PluginProbe ʕ •ᴥ•ʔ
JetFormBuilder — Dynamic Blocks Form Builder / 3.5.6.3
JetFormBuilder — Dynamic Blocks Form Builder v3.5.6.3
3.6.3.1 3.6.3 3.6.2.2 3.6.2.1 3.6.2 3.6.1.1 3.6.1 3.6.0.1 trunk 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.0 1.3.1 1.3.2 1.3.3 1.4.0 1.4.1 1.4.2 1.4.3 1.5.0 1.5.1 1.5.2 1.5.3 1.5.4 1.5.5 2.0.0 2.0.1 2.0.2 2.0.3 2.0.4 2.0.5 2.0.6 2.1.0 2.1.1 2.1.10 2.1.11 2.1.2 2.1.3 2.1.4 2.1.5 2.1.6 2.1.7 2.1.8 2.1.9 3.0.0 3.0.0.1 3.0.0.2 3.0.0.3 3.0.1 3.0.1.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.0.7 3.0.8 3.0.9 3.1.0 3.1.0.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7 3.1.8 3.1.9 3.2.0 3.2.1 3.2.2 3.2.3 3.3.0 3.3.1 3.3.2 3.3.3 3.3.3.1 3.3.4 3.3.4.1 3.3.4.2 3.4.0 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.5.1 3.4.5.2 3.4.6 3.4.7 3.4.7.1 3.5.0 3.5.1 3.5.1.1 3.5.1.2 3.5.2 3.5.2.1 3.5.3 3.5.4 3.5.5 3.5.6 3.5.6.1 3.5.6.2 3.5.6.3 3.6.0
jetformbuilder / modules / validation / advanced-rules / server-side-rule.php
jetformbuilder / modules / validation / advanced-rules Last commit date
interfaces 2 years ago traits 2 years ago match-not-regexp-rule.php 2 years ago match-regexp-rule.php 2 years ago must-contain-characters-rule.php 2 years ago must-equal-rule.php 2 years ago must-not-contain-characters-rule.php 2 years ago rule.php 2 years ago server-side-rule.php 4 months ago
server-side-rule.php
224 lines
1 <?php
2
3
4 namespace JFB_Modules\Validation\Advanced_Rules;
5
6 use JFB_Modules\Validation\Ssr;
7 use Jet_Form_Builder\Exceptions\Repository_Exception;
8 use JFB_Components\Repository\Repository_Pattern_Trait;
9 use JFB_Modules\Block_Parsers\Field_Data_Parser;
10
11 // If this file is called directly, abort.
12 if ( ! defined( 'WPINC' ) ) {
13 die;
14 }
15
16 class Server_Side_Rule extends Rule {
17
18 use Repository_Pattern_Trait;
19
20 /**
21 * Blacklist of dangerous functions that should never be allowed as callbacks.
22 * All values MUST be lowercase for case-insensitive comparison.
