Added: getShortcodeAtts mutation to extract shortcodes from a request.

Fixed: potential PHP error in the array_key_value matching type.

Author: dave83649

src/Processor.php

@@ -376,6 +376,10 @@ public function matchParameterValue($match, $value)
         // If a specific parameter key matches a sub-match condition.
         if ($matchType == 'array_key_value' && isset($match['key'], $match['match'])) {
             $values = $this->request->getParameterValues($match['key'], $value);
+            if (!is_array($values)) {
+                return false;
+            }
+
             foreach ($values as $value) {
                 if ($this->matchParameterValue($match['match'], $value)) {
                     return true;

src/Request.php

@@ -196,6 +196,10 @@ public function applyMutation($mutations, $value)
             'getArrayValues' => [
                 'args' => [],
                 'type' => 'is_array'
+            ],
+            'getShortcodeAtts' => [
+                'args' => [],
+                'type' => 'is_string'
             ]
         ];
 
@@ -217,6 +221,8 @@ public function applyMutation($mutations, $value)
                 // Call the function with given arguments.
                 if ($mutation == 'getArrayValues') {
                     $value = $this->getArrayValues($value);
+                } elseif ($mutation == 'getShortcodeAtts') {
+                    $value = $this->getShortcodeAtts($value);
                 } else {
                     $value = call_user_func_array($mutation, array_merge([$value], $allowed[$mutation]['args']));
                 }
@@ -323,4 +329,55 @@ public function getArrayValues($data, $glue = '&', $type = 'string')
 
         return $ret;
     }
+
+    /**
+     * Given a string, fetch all shortcodes and its attributes.
+     * 
+     * @param string $value
+     * @return array
+     */
+    public function getShortcodeAtts($value)
+    {
+        // For rare cases where this may not be defined.
+        if (!function_exists('shortcode_parse_atts')) {
+            return [];
+        }
+
+        // The regular expression used by WordPress core to fetch shortcodes and its attributes.
+        preg_match_all(
+            '/\[(\[?)(.*?)(?![\w-])([^\]\/]*(?:\/(?!\])[^\]\/]*)*?)(?:(\/)\]|\](?:([^\[]*+(?:\[(?!\/\2\])[^\[]*+)*+)\[\/\2\])?)(\]?)/',
+            $value,
+            $shortcodes,
+            PREG_SET_ORDER
+        );
+
+        // No matches.
+        if (count($shortcodes) == 0) {
+            return [];
+        }
+
+        // Iterate through all shortcodes and fetch their attributes.
+        $return = [];
+        foreach ($shortcodes as $shortcode) {
+            if (!isset($shortcode[2], $shortcode[3], $shortcode[5])) {
+                continue;
+            }
+
+            // Merge together if the shortcode occurs more than once.
+            if (isset($return[$shortcode[2]])) {
+                $atts = @shortcode_parse_atts($shortcode[3]);
+                foreach ($atts as $key => $value) {
+                    if (isset($return[$shortcode[2]][$key])) {
+                        $return[$shortcode[2]][$key] .= $value;
+                    } else {
+                        $return[$shortcode[2]][$key] = $value;
+                    }
+                }
+            } else {
+                $return[$shortcode[2]] = @shortcode_parse_atts($shortcode[3]);
+            }
+        }
+
+        return $return; 
+    }
 }

tests/FirewallTest.php

@@ -316,5 +316,65 @@ public function testRules()
         );
         $this->assertFalse($this->processor->launch(false));
         $this->alterPayload();
+
+        // Determine if a POST parameter contains a shortcode with a bad attribute.
+        // Import the WordPress functions.
+        function get_shortcode_atts_regex() {
+            return '/([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)|([\w-]+)\s*=\s*\'([^\']*)\'(?:\s|$)|([\w-]+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^"]*)"(?:\s|$)|\'([^\']*)\'(?:\s|$)|(\S+)(?:\s|$)/';
+        }
+
+        function shortcode_parse_atts( $text ) {
+            $atts    = array();
+            $pattern = get_shortcode_atts_regex();
+            $text    = preg_replace( "/[\x{00a0}\x{200b}]+/u", ' ', $text );
+            if ( preg_match_all( $pattern, $text, $match, PREG_SET_ORDER ) ) {
+                foreach ( $match as $m ) {
+                    if ( ! empty( $m[1] ) ) {
+                        $atts[ strtolower( $m[1] ) ] = stripcslashes( $m[2] );
+                    } elseif ( ! empty( $m[3] ) ) {
+                        $atts[ strtolower( $m[3] ) ] = stripcslashes( $m[4] );
+                    } elseif ( ! empty( $m[5] ) ) {
+                        $atts[ strtolower( $m[5] ) ] = stripcslashes( $m[6] );
+                    } elseif ( isset( $m[7] ) && strlen( $m[7] ) ) {
+                        $atts[] = stripcslashes( $m[7] );
+                    } elseif ( isset( $m[8] ) && strlen( $m[8] ) ) {
+                        $atts[] = stripcslashes( $m[8] );
+                    } elseif ( isset( $m[9] ) ) {
+                        $atts[] = stripcslashes( $m[9] );
+                    }
+                }
+        
+                // Reject any unclosed HTML elements.
+                foreach ( $atts as &$value ) {
+                    if ( false !== strpos( $value, '<' ) ) {
+                        if ( 1 !== preg_match( '/^[^<]*+(?:<[^>]*+>[^<]*+)*+$/', $value ) ) {
+                            $value = '';
+                        }
+                    }
+                }
+            } else {
+                $atts = ltrim( $text );
+            }
+        
+            return $atts;
+        }
+
+        $this->setUpFirewallProcessor([$this->rules[20]]);
+        $this->alterPayload(
+            ['POST' => [
+            'content' => 'This is my post content and a shortcode with bad attribute value. [learn_press_featured_courses order_by="post_date" order="desc"]'
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[20]]);
+        $this->alterPayload(
+            ['POST' => [
+            'content' => 'This is my post content with a legitimate shortcode. [learn_press_featured_courses order_by="post_date" order="\',(select sleep(10))"]'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
     }
 }

tests/data/Rules.json

@@ -158,5 +158,13 @@
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
+    },
+    {
+        "id":21,
+        "title":"Block a specific WordPress shortcode attribute from containing a bad value.",
+        "rules":[{"parameter":"post.content","mutations":["getShortcodeAtts"],"match":{"type":"array_key_value","key":"learn_press_featured_courses.order","match":{"type":"contains","value":")"}}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
     }
 ]