From 727492e48c2f6309bae7e6e436bb4eb8ec0a8cea Mon Sep 17 00:00:00 2001
From: "Alex P."
Date: Wed, 16 Jul 2025 08:01:41 +0300
Subject: [PATCH] Fix nonce ignoring
---
 modules/ppcp-axo/src/Gateway/AxoGateway.php | 8 ++++----
 .../src/Endpoint/CartScriptParamsEndpoint.php | 3 ++-
 modules/ppcp-button/src/Helper/ContextTrait.php | 13 ++++++++-----
 modules/ppcp-compat/src/AdminContextTrait.php | 3 ++-
 .../ppcp-compat/src/PPEC/SubscriptionsHandler.php | 11 +++++------
 .../src/TrackingAvailabilityTrait.php | 3 ++-
 .../src/PayPalSubscriptionsModule.php | 2 ++
 .../src/SavePaymentMethodsModule.php | 3 ++-
 modules/ppcp-vaulting/src/VaultingModule.php | 1 +
 .../PayUponInvoice/PayUponInvoiceGateway.php | 5 ++---
 10 files changed, 30 insertions(+), 22 deletions(-)
diff --git a/modules/ppcp-axo/src/Gateway/AxoGateway.php b/modules/ppcp-axo/src/Gateway/AxoGateway.php
index 445f41380..0322431a9 100644
--- a/modules/ppcp-axo/src/Gateway/AxoGateway.php
+++ b/modules/ppcp-axo/src/Gateway/AxoGateway.php
@@ -264,9 +264,9 @@ class AxoGateway extends WC_Payment_Gateway {
 );
 }
- // phpcs:ignore WordPress.Security.NonceVerification.Missing
- $axo_nonce = wc_clean( wp_unslash( $_POST['axo_nonce'] ?? '' ) );
- // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ // phpcs:disable WordPress.Security.NonceVerification
+
+ $axo_nonce = wc_clean( wp_unslash( $_POST['axo_nonce'] ?? '' ) );
 $token_param = wc_clean( wp_unslash( $_GET['token'] ?? '' ) );
 if ( empty( $axo_nonce ) && ! empty( $token_param ) ) {
@@ -274,7 +274,6 @@ class AxoGateway extends WC_Payment_Gateway {
 }
 try {
- // phpcs:ignore WordPress.Security.NonceVerification.Missing
 $fastlane_member = wc_clean( wp_unslash( $_POST['fastlane_member'] ?? '' ) );
 if ( $fastlane_member ) {
 $payment_method_title = __( 'Debit & Credit Cards (via Fastlane by PayPal)', 'woocommerce-paypal-payments' );
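Review bot: The `phpcs:disable WordPress.Security.NonceVerification` added before `$axo_nonce` (new line 267) is only closed by the `phpcs:enable` that the `@@ -341` hunk puts after the final `return array( … )` (new line 343), so the sniff is switched off for the whole remainder of `process_payment` rather than for the three `$_POST`/`$_GET` reads it is meant to cover, and any superglobal read added to the method later will go unflagged. The narrower form is the one this same commit uses in the other files: `// phpcs:ignore WordPress.Security.NonceVerification` directly above `$axo_nonce = …`, `$token_param = …` and `$fastlane_member = …`, with no `disable`/`enable` pair. If the block form is kept, the `enable` should follow the last superglobal read instead of the `return`. `process_payment` starts and ends outside these hunks and the lines between `@@ -274` and `@@ -341` are not shown, so the actual last read cannot be confirmed from here.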
@@ -341,6 +340,7 @@ class AxoGateway extends WC_Payment_Gateway {
 'result' => 'success',
 'redirect' => $this->get_return_url( $wc_order ),
 );
+ // phpcs:enable WordPress.Security.NonceVerification
 }
 /**
diff --git a/modules/ppcp-button/src/Endpoint/CartScriptParamsEndpoint.php b/modules/ppcp-button/src/Endpoint/CartScriptParamsEndpoint.php
index 553afef20..2f6bc375d 100644
--- a/modules/ppcp-button/src/Endpoint/CartScriptParamsEndpoint.php
+++ b/modules/ppcp-button/src/Endpoint/CartScriptParamsEndpoint.php
@@ -76,7 +76,8 @@ class CartScriptParamsEndpoint implements EndpointInterface {
 wc_maybe_define_constant( 'WOOCOMMERCE_CART', true );
 }
- $include_shipping = (bool) wc_clean( wp_unslash( $_GET['shipping'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ $include_shipping = (bool) wc_clean( wp_unslash( $_GET['shipping'] ?? '' ) );
 $script_data = $this->smart_button->script_data();
 if ( ! $script_data ) {
diff --git a/modules/ppcp-button/src/Helper/ContextTrait.php b/modules/ppcp-button/src/Helper/ContextTrait.php
index 122908b36..cb96143b6 100644
--- a/modules/ppcp-button/src/Helper/ContextTrait.php
+++ b/modules/ppcp-button/src/Helper/ContextTrait.php
@@ -301,8 +301,9 @@ trait ContextTrait {
 * @return bool
 */
 private function is_subscription_change_payment_method_page(): bool {
- if ( isset( $_GET['change_payment_method'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
- return wcs_is_subscription( wc_clean( wp_unslash( $_GET['change_payment_method'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification
+ // phpcs:disable WordPress.Security.NonceVerification
+ if ( isset( $_GET['change_payment_method'] ) ) {
+ return wcs_is_subscription( wc_clean( wp_unslash( $_GET['change_payment_method'] ) ) );
 }
 return false;
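Review bot: The `phpcs:disable WordPress.Security.NonceVerification` added at the top of `is_subscription_change_payment_method_page()` has no matching `phpcs:enable` in this hunk, so it stays in force through everything between this method and the `phpcs:enable` that the `@@ -325` hunk adds inside `is_wc_settings_payments_tab()`; the second `phpcs:disable` in that hunk is therefore redundant, and the sniff is silently off for the lines in between that the diff does not show. Either add `// phpcs:enable WordPress.Security.NonceVerification` before the `return false;` here, or drop the block form in this method and put `// phpcs:ignore WordPress.Security.NonceVerification` above the `if ( isset( $_GET['change_payment_method'] ) ) {` line and the `return wcs_is_subscription( … )` line, as the commit does in the other files.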
@@ -325,12 +326,14 @@ trait ContextTrait {
 * @return bool
 */
 protected function is_wc_settings_payments_tab(): bool {
- if ( ! is_admin() || isset( $_GET['section'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
+ // phpcs:disable WordPress.Security.NonceVerification
+ if ( ! is_admin() || isset( $_GET['section'] ) ) {
 return false;
 }
- $page = wc_clean( wp_unslash( $_GET['page'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification
- $tab = wc_clean( wp_unslash( $_GET['tab'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification
+ $page = wc_clean( wp_unslash( $_GET['page'] ?? '' ) );
+ $tab = wc_clean( wp_unslash( $_GET['tab'] ?? '' ) );
+ // phpcs:enable WordPress.Security.NonceVerification
 return $page === 'wc-settings' && $tab === 'checkout';
 }
diff --git a/modules/ppcp-compat/src/AdminContextTrait.php b/modules/ppcp-compat/src/AdminContextTrait.php
index ed5583774..caaafb69a 100644
--- a/modules/ppcp-compat/src/AdminContextTrait.php
+++ b/modules/ppcp-compat/src/AdminContextTrait.php
@@ -20,7 +20,8 @@ trait AdminContextTrait {
 * @return bool
 */
 private function is_paypal_order_edit_page(): bool {
- $post_id = wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ // phpcs:ignore WordPress.Security.NonceVerification
+ $post_id = wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) );
 if ( ! $post_id ) {
 return false;
 }
diff --git a/modules/ppcp-compat/src/PPEC/SubscriptionsHandler.php b/modules/ppcp-compat/src/PPEC/SubscriptionsHandler.php
index 217374007..640ab607f 100644
--- a/modules/ppcp-compat/src/PPEC/SubscriptionsHandler.php
+++ b/modules/ppcp-compat/src/PPEC/SubscriptionsHandler.php
@@ -150,6 +150,8 @@ class SubscriptionsHandler {
 return true;
 }
+ // phpcs:disable WordPress.Security.NonceVerification
+
 // Checks that require Subscriptions.
 if ( class_exists( \WC_Subscriptions::class ) ) {
 // My Account > Subscriptions > (Subscription).
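Review bot: The `phpcs:disable WordPress.Security.NonceVerification` added after `return true;` is never re-enabled in any of this file's hunks (`@@ -160`, `@@ -185` and `@@ -199` only remove per-line ignores), so unless an `enable` exists outside the shown hunks the sniff stays off for the rest of SubscriptionsHandler.php, not just for the `$_GET`/`$_POST` reads of this method. Add `// phpcs:enable WordPress.Security.NonceVerification` after the last superglobal read, which in the shown hunks is the `$post_type_or_page = … : wc_clean( wp_unslash( $_GET['post_type'] ?? $_POST['post_type'] ?? '' ) );` statement in `@@ -199`, or after the method's closing brace if further reads follow it. The enclosing method starts before `@@ -150` and continues past `@@ -199`, so the true last read may lie outside the diff.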
@@ -160,15 +162,15 @@ class SubscriptionsHandler {
 }
 // Changing payment method?
- if ( is_wc_endpoint_url( 'order-pay' ) && isset( $_GET['change_payment_method'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ if ( is_wc_endpoint_url( 'order-pay' ) && isset( $_GET['change_payment_method'] ) ) {
 $subscription = wcs_get_subscription( absint( get_query_var( 'order-pay' ) ) );
 return ( $subscription && PPECHelper::PPEC_GATEWAY_ID === $subscription->get_payment_method() );
 }
 // Early renew (via modal).
- if ( isset( $_GET['process_early_renewal'], $_GET['subscription_id'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
- $subscription = wcs_get_subscription( absint( $_GET['subscription_id'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ if ( isset( $_GET['process_early_renewal'], $_GET['subscription_id'] ) ) {
+ $subscription = wcs_get_subscription( absint( $_GET['subscription_id'] ) );
 return ( $subscription && PPECHelper::PPEC_GATEWAY_ID === $subscription->get_payment_method() );
 }
@@ -185,7 +187,6 @@ class SubscriptionsHandler {
 }
 // Are we editing an order or subscription tied to PPEC?
- // phpcs:ignore WordPress.Security.NonceVerification
 $order_id = wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? $_POST['post_ID'] ?? '' ) );
 if ( $order_id ) {
 $order = wc_get_order( $order_id );
@@ -199,9 +200,7 @@ class SubscriptionsHandler {
 * @psalm-suppress UndefinedClass
 */
 $post_type_or_page = class_exists( OrderUtil::class ) && OrderUtil::custom_orders_table_usage_is_enabled()
- // phpcs:ignore WordPress.Security.NonceVerification
 ? wc_clean( wp_unslash( $_GET['page'] ?? '' ) )
- // phpcs:ignore WordPress.Security.NonceVerification
 : wc_clean( wp_unslash( $_GET['post_type'] ?? $_POST['post_type'] ?? '' ) );
 if ( $post_type_or_page === 'shop_subscription' || $post_type_or_page === 'wc-orders--shop_subscription' ) {
 return true;
diff --git a/modules/ppcp-order-tracking/src/TrackingAvailabilityTrait.php b/modules/ppcp-order-tracking/src/TrackingAvailabilityTrait.php
index b149259a3..3accf383b 100644
--- a/modules/ppcp-order-tracking/src/TrackingAvailabilityTrait.php
+++ b/modules/ppcp-order-tracking/src/TrackingAvailabilityTrait.php
@@ -24,7 +24,8 @@ trait TrackingAvailabilityTrait {
 * @return bool
 */
 protected function is_tracking_enabled( Bearer $bearer ): bool {
- $post_id = (int) wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ // phpcs:ignore WordPress.Security.NonceVerification
+ $post_id = (int) wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) );
 if ( ! $post_id ) {
 return false;
 }
diff --git a/modules/ppcp-paypal-subscriptions/src/PayPalSubscriptionsModule.php b/modules/ppcp-paypal-subscriptions/src/PayPalSubscriptionsModule.php
index 0f469a436..4dea48817 100644
--- a/modules/ppcp-paypal-subscriptions/src/PayPalSubscriptionsModule.php
+++ b/modules/ppcp-paypal-subscriptions/src/PayPalSubscriptionsModule.php
@@ -167,6 +167,7 @@ class PayPalSubscriptionsModule implements ServiceModule, ExtendingModule, Execu
 return;
 }
+ // phpcs:ignore WordPress.Security.NonceVerification
 $nonce = wc_clean( wp_unslash( $_POST['_wcsnonce'] ?? '' ) );
 if ( $subscriptions_mode !== 'subscriptions_api'
@@ -250,6 +251,7 @@ class PayPalSubscriptionsModule implements ServiceModule, ExtendingModule, Execu
 * @psalm-suppress MissingClosureParamType
 */
 function( $variation_id ) use ( $c ) {
+ // phpcs:ignore WordPress.Security.NonceVerification
 $wcsnonce_save_variations = wc_clean( wp_unslash( $_POST['_wcsnonce_save_variations'] ?? '' ) );
 if (
diff --git a/modules/ppcp-save-payment-methods/src/SavePaymentMethodsModule.php b/modules/ppcp-save-payment-methods/src/SavePaymentMethodsModule.php
index eb8e406c6..d47c5e3e8 100644
--- a/modules/ppcp-save-payment-methods/src/SavePaymentMethodsModule.php
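Review bot: The `// phpcs:ignore WordPress.Security.NonceVerification` placed above `$nonce = wc_clean( wp_unslash( $_POST['_wcsnonce'] ?? '' ) );` (and the one above `$wcsnonce_save_variations` in the `@@ -250` hunk) records no justification, yet the line it exempts is exactly the kind a reviewer wants explained: it reads a nonce that is presumably verified a few lines further down, outside the hunk. phpcs accepts a trailing reason after ` -- `, so `// phpcs:ignore WordPress.Security.NonceVerification -- nonce is read here and verified below` documents why the exemption is safe without widening it. The same applies to the otherwise identical suppressions added in TrackingAvailabilityTrait (`@@ -24`), SavePaymentMethodsModule (`@@ -285`) and VaultingModule (`@@ -207`), each with whatever the actual reason is there. Only the reads are shown in these hunks, so the verification itself is inferred, not visible.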
+++ b/modules/ppcp-save-payment-methods/src/SavePaymentMethodsModule.php
@@ -285,7 +285,8 @@ class SavePaymentMethodsModule implements ServiceModule, ExtendingModule, Execut
 ? apply_filters( 'woocommerce_paypal_payments_three_d_secure_contingency', $settings->get( '3d_secure_contingency' ) )
 : '';
- $change_payment_method = wc_clean( wp_unslash( $_GET['change_payment_method'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification
+ // phpcs:ignore WordPress.Security.NonceVerification
+ $change_payment_method = wc_clean( wp_unslash( $_GET['change_payment_method'] ?? '' ) );
 wp_localize_script(
 'ppcp-add-payment-method',
diff --git a/modules/ppcp-vaulting/src/VaultingModule.php b/modules/ppcp-vaulting/src/VaultingModule.php
index 427ff79c1..b820fb516 100644
--- a/modules/ppcp-vaulting/src/VaultingModule.php
+++ b/modules/ppcp-vaulting/src/VaultingModule.php
@@ -207,6 +207,7 @@ class VaultingModule implements ServiceModule, ExtendingModule, ExecutableModule
 return;
 }
+ // phpcs:ignore WordPress.Security.NonceVerification
 $wpnonce = wc_clean( wp_unslash( $_REQUEST['_wpnonce'] ?? '' ) );
 $token_id_string = (string) $token_id;
 $action = 'delete-payment-method-' . $token_id_string;
diff --git a/modules/ppcp-wc-gateway/src/Gateway/PayUponInvoice/PayUponInvoiceGateway.php b/modules/ppcp-wc-gateway/src/Gateway/PayUponInvoice/PayUponInvoiceGateway.php
index 1622123bc..952df2c8a 100644
--- a/modules/ppcp-wc-gateway/src/Gateway/PayUponInvoice/PayUponInvoiceGateway.php
+++ b/modules/ppcp-wc-gateway/src/Gateway/PayUponInvoice/PayUponInvoiceGateway.php
@@ -247,9 +247,8 @@ class PayUponInvoiceGateway extends WC_Payment_Gateway {
 */
 public function process_payment( $order_id ) {
 $wc_order = wc_get_order( $order_id );
- // phpcs:disable WordPress.Security.NonceVerification.Missing
+ // phpcs:disable WordPress.Security.NonceVerification
 $birth_date = wc_clean( wp_unslash( $_POST['billing_birth_date'] ?? '' ) );
- // phpcs:disable WordPress.Security.NonceVerification.Recommended
 $pay_for_order = wc_clean( wp_unslash( $_GET['pay_for_order'] ?? '' ) );
 if ( 'true' === $pay_for_order ) {
 if ( ! $this->checkout_helper->validate_birth_date( $birth_date ) ) {
@@ -261,7 +260,7 @@ class PayUponInvoiceGateway extends WC_Payment_Gateway {
 }
 $phone_number = wc_clean( wp_unslash( $_POST['billing_phone'] ?? '' ) );
- // phpcs:enable WordPress.Security.NonceVerification.Missing
+ // phpcs:enable WordPress.Security.NonceVerification
 if ( $phone_number ) {
 $wc_order->set_billing_phone( $phone_number );
 $wc_order->save();