Fixes XSS vuln.

Pierre-Lannoy · Dec 11, 2024 · 68d9cf6 · 68d9cf6
1 parent 7de55b3
commit 68d9cf6
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 All notable changes to **Traffic** are documented in this *changelog*.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **Traffic** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [3.1.2] - 2024-12-11
+
+### Fixed
+- [SEC005] XSS vulnerability.
 
 ## [3.1.1] - 2024-11-23
 

diff --git a/includes/features/class-analyticsfactory.php b/includes/features/class-analyticsfactory.php
@@ -35,6 +35,14 @@ class AnalyticsFactory {
 	 */
 	private static $allowed_types = [ 'domain', 'domains', 'authority', 'authorities', 'endpoint', 'endpoints' ];
 
+	/**
+	 * Allowed extras.
+	 *
+	 * @since  1.0.0
+	 * @var    array    $allowed_extras    Maintain the allowed extra views.
+	 */
+	private static $allowed_extras = [ 'codes', 'schemes', 'methods', 'countries' ];
+
 	/**
 	 * Ajax callback.
 	 *
@@ -63,18 +71,20 @@ public static function get_analytics( $reload = false ) {
 		if ( empty( $id ) ) {
 			$id = '';
 		}
+		$id = str_replace( ['http://', 'https://'], '', sanitize_url( $id ) );
 		// Domain.
 		if ( ! ( $domain = filter_input( INPUT_GET, 'domain' ) ) ) {
 			$domain = filter_input( INPUT_POST, 'domain' );
 		}
 		if ( empty( $domain ) ) {
 			$domain = '';
 		}
+		$domain = str_replace( ['http://', 'https://'], '', sanitize_url( $domain ) );
 		// Extra>.
 		if ( ! ( $extra = filter_input( INPUT_GET, 'extra' ) ) ) {
 			$extra = filter_input( INPUT_POST, 'extra' );
 		}
-		if ( empty( $extra ) ) {
+		if ( empty( $extra ) || ! in_array( $extra, self::$allowed_extras ) ) {
 			$extra = '';
 		}
 		// Analytics type.

diff --git a/init.php b/init.php
@@ -12,7 +12,7 @@
 define( 'TRAFFIC_PRODUCT_SHORTNAME', 'Traffic' );
 define( 'TRAFFIC_PRODUCT_ABBREVIATION', 'traffic' );
 define( 'TRAFFIC_SLUG', 'traffic' );
-define( 'TRAFFIC_VERSION', '3.1.1' );
+define( 'TRAFFIC_VERSION', '3.1.2' );
 define( 'TRAFFIC_API_VERSION', '2' );
 define( 'TRAFFIC_CODENAME', '"-"' );
 

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Tags: api, analytics, reports, rest-api, statistics
 Requires at least: 6.2
 Requires PHP: 8.1
 Tested up to: 6.7
-Stable tag: 3.1.1
+Stable tag: 3.1.2
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 

diff --git a/traffic.php b/traffic.php
@@ -10,7 +10,7 @@
  * Plugin Name:       Traffic
  * Plugin URI:        https://perfops.one/traffic
  * Description:       Full featured monitoring & analytics for WordPress APIs.
- * Version:           3.1.1
+ * Version:           3.1.2
  * Requires at least: 6.2
  * Requires PHP:      8.1
  * Author:            Pierre Lannoy / PerfOps One