Skip to content

Improve validation and permission checks for WP_HTTP_Polling_Sync_Server #11296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chriszarate wants to merge 2 commits into
base: trunk
Choose a base branch
from
+70 −4
Open

Improve validation and permission checks for WP_HTTP_Polling_Sync_Server #11296

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
151e41f
Improve validation and permission checks for WP_HTTP_Polling_Sync_Server
chriszarate Mar 18, 2026
9d67764
Update qunit fixture
chriszarate Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 67 additions & 3 deletions src/wp-includes/collaboration/class-wp-http-polling-sync-server.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,30 @@ class WP_HTTP_Polling_Sync_Server {
*/
const COMPACTION_THRESHOLD = 50;

/**
* Maximum total size (in bytes) of the request body.
*
* @since 7.0.0
* @var int
*/
const MAX_BODY_SIZE = 16 * MB_IN_BYTES;

/**
* Maximum number of rooms allowed per request.
*
* @since 7.0.0
* @var int
*/
const MAX_ROOMS_PER_REQUEST = 50;

/**
* Maximum size (in bytes) of a single update data string.
*
* @since 7.0.0
* @var int
*/
const MAX_UPDATE_DATA_SIZE = MB_IN_BYTES;

/**
* Sync update type: compaction.
*
Expand Down Expand Up @@ -96,8 +120,9 @@ public function register_routes(): void {
$typed_update_args = array(
'properties' => array(
'data' => array(
'type' => 'string',
'required' => true,
'type' => 'string',
'required' => true,
'maxLength' => self::MAX_UPDATE_DATA_SIZE,
),
'type' => array(
'type' => 'string',
Expand Down Expand Up @@ -149,12 +174,14 @@ public function register_routes(): void {
'methods' => array( WP_REST_Server::CREATABLE ),
'callback' => array( $this, 'handle_request' ),
'permission_callback' => array( $this, 'check_permissions' ),
'validate_callback' => array( $this, 'validate_request' ),
Copy link
Member

@westonruter westonruter Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The presence of a validate_callback will prevent the input from being validated against the JSON Schema for the args, unfortunately. This is something which was pointed out to me by @deepaklalwani97 in #10966. See #10966 (comment).

I believe you'll need to explicitly validate against the schema in the validate_callback, as seen in that PR.

Copy link
Member

@westonruter westonruter Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe this is different since the validate_callback is added at the endpoint level instead of at the arg level? In any case, I wanted to flag it as something to be verified.

'args' => array(
'rooms' => array(
'items' => array(
'properties' => $room_args,
'type' => 'object',
),
'maxItems' => self::MAX_ROOMS_PER_REQUEST,
'required' => true,
'type' => 'array',
),
Expand Down Expand Up @@ -223,6 +250,30 @@ public function check_permissions( WP_REST_Request $request ) {
return true;
}

/**
* Validates that the request body does not exceed the maximum allowed size.
*
* Runs as the route-level validate_callback, after per-arg schema
* validation has already passed.
*
* @since 7.0.0
*
* @param WP_REST_Request $request The REST request.
* @return true|WP_Error True if valid, WP_Error if the body is too large.
*/
public function validate_request( WP_REST_Request $request ) {
$body = $request->get_body();
if ( is_string( $body ) && strlen( $body ) > self::MAX_BODY_SIZE ) {
return new WP_Error(
'rest_sync_body_too_large',
__( 'Request body is too large.' ),
array( 'status' => 413 )
);
}

return true;
}

/**
* Handles request: stores sync updates and awareness data, and returns
* updates the client is missing.
Expand Down Expand Up @@ -282,15 +333,28 @@ public function handle_request( WP_REST_Request $request ) {
* @return bool True if user has permission, otherwise false.
*/
private function can_user_sync_entity_type( string $entity_kind, string $entity_name, ?string $object_id ): bool {
if ( ! is_null( $object_id ) && ! is_numeric( $object_id ) ) {
// Object ID must be numeric if provided.
return false;
}

// Handle single post type entities with a defined object ID.
if ( 'postType' === $entity_kind && is_numeric( $object_id ) ) {
if ( get_post_type( $object_id ) !== $entity_name ) {
// Post is not of the specified post type.
return false;
}
return current_user_can( 'edit_post', (int) $object_id );
}

// Handle single taxonomy term entities with a defined object ID.
if ( 'taxonomy' === $entity_kind && is_numeric( $object_id ) ) {
if ( term_exists( (int) $object_id, $entity_name ) === false ) {
// Either term doesn't exist OR term is not in specified taxonomy.
return false;
}
$taxonomy = get_taxonomy( $entity_name );
return isset( $taxonomy->cap->assign_terms ) && current_user_can( $taxonomy->cap->assign_terms );
return current_user_can( 'edit_term', (int) $object_id );
}

// Handle single comment entities with a defined object ID.
Expand Down
4 changes: 3 additions & 1 deletion tests/qunit/fixtures/wp-api-generated.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12845,7 +12845,8 @@ mockedApiResponse.Schema = {
"properties": {
"data": {
"type": "string",
"required": true
"required": true,
"maxLength": 1048576
},
"type": {
"type": "string",
Expand All @@ -12868,6 +12869,7 @@ mockedApiResponse.Schema = {
},
"type": "object"
},
"maxItems": 50,
"type": "array",
"required": true
}
Expand Down
Loading