From a6fb397a1a669cdebaeb1b40bc0e80417443b194 Mon Sep 17 00:00:00 2001
From: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date: Thu, 17 Feb 2022 08:51:21 -0800
Subject: [PATCH] Protect REST API v1 and v2 from a category of accidental deletion, where the supplied product ID is invalid.
---
 ...-wc-rest-product-reviews-v1-controller.php | 5 +++++
 ...st-product-reviews-v1-controller-tests.php | 20 +++++++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php b/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php
index 38cd1cef416..166c6baa476 100644
--- a/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php
+++ b/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php
@@ -365,9 +365,14 @@ class WC_REST_Product_Reviews_V1_Controller extends WC_REST_Controller {
 * @return bool|WP_Error|WP_REST_Response
 */
 public function delete_item( $request ) {
+ $product_id = (int) $request['product_id'];
 $product_review_id = (int) $request['id'];
 $force = isset( $request['force'] ) ? (bool) $request['force'] : false;
 
+ if ( 'product' !== get_post_type( $product_id ) ) {
+ return new WP_Error( 'woocommerce_rest_product_invalid_id', __( 'Invalid product ID.', 'woocommerce' ), array( 'status' => 404 ) );
+ }
+
 $product_review = get_comment( $product_review_id );
 if ( empty( $product_review_id ) || empty( $product_review->comment_ID ) || empty( $product_review->comment_post_ID ) ) {
 return new WP_Error( 'woocommerce_rest_product_review_invalid_id', __( 'Invalid product review ID.', 'woocommerce' ), array( 'status' => 404 ) );
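Review bot: The new guard in delete_item only confirms that `$product_id` refers to a product; nothing in the hunk checks that the review actually belongs to that product, so a valid review ID paired with a different but existing product ID still reaches the deletion path unless a comparison exists further down in delete_item, which continues outside the hunk. The existing check already reads `$product_review->comment_post_ID`, so an ownership check fits directly after it: `if ( (int) $product_review->comment_post_ID !== $product_id ) { return new WP_Error( 'woocommerce_rest_product_review_invalid_id', __( 'Invalid product review ID.', 'woocommerce' ), array( 'status' => 404 ) ); }`. The subject line also names the v2 controller, but the diffstat lists only the v1 controller and its tests, so that half of the stated fix does not appear in this patch.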
diff --git a/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php b/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php
index 529fbfdea12..f175fcfcea1 100644
--- a/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php
+++ b/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php
@@ -105,21 +105,33 @@ class WC_REST_Product_Reviews_V1_Controller_Tests extends WC_Unit_Test_Case {
 * @testdox Ensure attempts to delete product reviews are checked for user permissions.
 */
 public function test_permissions_for_deleting_product_reviews() {
- $request = new WP_REST_Request( 'DELETE', '/wc/v1/products/123456789/reviews/' . $this->review_id );
- $request->set_param( 'id', $this->review_id );
+ $api_request = new WP_REST_Request( 'DELETE', '/wc/v1/products/' . $this->product_id . '/reviews/' . $this->review_id );
+ $api_request->set_param( 'product_id', $this->product_id );
+ $api_request->set_param( 'id', $this->review_id );
 
 wp_set_current_user( $this->editor_id );
 $this->assertEquals(
 'woocommerce_rest_cannot_delete',
- $this->sut->delete_item_permissions_check( $request )->get_error_code(),
+ $this->sut->delete_item_permissions_check( $api_request )->get_error_code(),
 'A user lacking edit_comment permissions (such as an editor) cannot delete a product review.'
 );
 
 wp_set_current_user( $this->shop_manager_id );
 $this->assertTrue(
- $this->sut->delete_item_permissions_check( $request ),
+ $this->sut->delete_item_permissions_check( $api_request ),
 'A user (such as a shop manager) who has the edit_comment permission can delete a product review.'
 );
+
+ $nonexistent_product_id = $this->product_id * 10;
+ $api_request = new WP_REST_Request( 'DELETE', '/wc/v1/products/' . $nonexistent_product_id . '/reviews/' . $this->review_id );
+ $api_request->set_param( 'product_id', $nonexistent_product_id );
+ $api_request->set_param( 'id', $this->review_id );
+
+ $this->assertEquals(
+ 'woocommerce_rest_product_invalid_id',
+ $this->sut->delete_item( $api_request )->get_error_code(),
+ 'Attempts to delete reviews for non-existent products are rejected, even if the review ID is valid.'
+ );
 }
 
 /**
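Review bot: The new assertion at the end of test_permissions_for_deleting_product_reviews checks only the returned error code, not that the review survived the rejected request, which is the accidental deletion the commit is meant to prevent; adding `$this->assertNotNull( get_comment( $this->review_id ), 'A rejected delete must leave the review in place.' );` after the assertEquals pins that outcome. `$this->product_id * 10` is also not guaranteed to be a non-existent post ID once other fixtures share the database; asserting `$this->assertNull( get_post( $nonexistent_product_id ) );` before building the request, or using an ID far outside any fixture range as the removed line did with 123456789, makes the precondition explicit. Finally, this scenario exercises input validation in delete_item rather than the permissions check the @testdox describes, so it reads better as a separate test method with its own @testdox line.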