PluginProbe ʕ •ᴥ•ʔ
JetFormBuilder — Dynamic Blocks Form Builder / 2.1.5
JetFormBuilder — Dynamic Blocks Form Builder v2.1.5
3.6.3.1 3.6.3 3.6.2.2 3.6.2.1 3.6.2 3.6.1.1 3.6.1 3.6.0.1 trunk 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.0 1.3.1 1.3.2 1.3.3 1.4.0 1.4.1 1.4.2 1.4.3 1.5.0 1.5.1 1.5.2 1.5.3 1.5.4 1.5.5 2.0.0 2.0.1 2.0.2 2.0.3 2.0.4 2.0.5 2.0.6 2.1.0 2.1.1 2.1.10 2.1.11 2.1.2 2.1.3 2.1.4 2.1.5 2.1.6 2.1.7 2.1.8 2.1.9 3.0.0 3.0.0.1 3.0.0.2 3.0.0.3 3.0.1 3.0.1.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.0.7 3.0.8 3.0.9 3.1.0 3.1.0.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7 3.1.8 3.1.9 3.2.0 3.2.1 3.2.2 3.2.3 3.3.0 3.3.1 3.3.2 3.3.3 3.3.3.1 3.3.4 3.3.4.1 3.3.4.2 3.4.0 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.5.1 3.4.5.2 3.4.6 3.4.7 3.4.7.1 3.5.0 3.5.1 3.5.1.1 3.5.1.2 3.5.2 3.5.2.1 3.5.3 3.5.4 3.5.5 3.5.6 3.5.6.1 3.5.6.2 3.5.6.3 3.6.0
jetformbuilder / includes / classes / security / csrf-tools.php
jetformbuilder / includes / classes / security Last commit date
csrf-token-model.php 3 years ago csrf-token-view.php 3 years ago csrf-tools.php 3 years ago wp-nonce-tools.php 3 years ago
csrf-tools.php
153 lines
1 <?php
2
3
4 namespace Jet_Form_Builder\Classes\Security;
5
6 use Jet_Form_Builder\Classes\Http\Http_Tools;
7 use Jet_Form_Builder\Db_Queries\Exceptions\Sql_Exception;
8 use Jet_Form_Builder\Exceptions\Query_Builder_Exception;
9 use Jet_Form_Builder\Exceptions\Request_Exception;
10 use Jet_Form_Builder\Live_Form;
11
12 class Csrf_Tools {
13
14 const FIELD = '_jfb_csrf_token';
15
16 private $token;
17 private $client;
18
19 public function register() {
20 add_filter( 'jet-form-builder/request-handler/request', array( $this, 'handle_request' ) );
21 }
22
23 public static function get_field(): string {
24 if ( ! jet_fb_live_args()->is_use_csrf() ) {
25 return '';
26 }
27
28 // generate new unique token
29 $csrf = static::generate();
30
31 // get hashed string with user-agent, ip address & form-id
32 $client_id = static::client_id( jet_fb_live()->form_id );
33
34 try {
35 // insert new token if client_id is not exist in table
36 $token = static::add( $csrf, $client_id );
37 } catch ( Sql_Exception $exception ) {
38 return '';
39 }
40
41 return Live_Form::force_render_field(
42 'hidden-field',
43 array(
44 'field_value' => $token,
45 'name' => self::FIELD,
46 )
47 );
48 }
49
50 /**
51 * @param array $request
52 *
53 * @return array
54 * @throws Request_Exception
55 */
56 public function handle_request( array $request ): array {
57 if ( ! jet_fb_live_args()->is_use_csrf() ) {
58 return $request;
59 }
60
61 $this->token = $request[ self::FIELD ] ?? false;
62 $this->client = static::client_id( jet_fb_live()->form_id );
63
64 // delete all old tokens
65 Csrf_Token_Model::clear();
66
67 if ( ! static::verify( $this->token, $this->client ) ) {
68 throw ( new Request_Exception( 'Invalid token' ) )->dynamic_error();
69 }
70
71 // delete verified token only on success
72 add_action( 'jet-form-builder/form-handler/after-send', array( $this, 'handle_after_send' ) );
73
74 return $request;
75 }
76
77 public function handle_after_send() {
78 if ( ! jet_fb_handler()->is_success ) {
79 return;
80 }
81
82 static::delete( $this->token, $this->client );
83 }
84
85 /**
86 * @param string $token
87 * @param string $client_id
88 *
89 * New token or existed
90 * @return string
91 * @throws Sql_Exception
92 */
93 public static function add( string $token, string $client_id ): string {
94 try {
95 $row = Csrf_Token_View::by_client( $client_id );
96
97 $token = $row['token'];
98 } catch ( Query_Builder_Exception $exception ) {
99 ( new Csrf_Token_Model() )->insert(
100 array(
101 'token' => $token,
102 'client_id' => $client_id,
103 )
104 );
105 }
106
107 return $token;
108 }
109
110
111 public static function verify( string $token, string $client_id ): bool {
112 $where = array(
113 'token' => $token,
114 'client_id' => $client_id,
115 );
116 try {
117 Csrf_Token_View::findOne( $where )->query()->query_one();
118 } catch ( Query_Builder_Exception $exception ) {
119 return false;
120 }
121
122 return true;
123 }
124
125 public static function delete( string $token, string $client_id ): int {
126 $where = array(
127 'token' => $token,
128 'client_id' => $client_id,
129 );
130
131 try {
132 return Csrf_Token_View::delete( $where );
133 } catch ( Query_Builder_Exception $exception ) {
134 return 0;
135 }
136 }
137
138 public static function generate(): string {
139 try {
140 return \bin2hex( \random_bytes( 16 ) );
141 } catch ( \Exception $e ) {
142 return uniqid( wp_rand(), true );
143 }
144 }
145
146 public static function client_id( $suffix = '' ): string {
147 $user_agent = Http_Tools::get_user_agent();
148 $ip_address = Http_Tools::get_ip_address();
149
150 return md5( $user_agent . $ip_address . $suffix );
151 }
152 }
153