Skip to content

Commit 3eec684

Browse files
pfefferlepfefferle
committed
Add sanitize_callback to REST API registration args
Added 'sanitize_callback' to the 'name', 'baseUrl', 'serverId', and 'publicKey' arguments in the REST API registration route to ensure input is properly sanitized. Updated handle_registration() to use sanitized parameters directly from the request, as sanitization is now handled by the route definition.
1 parent 59ea57c commit 3eec684

1 file changed

Lines changed: 22 additions & 18 deletions

File tree

includes/rest/class-fasp-controller.php

Lines changed: 22 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -64,25 +64,29 @@ public function register_routes() {
6464
'permission_callback' => array( $this, 'registration_permission_check' ),
6565
'args' => array(
6666
'name' => array(
67-
'required' => true,
68-
'type' => 'string',
69-
'description' => 'The name of the FASP.',
67+
'required' => true,
68+
'type' => 'string',
69+
'description' => 'The name of the FASP.',
70+
'sanitize_callback' => 'sanitize_text_field',
7071
),
7172
'baseUrl' => array(
72-
'required' => true,
73-
'type' => 'string',
74-
'format' => 'uri',
75-
'description' => 'The base URL of the FASP.',
73+
'required' => true,
74+
'type' => 'string',
75+
'format' => 'uri',
76+
'description' => 'The base URL of the FASP.',
77+
'sanitize_callback' => 'esc_url_raw',
7678
),
7779
'serverId' => array(
78-
'required' => true,
79-
'type' => 'string',
80-
'description' => 'The server ID generated by the FASP.',
80+
'required' => true,
81+
'type' => 'string',
82+
'description' => 'The server ID generated by the FASP.',
83+
'sanitize_callback' => 'sanitize_text_field',
8184
),
8285
'publicKey' => array(
83-
'required' => true,
84-
'type' => 'string',
85-
'description' => 'The FASP public key, base64 encoded.',
86+
'required' => true,
87+
'type' => 'string',
88+
'description' => 'The FASP public key, base64 encoded.',
89+
'sanitize_callback' => 'sanitize_text_field',
8690
),
8791
),
8892
),
@@ -200,22 +204,22 @@ private function sign_response( $response, $content ) { // phpcs:ignore Variable
200204
* @return \WP_REST_Response|\WP_Error The response or error.
201205
*/
202206
public function handle_registration( $request ) {
203-
$params = $request->get_json_params();
204207
// Use the Application user's existing RSA keypair instead of generating new keys.
205208
$blog_user_id = Actors::APPLICATION_USER_ID;
206209
$public_key = Actors::get_public_key( $blog_user_id );
207210

208211
// Generate unique FASP ID.
209212
$fasp_id = $this->generate_unique_id();
210213

211-
$fasp_public_key = \sanitize_text_field( $params['publicKey'] );
214+
// Parameters are already sanitized via sanitize_callback in register_routes().
215+
$fasp_public_key = $request->get_param( 'publicKey' );
212216

213217
// Store registration request (pending approval).
214218
$registration_data = array(
215219
'fasp_id' => $fasp_id,
216-
'name' => \sanitize_text_field( $params['name'] ),
217-
'base_url' => \esc_url_raw( $params['baseUrl'] ),
218-
'server_id' => \sanitize_text_field( $params['serverId'] ),
220+
'name' => $request->get_param( 'name' ),
221+
'base_url' => $request->get_param( 'baseUrl' ),
222+
'server_id' => $request->get_param( 'serverId' ),
219223
'fasp_public_key' => $fasp_public_key,
220224
'fasp_public_key_fingerprint' => Fasp::get_public_key_fingerprint( $fasp_public_key ),
221225
'server_public_key' => $public_key,

0 commit comments

Comments
 (0)