Skip to content

fix: prevent SSRF via JSON import handlers#1331

Open
Alexia-Soare wants to merge 1 commit into
developmentfrom
fix/json-import
Open

fix: prevent SSRF via JSON import handlers#1331
Alexia-Soare wants to merge 1 commit into
developmentfrom
fix/json-import

Conversation

@Alexia-Soare

@Alexia-Soare Alexia-Soare commented Jul 8, 2026

Copy link
Copy Markdown

Summary

Fixes a server-side request forgery (SSRF) in the JSON import feature. Related issue: https://github.com/Codeinwp/visualizer-pro/issues/591

The getJsonRoots() and getJsonData() AJAX handlers verified only a nonce before fetching a user-supplied URL server-side, and the fetch used the unsafe wp_remote_request(). Because the chart editor is gated by edit_posts and localizes the JSON nonces, a Contributor-level user could read the nonce and make WordPress fetch arbitrary internal URLs (127.0.0.1, private ranges, etc.), with the response reflected back in roots / table — a non-blind SSRF.

The CSV/remote path already does this correctly (wp_safe_remote_get() + wp_http_validate_url()); only the JSON source was left on the raw transport.

Changes

  • classes/Visualizer/Module/Chart.php — add a current_user_can( 'edit_posts' ) guard to getJsonRoots() and getJsonData(), matching the sibling AJAX handlers in the file.
  • classes/Visualizer/Source/Json.php — switch connect() from wp_remote_request() to wp_safe_remote_request(), matching the SSRF-safe transport used by the CSV path.
  • tests/test-ajax.php — three regression tests: access-control guard on both handlers, and confirmation the JSON source fetches through the safe transport (reject_unsafe_urls).

Testing

  • New tests pass with the fix (OK (3 tests, 10 assertions)) and fail on the unpatched code (verified by reverting), so they genuinely detect the vulnerability.
  • phpcs passes clean on all changed files.

The `getJsonRoots()` and `getJsonData()` AJAX handlers verified only a
nonce before fetching a user-supplied URL server-side, and the fetch used
the unsafe `wp_remote_request()`. A Contributor (edit_posts) could read the
nonce from the chart editor and make WordPress fetch arbitrary internal
URLs, with the response reflected back (non-blind SSRF).

- Add a `current_user_can( 'edit_posts' )` guard to both handlers, matching
  the sibling AJAX handlers in the file.
- Switch `Visualizer_Source_Json::connect()` to `wp_safe_remote_request()`,
  matching the SSRF-safe transport already used by the CSV/remote path.
- Add regression tests covering the capability guard and safe transport.

Fixes Codeinwp/visualizer-pro#591

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Alexia-Soare Alexia-Soare added the pr-checklist-skip Allow this Pull Request to skip checklist. label Jul 8, 2026
@pirate-bot pirate-bot added the pr-checklist-complete The Pull Request checklist is complete. (automatic label) label Jul 8, 2026
@pirate-bot

Copy link
Copy Markdown
Contributor

Plugin build for fa41530 is ready 🛎️!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-checklist-complete The Pull Request checklist is complete. (automatic label) pr-checklist-skip Allow this Pull Request to skip checklist.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants