From c6bda294264955a455e348053a55249a7e4fb8bb Mon Sep 17 00:00:00 2001
From: Emili Castells Guasch
Date: Wed, 19 Apr 2023 12:45:37 +0200
Subject: [PATCH 1/5] Add nonce to onboarding return url

---
 .../src/Repository/PartnerReferralsData.php | 2 +-
 .../src/Settings/SettingsListener.php | 13 +++++--------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php b/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php
index a955dcf23..f1bd33b5b 100644
--- a/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php
+++ b/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php
@@ -84,7 +84,7 @@ class PartnerReferralsData {
 	 */
 		'return_url' => apply_filters(
 			'woocommerce_paypal_payments_partner_config_override_return_url',
-			admin_url( 'admin.php?page=wc-settings&tab=checkout§ion=ppcp-gateway' )
+			add_query_arg( 'ppcp-return-url-nonce', wp_create_nonce( 'ppcp-return-url' ), admin_url( 'admin.php?page=wc-settings&tab=checkout§ion=ppcp-gateway' ) )
 		),
 		/**
 		 * Returns the description of the URL which will be opened at the end of onboarding.
diff --git a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
index adf2c605a..eb8ee8598 100644
--- a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
+++ b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
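Review bot: The nonce is added inside the value handed to `apply_filters( 'woocommerce_paypal_payments_partner_config_override_return_url', ... )`, so any site that overrides the return URL through that filter silently loses `ppcp-return-url-nonce` and the listener on the receiving side will discard the merchant data with no feedback. Appending the nonce after the filter runs, e.g. `add_query_arg( 'ppcp-return-url-nonce', wp_create_nonce( 'ppcp-return-url' ), apply_filters( 'woocommerce_paypal_payments_partner_config_override_return_url', admin_url( ... ) ) )`, keeps the check effective for overridden URLs; alternatively the filter's docblock should state that overrides must preserve the parameter. A short comment at the call site that WordPress nonces are bound to the current user session and expire after roughly 12–24 hours would also warn against caching or persisting this URL. (`§ion` in the URL literal appears to be a rendering artefact of `&section`.)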
@@ -168,23 +168,20 @@ class SettingsListener {
 	 * Listens if the merchant ID should be updated.
 	 */
 	public function listen_for_merchant_id() {
-
 		if ( ! $this->is_valid_site_request() ) {
 			return;
 		}
 
-		/**
-		 * No nonce provided.
-		 * phpcs:disable WordPress.Security.NonceVerification.Missing
-		 * phpcs:disable WordPress.Security.NonceVerification.Recommended
-		 */
+		$nonce = wc_clean( wp_unslash( $_GET['ppcp-return-url-nonce'] ?? '' ) );
+		if ( ! $nonce || ! wp_verify_nonce( $nonce, 'ppcp-return-url' ) ) {
+			return;
+		}
+
 		if ( ! isset( $_GET['merchantIdInPayPal'] ) || ! isset( $_GET['merchantId'] ) ) {
 			return;
 		}
 		$merchant_id = sanitize_text_field( wp_unslash( $_GET['merchantIdInPayPal'] ) );
 		$merchant_email = sanitize_text_field( wp_unslash( $_GET['merchantId'] ) );
-		// phpcs:enable WordPress.Security.NonceVerification.Missing
-		// phpcs:enable WordPress.Security.NonceVerification.Recommended
 
 		$this->settings->set( 'merchant_id', $merchant_id );
 		$this->settings->set( 'merchant_email', $merchant_email );

From 678ec31bc2535e2eea0aa1dfc3af651f73078875 Mon Sep 17 00:00:00 2001
From: Emili Castells Guasch
Date: Wed, 19 Apr 2023 12:59:59 +0200
Subject: [PATCH 2/5] Fix psalm

---
 modules/ppcp-wc-gateway/src/Settings/SettingsListener.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
index eb8ee8598..85865b4fd 100644
--- a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
+++ b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
@@ -173,7 +173,7 @@ class SettingsListener {
 		}
 
 		$nonce = wc_clean( wp_unslash( $_GET['ppcp-return-url-nonce'] ?? '' ) );
-		if ( ! $nonce || ! wp_verify_nonce( $nonce, 'ppcp-return-url' ) ) {
+		if ( ! $nonce || ! is_string($nonce) || ! wp_verify_nonce( $nonce, 'ppcp-return-url' ) ) {
 			return;
 		}
 

From 1039ab6e721434bb4434c185d0f0e63aca36c4ed Mon Sep 17 00:00:00 2001
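Review bot: When the new `wp_verify_nonce()` branch fails the method returns silently, so a merchant who finishes PayPal onboarding on an expired or session-mismatched nonce lands on the settings page with no sign that `merchantIdInPayPal`/`merchantId` were thrown away. A log line or admin notice before that `return;`, e.g. `$this->logger->warning( 'Onboarding return URL rejected: invalid or expired nonce.' );` if a logger is available to this class (its constructor is outside the hunk), would make the failure diagnosable. The nonce proves the request came from the current user's session, not that it came from PayPal; what `is_valid_site_request()` adds on top is not visible here. Removing the `phpcs:disable` block is the right call now that the sniff's concern is actually addressed.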
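Review bot: Style point on the new condition: `is_string($nonce)` is the only call in this method without WordPress-style spacing inside the parentheses, which the WordPress phpcs ruleset will flag, and the extra check exists only because `wc_clean()` passes arrays through. Reading the value the same way as the `$merchant_id` lines just below makes the guard unnecessary and the method consistent: `$nonce = sanitize_text_field( wp_unslash( $_GET['ppcp-return-url-nonce'] ?? '' ) );` followed by `if ( ! $nonce || ! wp_verify_nonce( $nonce, 'ppcp-return-url' ) ) {`, since `sanitize_text_field()` returns an empty string for non-scalar input. If `wc_clean()` is kept, the `is_string()` check must stay ahead of `wp_verify_nonce()` as it is here, because that function presumably casts its argument to string and would emit an array-to-string notice.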
From: Emili Castells Guasch
Date: Thu, 20 Apr 2023 14:32:30 +0200
Subject: [PATCH 3/5] Revert as we are caching signup links, nonce could fail

---
 .../ppcp-api-client/src/Repository/PartnerReferralsData.php | 2 +-
 modules/ppcp-wc-gateway/src/Settings/SettingsListener.php | 5 -----
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php b/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php
index f1bd33b5b..a955dcf23 100644
--- a/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php
+++ b/modules/ppcp-api-client/src/Repository/PartnerReferralsData.php
@@ -84,7 +84,7 @@ class PartnerReferralsData {
 	 */
 		'return_url' => apply_filters(
 			'woocommerce_paypal_payments_partner_config_override_return_url',
-			add_query_arg( 'ppcp-return-url-nonce', wp_create_nonce( 'ppcp-return-url' ), admin_url( 'admin.php?page=wc-settings&tab=checkout§ion=ppcp-gateway' ) )
+			admin_url( 'admin.php?page=wc-settings&tab=checkout§ion=ppcp-gateway' )
 		),
 		/**
 		 * Returns the description of the URL which will be opened at the end of onboarding.
diff --git a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
index 85865b4fd..b8a343a94 100644
--- a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
+++ b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
@@ -172,11 +172,6 @@ class SettingsListener {
 			return;
 		}
 
-		$nonce = wc_clean( wp_unslash( $_GET['ppcp-return-url-nonce'] ?? '' ) );
-		if ( ! $nonce || ! is_string($nonce) || ! wp_verify_nonce( $nonce, 'ppcp-return-url' ) ) {
-			return;
-		}
-
 		if ( ! isset( $_GET['merchantIdInPayPal'] ) || ! isset( $_GET['merchantId'] ) ) {
 			return;
 		}

From 5834c42e113dff4d4835fbb9f9f536fac9a29430 Mon Sep 17 00:00:00 2001
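Review bot: Going back to the bare `admin_url( ... )` because the signup link is cached removes the only request-origin check the return URL had; the problem is that a WordPress nonce is session- and time-bound, not that a token in the URL is wrong. A cached link can instead carry a long-lived per-store secret generated once when the link is first built (e.g. `wp_generate_password( 32, false )` stored in the plugin settings) and appended with `add_query_arg()` here, which the listener compares with `hash_equals()` and clears after a successful onboarding. That keeps the cached link usable for as long as the cache lives while still rejecting an arbitrary crafted URL. Where and for how long the link is cached is not visible in this hunk, so the token's lifetime should be tied to that cache entry.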
From: Emili Castells Guasch
Date: Thu, 20 Apr 2023 14:52:38 +0200
Subject: [PATCH 4/5] Prevents disconnect store when already onboarded via URL params

---
 modules/ppcp-wc-gateway/src/Settings/SettingsListener.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
index b8a343a94..d0d75658d 100644
--- a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
+++ b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
@@ -168,7 +168,7 @@ class SettingsListener {
 	 * Listens if the merchant ID should be updated.
 	 */
 	public function listen_for_merchant_id() {
-		if ( ! $this->is_valid_site_request() ) {
+		if ( ! $this->is_valid_site_request() || $this->state->current_state() === State::STATE_ONBOARDED ) {
 			return;
 		}
 

From 115dd7931b072f189e92b9ccfc0fcb6ce2eafa65 Mon Sep 17 00:00:00 2001
From: Emili Castells Guasch
Date: Thu, 27 Apr 2023 10:54:18 +0200
Subject: [PATCH 5/5] Revert phpcs comments

---
 modules/ppcp-wc-gateway/src/Settings/SettingsListener.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
index d0d75658d..9bd20ba37 100644
--- a/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
+++ b/modules/ppcp-wc-gateway/src/Settings/SettingsListener.php
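Review bot: The added `State::STATE_ONBOARDED` guard stops an already-connected store from being re-pointed through query parameters, but a store that has not finished onboarding still accepts whatever `merchantIdInPayPal` and `merchantId` arrive on this admin URL (read further down the method, outside this hunk), and after patch 3 no nonce or token is checked at all — a crafted link opened by a logged-in admin during setup could bind the store to an attacker-controlled PayPal merchant. What `is_valid_site_request()` verifies is not visible here; if it only checks the page and section, the pre-onboarding path still needs a stored secret compared with `hash_equals()` before the values are written. The new condition also relies on `$this->state` and an imported `State` class, neither of which appears in the hunk, so confirm both exist in this file. The method's body continues past the hunk.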
@@ -172,11 +172,18 @@ class SettingsListener {
 			return;
 		}
 
+		/**
+		 * No nonce provided.
+		 * phpcs:disable WordPress.Security.NonceVerification.Missing
+		 * phpcs:disable WordPress.Security.NonceVerification.Recommended
+		 */
 		if ( ! isset( $_GET['merchantIdInPayPal'] ) || ! isset( $_GET['merchantId'] ) ) {
 			return;
 		}
 		$merchant_id = sanitize_text_field( wp_unslash( $_GET['merchantIdInPayPal'] ) );
 		$merchant_email = sanitize_text_field( wp_unslash( $_GET['merchantId'] ) );
+		// phpcs:enable WordPress.Security.NonceVerification.Missing
+		// phpcs:enable WordPress.Security.NonceVerification.Recommended
 
 		$this->settings->set( 'merchant_id', $merchant_id );
 		$this->settings->set( 'merchant_email', $merchant_email );
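Review bot: The restored docblock says only `No nonce provided.`, which reads like an oversight rather than the deliberate decision taken in the earlier revert, so the next maintainer cannot tell why the sniff is suppressed or what compensates for it. Suggest expanding it to something like `No nonce: the PayPal signup/return link is cached, so a session-bound nonce would expire before use. Updates are refused once the store is onboarded (see the state check above) and both values are sanitized before being stored.` Keep the `phpcs:disable`/`phpcs:enable` pair scoped as tightly as it is now, around the `$_GET` reads only. The enclosing method starts above this hunk.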