* Add late escaping to `add_query_arg()` call in MiniCart.

* Add escaping to `add_query_arg()` call in AssetsController.

* Add escaping to `add_query_arg()` calls in StoreAPI pagination utils.

* Add ignore line to file require - OK.

* Minor update to grammar in code comment.
Daniel W. Robert 2023-04-25 21:41:26 -04:00 committed by GitHub
parent 96bd0432cd
commit aa219a1aa1
4 changed files with 13 additions and 9 deletions


@ -95,6 +95,8 @@ class Api {
);
if ( file_exists( $asset_path ) ) {
// The following require is safe because we are checking if the file exists and it is not a user input.
// nosemgrep audit.php.lang.security.file.inclusion-arg.
$asset = require $asset_path;
$dependencies = isset( $asset['dependencies'] ) ? array_merge( $asset['dependencies'], $dependencies ) : $dependencies;
$version = ! empty( $asset['version'] ) ? $asset['version'] : $this->get_file_version( $relative_src );
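Review bot: The added justification "it is not a user input" is only as strong as the construction of `$asset_path`, which is outside this hunk, and the guard on the line above it is `file_exists()`, which also returns true for a directory and says nothing about readability, so a `require` can still fatal. I would tighten the guard to `if ( is_file( $asset_path ) ) {` and make the suppression comment state the invariant it depends on rather than the check: `// Safe to require: $asset_path is built from the plugin's own build directory and a developer-supplied relative path; it must never be derived from request data.` The surrounding method starts before this hunk, so the caller-side guarantee cannot be confirmed from here.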


@ -182,7 +182,7 @@ final class AssetsController {
$this->api->get_block_asset_build_path( $filename )
);
$resources = array_merge(
[ add_query_arg( 'ver', $script_data['version'], $script_data['src'] ) ],
[ esc_url( add_query_arg( 'ver', $script_data['version'], $script_data['src'] ) ) ],
$this->get_script_dependency_src_array( $script_data['dependencies'] )
);
return array_map(
@ -208,7 +208,7 @@ final class AssetsController {
$dependencies,
function( $src, $handle ) use ( $wp_scripts ) {
if ( isset( $wp_scripts->registered[ $handle ] ) ) {
$src[] = add_query_arg( 'ver', $wp_scripts->registered[ $handle ]->ver, $this->get_absolute_url( $wp_scripts->registered[ $handle ]->src ) );
$src[] = esc_url( add_query_arg( 'ver', $wp_scripts->registered[ $handle ]->ver, $this->get_absolute_url( $wp_scripts->registered[ $handle ]->src ) ) );
$src = array_merge( $src, $this->get_script_dependency_src_array( $wp_scripts->registered[ $handle ]->deps ) );
}
return $src;
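Review bot: `esc_url()` is an HTML-output escaper; it entity-encodes `&` to `&#038;`, so applying it on lines 34 and 43 while the URLs are still being collected into `$resources`/`$src` commits these values to an HTML context before the consumer is known. If the returned array is handed to a WordPress resource-hints filter or printed into a `Link` header or script data (not visible here; the `array_map` on line 37 continues past the hunk), the encoded ampersand corrupts the `?ver=` query string or is escaped a second time by core. The commit title calls the MiniCart change "late escaping"; the same principle argues for `esc_url_raw()` at this collection point, `[ esc_url_raw( add_query_arg( 'ver', $script_data['version'], $script_data['src'] ) ) ],`, with `esc_url()` reserved for the line that actually echoes into HTML.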


@ -181,12 +181,14 @@ class MiniCart extends AbstractBlock {
);
}
$template_part_edit_uri = add_query_arg(
array(
'postId' => sprintf( '%s//%s', $theme_slug, 'mini-cart' ),
'postType' => 'wp_template_part',
),
$site_editor_uri
$template_part_edit_uri = esc_url(
add_query_arg(
array(
'postId' => sprintf( '%s//%s', $theme_slug, 'mini-cart' ),
'postType' => 'wp_template_part',
),
$site_editor_uri
)
);
}
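Review bot: The `esc_url()` wrapper on line 59 produces `&#038;` between the `postId` and `postType` query parameters, so the resulting `$template_part_edit_uri` is only correct if it is echoed directly into HTML; if it is instead passed to script/asset data for JavaScript, a redirect, or a REST response, the entity-encoded ampersand breaks the link. How the variable is consumed is outside this hunk (the enclosing method continues past line 68), so this should be confirmed; if the value is not printed straight into markup, use `esc_url_raw(` here and escape at the output site instead. The `$theme_slug` interpolated into `postId` comes from the theme rather than the request as far as this hunk shows, so the escaping is a defence-in-depth measure rather than a fix for a concrete injection.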


@ -54,7 +54,7 @@ class Pagination {
* @return string
*/
protected function get_link_base( $request ) {
return add_query_arg( $request->get_query_params(), rest_url( $request->get_route() ) );
return esc_url( add_query_arg( $request->get_query_params(), rest_url( $request->get_route() ) ) );
}
/**
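Review bot: `get_link_base()` reflects the caller's own query parameters (`$request->get_query_params()`, untrusted input) into a URL that, judging by the method name and the Pagination class, is emitted in HTTP `Link` response headers rather than into HTML; `esc_url()` entity-encodes every `&` as `&#038;`, so any request with two or more query parameters will produce `next`/`prev` links that no longer round-trip. The sanitisation benefit (stripping disallowed characters and protocols) is available without the HTML encoding from `esc_url_raw()`: `return esc_url_raw( add_query_arg( $request->get_query_params(), rest_url( $request->get_route() ) ) );`. Where the base is consumed is not visible in this hunk, so verify the output context before changing it; if it ever is printed into markup, escape at that print site.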