WP STAGING – WordPress Backup, Restore, Migration & Clone / trunk
wp-staging / Framework / Security / EncryptionNoticeService.php
EncryptionNoticeService.php
82 lines
1 <?php
2
3 namespace WPStaging\Framework\Security;
4
5 /**
6 * Renders the stale-encryption admin notice.
7 *
8 * A credential is "stale" when it was encrypted with a key that is no longer
9 * available: it looks encrypted but decryption silently returns it unchanged.
10 */
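class EncryptionNoticeService
{
    /** @var DataEncryption Used to recognise encrypted values and to attempt decryption. */
    private $dataEncryption;

    /**
     * @param DataEncryption $dataEncryption
     */
    public function __construct(DataEncryption $dataEncryption)
    {
        $this->dataEncryption = $dataEncryption;
    }

    /**
     * Renders the notice if any credential field in the option is stale.
     *
     * The partial is included inside this method, so it runs in this scope and can
     * read $optionName, $credentialKeys and $label.
     * NOTE(review): the partial is not visible from this file; confirm it escapes
     * $label before output.
     *
     * @param string          $optionName     wp_options key to read
     * @param string|string[] $credentialKeys Field(s) inside the option to check
     * @param string          $label          Name displayed in the notice (e.g. "Amazon S3");
     *                                        used in the view, don't remove it
     * @return void
     */
    public function renderEncryptedNotice(string $optionName, $credentialKeys, string $label)
    {
        if (!$this->hasStaleCredential($optionName, $credentialKeys)) {
            return;
        }

        require WPSTG_VIEWS_DIR . '_main/partials/encrypted-notice.php';
    }

    /**
     * Returns true if any of the given credential fields in the option cannot be decrypted.
     *
     * Returns false when the option is missing, empty or not an array. Fields that are
     * absent or do not hold a string are skipped.
     *
     * @param string          $optionName
     * @param string|string[] $credentialKeys
     * @return bool
     */
    private function hasStaleCredential(string $optionName, $credentialKeys): bool
    {
        $option = get_option($optionName, []);
        if (empty($option) || !is_array($option)) {
            return false;
        }

        // A single key is accepted as well as a list of keys.
        foreach ((array)$credentialKeys as $key) {
            $value = $option[$key] ?? '';

            // isStale() only accepts strings. A field holding an array or object would
            // raise a TypeError while the admin page renders, so such fields are skipped.
            if (!is_string($value)) {
                continue;
            }

            if ($this->isStale($value)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Returns true if the value is encrypted but can no longer be decrypted.
     *
     * Only a boolean leaves this method; the credential itself is never returned.
     *
     * @param string $value
     * @return bool
     */
    private function isStale(string $value): bool
    {
        // Nothing to check
        if (empty($value)) {
            return false;
        }

        // Plain-text values are never stale
        if (!$this->dataEncryption->isEncrypted($value)) {
            return false;
        }

        // Both sslDecrypt and base64Decrypt return the input unchanged on failure,
        // so equality means the key is gone/changed and the credential can't be recovered.
        // This check depends on that contract: if decrypt() signalled failure any other way
        // (false, empty string, exception), the comparison would not report the value as stale.
        return $this->dataEncryption->decrypt($value) === $value;
    }
}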
82