_Payments_API_Client $api_client, WC_Payment_Gate
 	public function register_routes() {
 		register_rest_route(
 			$this->namespace,
-			$this->rest_base . '/(?P<order_id>\w+)/capture_terminal_payment',
+			$this->rest_base . '/(?P<order_id>[A-Za-z0-9_\-]+)/capture_terminal_payment',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'capture_terminal_payment' ],
@@ -82,7 +82,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			$this->rest_base . '/(?P<order_id>\w+)/capture_authorization',
+			$this->rest_base . '/(?P<order_id>[A-Za-z0-9_\-]+)/capture_authorization',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'capture_authorization' ],
@@ -96,7 +96,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			$this->rest_base . '/(?P<order_id>\w+)/cancel_authorization',
+			$this->rest_base . '/(?P<order_id>[A-Za-z0-9_\-]+)/cancel_authorization',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'cancel_authorization' ],
@@ -110,7 +110,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			$this->rest_base . '/(?P<order_id>\w+)/create_terminal_intent',
+			$this->rest_base . '/(?P<order_id>[A-Za-z0-9_\-]+)/create_terminal_intent',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'create_terminal_intent' ],

diff --git a/includes/admin/class-wc-rest-payments-payment-intents-controller.php b/includes/admin/class-wc-rest-payments-payment-intents-controller.php
@@ -32,7 +32,7 @@ class WC_REST_Payments_Payment_Intents_Controller extends WC_Payments_REST_Contr
 	public function register_routes() {
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<payment_intent_id>\w+)',
+			'/' . $this->rest_base . '/(?P<payment_intent_id>(ch|pi|py)_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_payment_intent' ],

diff --git a/includes/admin/class-wc-rest-payments-reader-controller.php b/includes/admin/class-wc-rest-payments-reader-controller.php
@@ -114,7 +114,7 @@ public function register_routes() {
 
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/charges/(?P<transaction_id>\w+)',
+			'/' . $this->rest_base . '/charges/(?P<transaction_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_summary' ],
@@ -132,7 +132,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/receipts/(?P<payment_intent_id>\w+)',
+			'/' . $this->rest_base . '/receipts/(?P<payment_intent_id>(ch|pi|py)_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'generate_print_receipt' ],

diff --git a/includes/admin/class-wc-rest-payments-terminal-locations-controller.php b/includes/admin/class-wc-rest-payments-terminal-locations-controller.php
@@ -38,7 +38,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<location_id>\w+)',
+			'/' . $this->rest_base . '/(?P<location_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::DELETABLE,
 				'callback'            => [ $this, 'delete_location' ],
@@ -47,7 +47,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<location_id>\w+)',
+			'/' . $this->rest_base . '/(?P<location_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::CREATABLE,
 				'callback'            => [ $this, 'update_location' ],
@@ -66,7 +66,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<location_id>\w+)',
+			'/' . $this->rest_base . '/(?P<location_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_location' ],

diff --git a/includes/admin/class-wc-rest-payments-timeline-controller.php b/includes/admin/class-wc-rest-payments-timeline-controller.php
@@ -24,7 +24,7 @@ class WC_REST_Payments_Timeline_Controller extends WC_Payments_REST_Controller {
 	public function register_routes() {
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<intention_id>\w+)',
+			'/' . $this->rest_base . '/(?P<intention_id>(ch|pi|py)_[A-Za-z0-9]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_timeline' ],

diff --git a/includes/admin/class-wc-rest-payments-transactions-controller.php b/includes/admin/class-wc-rest-payments-transactions-controller.php
@@ -100,7 +100,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<transaction_id>\w+)',
+			'/' . $this->rest_base . '/(?P<transaction_id>[A-Za-z0-9_\-]+)',
 			[
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => [ $this, 'get_transaction' ],

diff --git a/includes/reports/class-wc-rest-payments-reports-authorizations-controller.php b/includes/reports/class-wc-rest-payments-reports-authorizations-controller.php
@@ -40,7 +40,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<id>\w+)',
+			'/' . $this->rest_base . '/(?P<id>[A-Za-z0-9_\-]+)',
 			[
 				[
 					'methods'             => WP_REST_Server::READABLE,

diff --git a/includes/reports/class-wc-rest-payments-reports-transactions-controller.php b/includes/reports/class-wc-rest-payments-reports-transactions-controller.php
@@ -39,7 +39,7 @@ public function register_routes() {
 		);
 		register_rest_route(
 			$this->namespace,
-			'/' . $this->rest_base . '/(?P<id>\w+)',
+			'/' . $this->rest_base . '/(?P<id>[A-Za-z0-9_\-]+)',
 			[
 				[
 					'methods'             => WP_REST_Server::READABLE,

diff --git a/includes/wc-payment-api/class-wc-payments-api-client.php b/includes/wc-payment-api/class-wc-payments-api-client.php
@@ -518,8 +518,17 @@ public function get_disputes( array $filters = [] ) {
 	 *
 	 * @param string $dispute_id id of requested dispute.
 	 * @return array dispute object.
+	 * @throws API_Exception - Exception thrown in case route validation fails.
 	 */
 	public function get_dispute( $dispute_id ) {
+		if ( ! preg_match( '/(dp|dispute)_[A-Za-z0-9]+/', $dispute_id ) ) {
+			throw new API_Exception(
+				__( 'Route param validation failed.', 'woocommerce-payments' ),
+				'wcpay_route_validation_failure',
+				400
+			);
+		}
+
 		$dispute = $this->request( [], self::DISPUTES_API . '/' . $dispute_id, self::GET );
 
 		if ( is_wp_error( $dispute ) ) {
@@ -726,8 +735,17 @@ public function create_token( $request ) {
 	 * @return array
 	 *
 	 * @throws Exception - Exception thrown on request failure.
+	 * @throws API_Exception - Exception thrown in case route validation fails.
 	 */
 	public function get_timeline( $id ) {
+		if ( ! preg_match( '/(ch|pi|py)_[A-Za-z0-9]+/', $id ) ) {
+			throw new API_Exception(
+				__( 'Route param validation failed.', 'woocommerce-payments' ),
+				'wcpay_route_validation_failure',
+				400
+			);
+		}
+
 		$timeline = $this->request( [], self::TIMELINE_API . '/' . $id, self::GET );
 
 		$has_fraud_outcome_event = false;
@@ -1199,6 +1217,14 @@ public function update_charge( string $charge_id, array $data = [] ) {
 	 * @throws API_Exception
 	 */
 	public function get_charge( string $charge_id ) {
+		if ( ! preg_match( '/(ch|pi|py)_[A-Za-z0-9]+/', $charge_id ) ) {
+			throw new API_Exception(
+				__( 'Route param validation failed.', 'woocommerce-payments' ),
+				'wcpay_route_validation_failure',
+				400
+			);
+		}
+
 		return $this->request(
 			[],
 			self::CHARGES_API . '/' . $charge_id,