PluginProbe ʕ •ᴥ•ʔ
JetFormBuilder — Dynamic Blocks Form Builder / 3.0.8
JetFormBuilder — Dynamic Blocks Form Builder v3.0.8
3.6.3.1 3.6.3 3.6.2.2 3.6.2.1 3.6.2 3.6.1.1 3.6.1 3.6.0.1 trunk 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.0 1.3.1 1.3.2 1.3.3 1.4.0 1.4.1 1.4.2 1.4.3 1.5.0 1.5.1 1.5.2 1.5.3 1.5.4 1.5.5 2.0.0 2.0.1 2.0.2 2.0.3 2.0.4 2.0.5 2.0.6 2.1.0 2.1.1 2.1.10 2.1.11 2.1.2 2.1.3 2.1.4 2.1.5 2.1.6 2.1.7 2.1.8 2.1.9 3.0.0 3.0.0.1 3.0.0.2 3.0.0.3 3.0.1 3.0.1.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.0.7 3.0.8 3.0.9 3.1.0 3.1.0.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7 3.1.8 3.1.9 3.2.0 3.2.1 3.2.2 3.2.3 3.3.0 3.3.1 3.3.2 3.3.3 3.3.3.1 3.3.4 3.3.4.1 3.3.4.2 3.4.0 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.5.1 3.4.5.2 3.4.6 3.4.7 3.4.7.1 3.5.0 3.5.1 3.5.1.1 3.5.1.2 3.5.2 3.5.2.1 3.5.3 3.5.4 3.5.5 3.5.6 3.5.6.1 3.5.6.2 3.5.6.3 3.6.0
jetformbuilder / includes / classes / security / csrf-tools.php
jetformbuilder / includes / classes / security Last commit date
csrf-token-model.php 3 years ago csrf-token-view.php 3 years ago csrf-tools.php 3 years ago wp-nonce-tools.php 3 years ago
csrf-tools.php
164 lines
1 <?php
2
3
4 namespace Jet_Form_Builder\Classes\Security;
5
6 use Jet_Form_Builder\Classes\Http\Http_Tools;
7 use Jet_Form_Builder\Db_Queries\Exceptions\Sql_Exception;
8 use Jet_Form_Builder\Exceptions\Query_Builder_Exception;
9 use Jet_Form_Builder\Exceptions\Request_Exception;
10 use Jet_Form_Builder\Live_Form;
11
12 class Csrf_Tools {
13
14 const FIELD = '_jfb_csrf_token';
15
16 private $token;
17 private $client;
18
19 public function register() {
20 add_filter( 'jet-form-builder/request-handler/request', array( $this, 'handle_request' ) );
21 add_filter( 'jet-form-builder/message-types', array( $this, 'handle_messages' ) );
22 }
23
24 public static function get_field(): string {
25 if ( ! jet_fb_live_args()->is_use_csrf() ) {
26 return '';
27 }
28
29 // generate new unique token
30 $csrf = static::generate();
31
32 // get hashed string with user-agent, ip address & form-id
33 $client_id = static::client_id( jet_fb_live()->form_id );
34
35 try {
36 // insert new token if client_id is not exist in table
37 $token = static::add( $csrf, $client_id );
38 } catch ( Sql_Exception $exception ) {
39 return '';
40 }
41
42 return Live_Form::force_render_field(
43 'hidden-field',
44 array(
45 'field_value' => $token,
46 'name' => self::FIELD,
47 )
48 );
49 }
50
51 /**
52 * @param array $request
53 *
54 * @return array
55 * @throws Request_Exception
56 */
57 public function handle_request( array $request ): array {
58 if ( ! jet_fb_live_args()->is_use_csrf() ) {
59 return $request;
60 }
61
62 $this->token = $request[ self::FIELD ] ?? false;
63 $this->client = static::client_id( jet_fb_live()->form_id );
64
65 // delete all old tokens
66 Csrf_Token_Model::clear();
67
68 if ( ! static::verify( $this->token, $this->client ) ) {
69 throw new Request_Exception( 'csrf_failed' );
70 }
71
72 // delete verified token only on success
73 add_action( 'jet-form-builder/form-handler/after-send', array( $this, 'handle_after_send' ) );
74
75 return $request;
76 }
77
78 public function handle_after_send() {
79 if ( ! jet_fb_handler()->is_success ) {
80 return;
81 }
82
83 static::delete( $this->token, $this->client );
84 }
85
86 public function handle_messages( array $messages ): array {
87 $messages['csrf_failed'] = array(
88 'label' => __( 'CSRF token validation failed', 'jet-form-builder' ),
89 'value' => __( 'Invalid token', 'jet-form-builder' ),
90 );
91
92 return $messages;
93 }
94
95 /**
96 * @param string $token
97 * @param string $client_id
98 *
99 * New token or existed
100 *
101 * @return string
102 * @throws Sql_Exception
103 */
104 public static function add( string $token, string $client_id ): string {
105 try {
106 $row = Csrf_Token_View::by_client( $client_id );
107
108 $token = $row['token'];
109 } catch ( Query_Builder_Exception $exception ) {
110 ( new Csrf_Token_Model() )->insert(
111 array(
112 'token' => $token,
113 'client_id' => $client_id,
114 )
115 );
116 }
117
118 return $token;
119 }
120
121
122 public static function verify( string $token, string $client_id ): bool {
123 $where = array(
124 'token' => $token,
125 'client_id' => $client_id,
126 );
127 try {
128 Csrf_Token_View::findOne( $where )->query()->query_one();
129 } catch ( Query_Builder_Exception $exception ) {
130 return false;
131 }
132
133 return true;
134 }
135
136 public static function delete( string $token, string $client_id ): int {
137 $where = array(
138 'token' => $token,
139 'client_id' => $client_id,
140 );
141
142 try {
143 return Csrf_Token_View::delete( $where );
144 } catch ( Query_Builder_Exception $exception ) {
145 return 0;
146 }
147 }
148
149 public static function generate(): string {
150 try {
151 return \bin2hex( \random_bytes( 16 ) );
152 } catch ( \Exception $e ) {
153 return uniqid( wp_rand(), true );
154 }
155 }
156
157 public static function client_id( $suffix = '' ): string {
158 $user_agent = Http_Tools::get_user_agent();
159 $ip_address = Http_Tools::get_ip_address();
160
161 return md5( $user_agent . $ip_address . $suffix );
162 }
163 }
164