23 *
24 * @since 3.5.6.2 Security fix: expanded list and case-insensitive check
25 */
26 const NOT_ALLOWED = array(
27 // Debug/output functions
28 'var_dump',
29 'var_export',
30 'print_r',
31 'sprintf',
32 'printf',
33 // Command execution
34 'shell_exec',
35 'system',
36 'exec',
37 'passthru',
38 'proc_open',
39 'popen',
40 'pcntl_exec',
41 'proc_nice',
42 'proc_terminate',
43 'proc_close',
44 // Code execution
45 'eval',
46 'assert',
47 'create_function',
48 'call_user_func',
49 'call_user_func_array',
50 'preg_replace_callback',
51 'array_map',
52 'array_filter',
53 'array_reduce',
54 'usort',
55 'uasort',
56 'uksort',
57 'array_walk',
58 'array_walk_recursive',
59 // File inclusion
60 'include',
61 'include_once',
62 'require',
63 'require_once',
64 // Serialization (object injection)
65 'unserialize',
66 'maybe_unserialize',
67 // File operations
68 'file_get_contents',
69 'file_put_contents',
70 'fwrite',
71 'fputs',
72 'fopen',
73 'readfile',
74 'file',
75 'fread',
76 'fgets',
77 'fgetc',
78 'fgetcsv',
79 'fpassthru',
80 'move_uploaded_file',
81 'copy',
82 'rename',
83 'unlink',
84 'rmdir',
85 'mkdir',
86 'chmod',
87 'chown',
88 'chgrp',
89 // Network functions
90 'curl_exec',
91 'curl_multi_exec',
92 'fsockopen',
93 'pfsockopen',
94 'stream_socket_client',
95 'stream_socket_server',
96 // Dangerous PHP functions
97 'parse_str',
98 'extract',
99 'putenv',
100 'ini_set',
101 'ini_alter',
102 'dl',
103 'mail',
104 'header',
105 'setcookie',
106 'setrawcookie',
107 // POSIX functions
108 'posix_kill',
109 'posix_mkfifo',
110 'posix_setpgid',
111 'posix_setsid',
112 'posix_setuid',
113 'posix_setgid',
114 'posix_seteuid',
115 'posix_setegid',
116 // Apache functions
117 'apache_child_terminate',
118 'apache_setenv',
119 // Reflection/class manipulation
120 'get_defined_functions',
121 'get_defined_vars',
122 'get_defined_constants',
123 'phpinfo',
124 'highlight_file',
125 'show_source',
126 'php_strip_whitespace',
127 'get_cfg_var',
128 'get_current_user',
129 'getmyuid',
130 'getmypid',
131 'getenv',
132 );
133
134 public function __construct() {
135 $this->rep_install();
136 }
137
138 public function rep_instances(): array {
139 return apply_filters(
140 'jet-form-builder/validation-callbacks',
141 array(
142 new Ssr\Is_User_Login_Unique(),
143 new Ssr\Is_User_Email_Unique(),
144 new Ssr\Is_Field_Value_Unique(),
145 new Ssr\Is_User_Password_Valid(),
146 )
147 );
148 }
149
150 public function get_id(): string {
151 return 'ssr';
152 }
153
154 public function get_label(): string {
155 return __( 'Server-Side callback', 'jet-form-builder' );
156 }
157
158 public function validate_field( Field_Data_Parser $parser ) {
159 $function_name = $this->get_setting( 'value' );
160 $is_valid = $this->validate( $parser, $function_name );
161
162 if ( $is_valid ) {
163 return;
164 }
165
166 $parser->collect_error( 'rule:ssr:' . $function_name, $this->get_setting( 'message' ) );
167 }
168
169 /**
170 * @return Ssr\Base_Validation_Callback[]
171 */
172 public function get_callbacks(): array {
173 return $this->rep_get_items();
174 }
175
176 protected function validate( Field_Data_Parser $parser, string $function_name ): bool {
177 try {
178 /** @var Ssr\Base_Validation_Callback $callback */
179 $callback = $this->rep_get_item( $function_name );
180 } catch ( Repository_Exception $exception ) {
181 return $this->validate_custom( $parser, $function_name );
182 }
183
184 return $callback->is_valid( $parser->get_value(), $parser->get_context() );
185 }
186
187 protected function validate_custom( Field_Data_Parser $parser, string $function_name ): bool {
188 $name = $this->validate_callback( $function_name );
189
190 if ( ! $name ) {
191 return false;
192 }
193
194 return (bool) call_user_func( $name, $parser->get_value(), $parser->get_context() );
195 }
196
197 /**
198 * Validate callback function name for security.
199 *
200 * @since 3.5.6.2
201 *
202 * @param string $function_name The function name to validate.
203 *
204 * @return string Empty string if invalid, function name if valid.
205 */
206 protected function validate_callback( string $function_name ): string {
207 $name = preg_replace( '/[^\w]/i', '', $function_name );
208
209 if ( $name !== $function_name ) {
210 return '';
211 }
212
213 // Case-insensitive blacklist check (PHP function names are case-insensitive)
214 $name_lower = strtolower( $name );
215
216 if ( in_array( $name_lower, self::NOT_ALLOWED, true ) ) {
217 return '';
218 }
219
220 return function_exists( $name ) ? $name : '';
221 }
222
223 }
224