Merge pull request #7 from crowdsecurity/security-pass

security pass

Author: mobula9

inc/admin/advanced-settings.php

@@ -27,7 +27,7 @@ function adminAdvancedSettings()
     <p>With the stream mode, every decision is retrieved in an asynchronous way. 3 advantages: <br>&nbsp;1) Inivisible latency when loading pages<br>&nbsp;2) The IP verifications works even if your CrowdSec is not reachable.<br>&nbsp;3) The API can never be overloaded by the WordPress traffic</p>
     <p>Note: This method has one limit: all the decisions updates since the previous resync will not be taken in account until the next resync.</p>'.
         (get_option('crowdsec_stream_mode') ?
-            '<p><input id="crowdsec_refresh_cache" style="margin-right:10px" type="button" value="Refresh the cache now" class="button button-secondary button-small" onclick="document.getElementById(\'crowdsec_ation_refresh_cache\').submit();"></p>' :
+            '<p><input id="crowdsec_refresh_cache" style="margin-right:10px" type="button" value="Refresh the cache now" class="button button-secondary button-small" onclick="document.getElementById(\'crowdsec_action_refresh_cache\').submit();"></p>' :
             '<p><input id="crowdsec_refresh_cache" style="margin-right:10px" type="button" disabled="disabled" value="Refresh the cache now" class="button button-secondary button-small"></p>'));
 
     // Field "crowdsec_stream_mode_refresh_frequency"
@@ -61,7 +61,7 @@ function adminAdvancedSettings()
      ** Section "Cache" **
      ********************/
 
-    add_settings_section('crowdsec_admin_advanced_cache', 'Caching configuration <input id="crowdsec_clear_cache" style="margin-left: 7px;margin-top: -3px;" type="button" value="Clear now" class="button button-secondary button-small" onclick="if (confirm(\'Are you sure you want to completely clear the cache?\')) document.getElementById(\'crowdsec_ation_clear_cache\').submit();">', function () {
+    add_settings_section('crowdsec_admin_advanced_cache', 'Caching configuration <input id="crowdsec_clear_cache" style="margin-left: 7px;margin-top: -3px;" type="button" value="Clear now" class="button button-secondary button-small" onclick="if (confirm(\'Are you sure you want to completely clear the cache?\')) document.getElementById(\'crowdsec_action_clear_cache\').submit();">', function () {
         ?>
         <p>Polish the decisions cache settings by selecting the best technology or the cache durations best suited to your use.</p>
 <?php
@@ -141,7 +141,7 @@ function adminAdvancedSettings()
 
         return $input;
     }, ((CROWDSEC_CACHE_SYSTEM_PHPFS === get_option('crowdsec_cache_system')) ?
-        '<input style="margin-right:10px" type="button" id="crowdsec_prune_cache" value="Prune now" class="button button-secondary" onclick="document.getElementById(\'crowdsec_ation_prune_cache\').submit();">' : '').
+        '<input style="margin-right:10px" type="button" id="crowdsec_prune_cache" value="Prune now" class="button button-secondary" onclick="document.getElementById(\'crowdsec_action_prune_cache\').submit();">' : '').
         '<p>The File system cache is faster than calling LAPI. Redis or Memcached is faster than the File System cache.</p>', [
         CROWDSEC_CACHE_SYSTEM_PHPFS => 'File system',
         CROWDSEC_CACHE_SYSTEM_REDIS => 'Redis',

