Improve security while processing AJAX requests in Admin Panel

changelog.txt

@@ -1,4 +1,7 @@
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons. 
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.

changes.md

@@ -1,3 +1,6 @@
+#### 3.4.1
+FIX - improve security while processing AJAX requests in Admin Panel
+
 #### 3.4.0
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons. 
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.

lib/classes/class-ajax.php

@@ -48,6 +48,8 @@ public function __construct() {
        * @author peshkov@UD
        */
       public function request() {
+        check_ajax_referer('sm_inline_sync');
+
         global $doing_manual_sync;
 
         $response = array(

lib/classes/class-bootstrap.php

@@ -1216,6 +1216,9 @@ public function admin_init() {
 
         /* Attachment or upload page */
         wp_register_script('wp-stateless-uploads-js', $this->path('static/scripts/wp-stateless-uploads.js', 'url'), array('jquery'), self::$version);
+        wp_localize_script('wp-stateless-uploads-js', 'stateless_upload', [
+          'inline_sync_nonce' => wp_create_nonce('sm_inline_sync'),
+        ]);
 
         /* Setup wizard styles. */
         wp_register_style('wp-stateless-setup-wizard', $this->path('static/styles/wp-stateless-setup-wizard.css', 'url'), array(), self::$version);

lib/classes/class-errors.php

@@ -181,7 +181,10 @@ public function admin_notices() {
         wp_localize_script( "ud-dismiss", "_ud_vars", array(
             "ajaxurl" => admin_url( 'admin-ajax.php' ),
         ) );
-
+        wp_localize_script( "sateless-error-notice-js", "stateless_error_notice_vars", array(
+          "dismiss_nonce" => wp_create_nonce( 'stateless_notice_dismiss' ),
+          "enable_action_nonce" => wp_create_nonce( 'stateless_enable_notice_button_action' ),
+        ) );
 
         //** Don't show the message if the user has no enough permissions. */
         if ( ! function_exists( 'wp_get_current_user' ) ) {
@@ -248,20 +251,24 @@ public function admin_notices() {
        * dismiss the notice ajax callback
        * @throws \Exception
        */
-      public function dismiss_notices(){
+      public function dismiss_notices() {
+        check_ajax_referer('stateless_notice_dismiss');
+
         $response = array(
           'success' => '0',
           'error' => __( 'There was an error in request.', $this->domain ),
         );
+
         $error = false;
 
-        if( empty($_POST['key']) && strpos($_POST['key'], 'dismissed_notice_') !== false ) {
+        $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+        if ( strpos($option_key, 'dismissed_') !== 0 ) {
           $response['error'] = __( 'Invalid key', $this->domain );
           $error = true;
         }
-        else {
-          $option_key = sanitize_key($_POST['key']);
-          update_option( $option_key, time() );
+
+        if ( !$error && update_option( $option_key, time() ) ) {
           $response['success'] = '1';
           $response['error'] = null;
         }
@@ -274,6 +281,8 @@ public function dismiss_notices(){
        * @throws \Exception
        */
       public function stateless_enable_notice_button_action(){
+        check_ajax_referer('stateless_enable_notice_button_action');
+
         $response = array(
           'success' => '1',
         );

readme.txt

@@ -5,8 +5,8 @@ Tags: google, google cloud, google cloud storage, cdn, uploads, media, stateless
 License: GPLv2 or later
 Requires PHP: 8.0
 Requires at least: 5.0
-Tested up to: 6.4.2
-Stable tag: 3.4.0
+Tested up to: 6.4.3
+Stable tag: 3.4.1
 
 Upload and serve your WordPress media files from Google Cloud Storage.
 
@@ -112,6 +112,9 @@ Before upgrading to WP-Stateless 3.2.0, please, make sure you use PHP 7.2 or abo
 Before upgrading to WP-Stateless 3.0, please, make sure you tested it on your development environment.
 
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons. 
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.

static/scripts/error-notice.js

@@ -15,6 +15,7 @@ jQuery( document ).ready( function ($) {
     var data = {
       action: 'stateless_enable_notice_button_action',
       key: _this.data('key'),
+      _ajax_nonce: stateless_error_notice_vars.enable_action_nonce ?? '',
     }
 
     jQuery.post( ajaxurl, data, function ( result_data ) {
@@ -41,6 +42,7 @@ jQuery( document ).ready( function ($) {
     var data = {
       action: 'stateless_notice_dismiss',
       key: _this.data('key'),
+      _ajax_nonce: stateless_error_notice_vars.dismiss_nonce ?? '',
     }
 
     jQuery.post( ajaxurl, data, function ( result_data ) {

static/scripts/wp-stateless-uploads.js

@@ -19,7 +19,8 @@ jQuery(document).ready(function(){
         data: {
           action: that.data('type') == 'image' ? "stateless_process_image" : "stateless_process_file",
           id: that.data('id'),
-          size: that.data('size')
+          size: that.data('size'),
+          _ajax_nonce: stateless_upload.inline_sync_nonce ?? '',
         }
       })
       .done(function( response ) {

wp-stateless-media.php

@@ -4,7 +4,7 @@
  * Plugin URI: https://stateless.udx.io/
  * Description: Upload and serve your WordPress media files from Google Cloud Storage.
  * Author: UDX
- * Version: 3.4.0
+ * Version: 3.4.1
  * Text Domain: stateless-media
  * Author URI: https://www.udx.io
  *