Skip to content

Fix #38: Add nonce verification to all state-changing operations #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pbking merged 1 commit into from
Aug 25, 2025
Merged

Fix #38: Add nonce verification to all state-changing operations #39

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion includes/class-pattern-builder-api.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,9 +323,13 @@ public function register_patterns() {


/**
*
* Filters delete calls and if the item being deleted is a 'tbell_pattern_block' (theme pattern)
* delete the related pattern php file as well.
*
* @param mixed $response The response from the REST API.
* @param WP_REST_Server $server The REST server instance.
* @param WP_REST_Request $request The REST request object.
* @return mixed|WP_Error The response or WP_Error on failure.
*/
function handle_hijack_block_delete( $response, $server, $request ) {

Expand All @@ -338,6 +342,16 @@ function handle_hijack_block_delete( $response, $server, $request ) {

if ( $post && $post->post_type === 'tbell_pattern_block' && $request->get_method() === 'DELETE' ) {

// Verify nonce for additional security
$nonce = $request->get_header( 'X-WP-Nonce' );
if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
return new WP_Error(
'rest_cookie_invalid_nonce',
__( 'Cookie nonce is invalid', 'pattern-builder' ),
array( 'status' => 403 )
);
}

$deleted = wp_delete_post( $id, true );

if ( ! $deleted ) {
Expand Down Expand Up @@ -578,9 +592,25 @@ private function sanitize_pattern_input( $input ) {

/**
* When anything is saved any wp:block that references a theme pattern is converted to a wp:pattern block instead.
*
* @param mixed $response The response from the REST API.
* @param mixed $handler The handler object.
* @param WP_REST_Request $request The REST request object.
* @return mixed The response, potentially modified.
*/
public function handle_block_to_pattern_conversion( $response, $handler, $request ) {
if ( $request->get_method() === 'PUT' || $request->get_method() === 'POST' ) {

// Verify nonce for additional security on state-changing operations
$nonce = $request->get_header( 'X-WP-Nonce' );
if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
return new WP_Error(
'rest_cookie_invalid_nonce',
__( 'Cookie nonce is invalid', 'pattern-builder' ),
array( 'status' => 403 )
);
}

$body = json_decode( $request->get_body(), true );

// Validate JSON decode was successful
Expand Down