Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#11296
Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#11296chriszarate wants to merge 11 commits intoWordPress:trunkfrom
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
8d50677 to
5c5e67b
Compare
|
|
||
| // Handle single post type entities with a defined object ID. | ||
| if ( 'postType' === $entity_kind && is_numeric( $object_id ) ) { | ||
| if ( get_post_type( $object_id ) !== $entity_name ) { |
There was a problem hiding this comment.
I noticed a type issue here:
I've added 7fd0372 to improve this. With this change, $object_id is guaranteed to be int<1, max>|null.
src/wp-includes/collaboration/class-wp-http-polling-sync-server.php
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
Hardens the WP_HTTP_Polling_Sync_Server REST endpoint (/wp-sync/v1/updates) by tightening request validation limits and strengthening permission checks to better protect collaboration sync operations.
Changes:
- Add route-level request body size validation plus schema constraints (
maxItemsfor rooms,maxLengthfor update data). - Harden entity permission checks for object-scoped rooms (post type matching, term/comment checks).
- Add PHPUnit coverage for new schema/route validation behavior (type/enum/required fields, maxItems/maxLength, oversized body).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
tests/phpunit/tests/rest-api/rest-sync-server.php |
Adds REST validation tests for schema enforcement and oversized body rejection. |
src/wp-includes/collaboration/class-wp-http-polling-sync-server.php |
Introduces new size/limit constants, route-level validation callback, and tighter per-entity permission checks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /** | ||
| * Maximum size (in bytes) of a single update data string. | ||
| * | ||
| * @since 7.0.0 | ||
| * @var int | ||
| */ | ||
| const MAX_UPDATE_DATA_SIZE = MB_IN_BYTES; |
There was a problem hiding this comment.
MAX_UPDATE_DATA_SIZE is documented as a size "in bytes", but it's currently enforced via the REST schema's maxLength (character count). If this is intended to limit the encoded string length, consider updating the docblock wording to avoid implying decoded byte size enforcement.
src/wp-includes/collaboration/class-wp-http-polling-sync-server.php
Outdated
Show resolved
Hide resolved
ebab9ea to
9dd286b
Compare
Add targeted REST tests for permission checks in can_user_sync_entity_type() that previously lacked coverage: - Malformed object ID (non-numeric string like "1abc") rejected - Zero object ID rejected - Post type mismatch (e.g. postType/page for a post) rejected - Valid taxonomy term sync allowed - Non-existent taxonomy term rejected - Taxonomy term in wrong taxonomy rejected - Valid comment sync allowed - Non-existent comment rejected - Non-existent post type collection rejected
| 'required' => true, | ||
| 'type' => 'string', | ||
| 'required' => true, | ||
| 'maxLength' => self::MAX_UPDATE_DATA_SIZE, |
There was a problem hiding this comment.
@dd32 noted in slack that large content updates can be made via the code editor. Is there a way that can be handled, even if it's just to replace the content with the code edited version if it's too large.
There was a problem hiding this comment.
The code editor targets post_content which is represented as a Y.Text data type in the Yjs document. Updates to this field are diffed and only the delta is transmitted as an update. It should not approach the MAX_UPDATE_DATA_SIZE except in extreme edge cases (e.g., instantly replacing a 1+ MB document with a completely different 1+ MB document).
You can follow the diffing logic here:
https://github.com/WordPress/gutenberg/blob/ccc474379718969f48c3ab0153b43d1e26b4ef51/packages/core-data/src/utils/crdt-blocks.ts#L645
…g_Sync_Server Backport of WordPress/wordpress-develop#11296. Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation and permission checks: - Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants - Add maxLength constraint for update data strings - Add maxItems constraint for rooms per request - Add route-level validate_callback for request body size - Improve can_user_sync_entity_type() to use ctype_digit() for object ID validation, verify post type matches, validate taxonomy terms exist in the correct taxonomy, and reject zero/negative object IDs - Add comprehensive test coverage for new validation and permission checks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ng_Sync_Server` (#76987) * Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server Backport of WordPress/wordpress-develop#11296. Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation and permission checks: - Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants - Add maxLength constraint for update data strings - Add maxItems constraint for rooms per request - Add route-level validate_callback for request body size - Improve can_user_sync_entity_type() to use ctype_digit() for object ID validation, verify post type matches, validate taxonomy terms exist in the correct taxonomy, and reject zero/negative object IDs - Add comprehensive test coverage for new validation and permission checks * Add backport changelog --------- Co-authored-by: chriszarate <czarate@git.wordpress.org> Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org>
…ng_Sync_Server` (#76987) * Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server Backport of WordPress/wordpress-develop#11296. Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation and permission checks: - Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants - Add maxLength constraint for update data strings - Add maxItems constraint for rooms per request - Add route-level validate_callback for request body size - Improve can_user_sync_entity_type() to use ctype_digit() for object ID validation, verify post type matches, validate taxonomy terms exist in the correct taxonomy, and reject zero/negative object IDs - Add comprehensive test coverage for new validation and permission checks * Add backport changelog --------- Co-authored-by: chriszarate <czarate@git.wordpress.org> Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org>
…ng_Sync_Server` (#76987) * Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server Backport of WordPress/wordpress-develop#11296. Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation and permission checks: - Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants - Add maxLength constraint for update data strings - Add maxItems constraint for rooms per request - Add route-level validate_callback for request body size - Improve can_user_sync_entity_type() to use ctype_digit() for object ID validation, verify post type matches, validate taxonomy terms exist in the correct taxonomy, and reject zero/negative object IDs - Add comprehensive test coverage for new validation and permission checks * Add backport changelog --------- Co-authored-by: chriszarate <czarate@git.wordpress.org> Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org> Source: WordPress/gutenberg@1be2ef2
…ng_Sync_Server` (#76987) * Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server Backport of WordPress/wordpress-develop#11296. Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation and permission checks: - Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants - Add maxLength constraint for update data strings - Add maxItems constraint for rooms per request - Add route-level validate_callback for request body size - Improve can_user_sync_entity_type() to use ctype_digit() for object ID validation, verify post type matches, validate taxonomy terms exist in the correct taxonomy, and reject zero/negative object IDs - Add comprehensive test coverage for new validation and permission checks * Add backport changelog --------- Co-authored-by: chriszarate <czarate@git.wordpress.org> Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org> Source: WordPress/gutenberg@cd91928
Harden
WP_HTTP_Polling_Sync_Serverendpoints to add additional validation and permission checks.Props @peterwilsoncc for contributions
Trac ticket: https://core.trac.wordpress.org/ticket/64890