inc/admin/init.php

@@ -90,17 +90,29 @@ function pruneBouncerCacheInAdminPage()
     }
 
     // ACTIONS
-    add_action('admin_post_clear_cache', function () {
+    add_action('admin_post_crowdsec_clear_cache', function () {
+        if (
+            !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'crowdsec_clear_cache')) {
+            die('This link expired.');
+        }
         clearBouncerCacheInAdminPage();
         header("Location: {$_SERVER['HTTP_REFERER']}");
         exit(0);
     });
-    add_action('admin_post_refresh_cache', function () {
+    add_action('admin_post_crowdsec_refresh_cache', function () {
+        if (
+            !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'crowdsec_refresh_cache')) {
+            die('This link expired.');
+        }
         refreshBouncerCacheInAdminPage();
         header("Location: {$_SERVER['HTTP_REFERER']}");
         exit(0);
     });
-    add_action('admin_post_prune_cache', function () {
+    add_action('admin_post_crowdsec_prune_cache', function () {
+        if (
+            !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'crowdsec_prune_cache')) {
+            die('This link expired.');
+        }
         pruneBouncerCacheInAdminPage();
         header("Location: {$_SERVER['HTTP_REFERER']}");
         exit(0);

inc/scheduling.php

@@ -34,7 +34,6 @@ function crowdSecRefreshBlocklist()
 
 // Create the hook that the schedule will call
 add_action(CROWDSEC_REFRESH_BLOCKLIST_CRON_HOOK, 'crowdSecRefreshBlocklist');
-//echo '<pre>'; print_r( _get_cron_array() ); echo '</pre>';die;
 
 function unscheduleBlocklistRefresh()
 {

inc/templates/advanced-settings.php

@@ -42,14 +42,17 @@ function updateDsnDisplay () {
 		</form>
 
 		<br/>
-		<form action="<?php echo admin_url('admin-post.php'); ?>" method="post" id="crowdsec_ation_clear_cache">
-			<input type="hidden" name="action" value="clear_cache">
+		<form action="<?php echo admin_url('admin-post.php'); ?>" method="post" id="crowdsec_action_clear_cache">
+			<input type="hidden" name="action" value="crowdsec_clear_cache">
+			<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('crowdsec_clear_cache'); ?>">
 		</form>
-		<form action="<?php echo admin_url('admin-post.php'); ?>" method="post" id="crowdsec_ation_refresh_cache">
-			<input type="hidden" name="action" value="refresh_cache">
+		<form action="<?php echo admin_url('admin-post.php'); ?>" method="post" id="crowdsec_action_refresh_cache">
+			<input type="hidden" name="action" value="crowdsec_refresh_cache">
+			<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('crowdsec_refresh_cache'); ?>">
 		</form>
-		<form action="<?php echo admin_url('admin-post.php'); ?>" method="post" id="crowdsec_ation_prune_cache">
-			<input type="hidden" name="action" value="prune_cache">
+		<form action="<?php echo admin_url('admin-post.php'); ?>" method="post" id="crowdsec_action_prune_cache">
+			<input type="hidden" name="action" value="crowdsec_prune_cache">
+			<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('crowdsec_prune_cache'); ?>">
 		</form>
 		</div>
 	</div>

scripts/publish-release.sh

@@ -32,8 +32,8 @@ fi
 git add $git_base_dir/inc/constants.php
 git add $git_base_dir/crowdsec.php
 
-git tag v$NEW_GIT_VERSION_WITHOUT_V_PREFIX
 git commit -m "bump version to v$NEW_GIT_VERSION_WITHOUT_V_PREFIX"
+git tag v$NEW_GIT_VERSION_WITHOUT_V_PREFIX
 git push
 git push origin v$NEW_GIT_VERSION_WITHOUT_V_PREFIX
 gh release create --draft v$NEW_GIT_VERSION_WITHOUT_V_PREFIX --title v$NEW_GIT_VERSION_WITHOUT_V_PREFIX

tests-local.sh

@@ -20,6 +20,7 @@ done
 
 
 # Run tests
+rm -rf ./tests/functional/screenshots
 WORDPRESS_VERSION=$WORDPRESS_VERSION WATCHER_LOGIN=$WATCHER_LOGIN WATCHER_PASSWORD=$WATCHER_PASSWORD \
 LAPI_URL_FROM_CONTAINERS='http://crowdsec:8080' LAPI_URL_FROM_HOST='http://localhost:8080' \
 yarn --cwd ./tests/functional test \