Merge pull request #988 from cloudinary/feature/filterable-urls

pereirinha · web-flow · commit 2b2e773a92dd · 2024-10-21T17:22:37.000+01:00
Wrap `rest_url`, `site_url` and `home_url` so that we can filter these securely
diff --git a/php/cache/class-file-system.php b/php/cache/class-file-system.php
@@ -8,6 +8,7 @@
 namespace Cloudinary\Cache;
 
 use Cloudinary\Plugin;
+use Cloudinary\Utils;
 
 /**
  * Class File System.
@@ -62,7 +63,7 @@ protected function setup_paths() {
 			content_url()        => $this->wp_file_system->wp_content_dir(),
 			admin_url()          => $this->wp_file_system->abspath() . 'wp-admin/',
 			includes_url()       => $this->wp_file_system->abspath() . 'wp-includes/',
-			home_url()           => $this->wp_file_system->abspath(),
+			Utils::home_url()    => $this->wp_file_system->abspath(),
 		);
 		foreach ( $paths as $url => $path ) {
 			$this->paths[ trailingslashit( $url ) ] = trailingslashit( $path );
diff --git a/php/class-assets.php b/php/class-assets.php
@@ -433,19 +433,7 @@ public function activate_parent( $url ) {
 	 * @return string
 	 */
 	public function clean_path( $path ) {
-		/**
-		 * Filter the home url.
-		 *
-		 * @hook cloudinary_home_url
-		 * @since 3.2.0
-		 *
-		 * @param $home_url {string} The home url.
-		 *
-		 * @return {string}
-		 */
-		$home_url = apply_filters( 'cloudinary_home_url', home_url() );
-
-		$home = Utils::clean_url( trailingslashit( $home_url ) );
+		$home = Utils::clean_url( trailingslashit( Utils::home_url() ) );
 		$path = str_replace( $home, '', Utils::clean_url( $path ) );
 		if ( empty( Utils::pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
 			$path = urldecode( trailingslashit( $path ) );
@@ -629,7 +617,7 @@ public function get_asset_storage_folder( $url_id ) {
 			$url_id = $this->media->local_url( $url_id );
 		}
 		$url    = $this->clean_path( $url_id );
-		$domain = wp_parse_url( home_url(), PHP_URL_HOST );
+		$domain = wp_parse_url( Utils::home_url(), PHP_URL_HOST );
 		$folder = wp_normalize_path( dirname( trim( $url, './' ) ) );
 		if ( ! empty( $domain ) ) {
 			$folder = path_join( $domain, $folder );
@@ -1101,8 +1089,8 @@ protected function create_asset( $url, $parent_id ) {
 		require_once ABSPATH . 'wp-admin/includes/image.php';
 		require_once ABSPATH . 'wp-admin/includes/media.php';
 
-		$full_url  = urldecode( home_url() . wp_parse_url( $url, PHP_URL_PATH ) );
-		$file_path = urldecode( str_replace( home_url(), untrailingslashit( ABSPATH ), $full_url ) );
+		$full_url  = urldecode( Utils::home_url() . wp_parse_url( $url, PHP_URL_PATH ) );
+		$file_path = urldecode( str_replace( Utils::home_url(), untrailingslashit( ABSPATH ), $full_url ) );
 		if ( ! file_exists( $file_path ) ) {
 			return false;
 		}
diff --git a/php/class-cache.php b/php/class-cache.php
@@ -102,7 +102,7 @@ public function __construct( Plugin $plugin ) {
 		parent::__construct( $plugin );
 		$this->file_system = new File_System( $plugin );
 		if ( $this->file_system->enabled() ) {
-			$this->cache_folder = wp_parse_url( get_site_url(), PHP_URL_HOST );
+			$this->cache_folder = wp_parse_url( Utils::site_url(), PHP_URL_HOST );
 			$this->media        = $this->plugin->get_component( 'media' );
 			$this->connect      = $this->plugin->get_component( 'connect' );
 			$this->api          = $this->plugin->get_component( 'api' );
@@ -239,7 +239,7 @@ protected function register_hooks() {
 	 * @return array
 	 */
 	public function prevent_caching_internal_requests( $args, $url ) {
-		$home    = strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) );
+		$home    = strtolower( wp_parse_url( Utils::home_url(), PHP_URL_HOST ) );
 		$request = strtolower( wp_parse_url( $url, PHP_URL_HOST ) );
 		if ( $home === $request ) {
 			$args['headers']['x-cld-cache'] = time();
diff --git a/php/class-connect.php b/php/class-connect.php
@@ -215,7 +215,7 @@ public function rest_save_wizard( WP_REST_Request $request ) {
 		if ( ! empty( $url ) ) {
 			// Warm the last uploaded items in the media library.
 			wp_safe_remote_request(
-				rest_url( 'wp/v2/media' ),
+				Utils::rest_url( 'wp/v2/media' ),
 				array(
 					'timeout'  => 0.1,
 					'blocking' => false,
@@ -1023,7 +1023,7 @@ public static function test_rest_api_connectivity() {
 			),
 		);
 
-		$url      = rest_url( REST_API::BASE . '/test_rest_api' );
+		$url      = Utils::rest_url( REST_API::BASE . '/test_rest_api' );
 		$response = wp_safe_remote_get( $url, $args );
 
 		if ( is_wp_error( $response ) ) {
diff --git a/php/class-deactivation.php b/php/class-deactivation.php
@@ -334,7 +334,7 @@ public function enqueue_scripts() {
 			'cloudinary-deactivation',
 			'CLD_Deactivate',
 			array(
-				'endpoint' => rest_url( REST_API::BASE . '/' . self::$internal_endpoint ),
+				'endpoint' => Utils::rest_url( REST_API::BASE . '/' . self::$internal_endpoint ),
 				'nonce'    => wp_create_nonce( 'wp_rest' ),
 			)
 		);
diff --git a/php/class-delivery.php b/php/class-delivery.php
@@ -1589,7 +1589,7 @@ protected function is_allowed_type( $ext ) {
 	public function validate_url( $url ) {
 		static $home;
 		if ( ! $home ) {
-			$home = wp_parse_url( home_url( '/' ) );
+			$home = wp_parse_url( Utils::home_url( '/' ) );
 		}
 		$parts = wp_parse_url( $url );
 		if ( empty( $parts['host'] ) ) {
diff --git a/php/class-extensions.php b/php/class-extensions.php
@@ -249,7 +249,7 @@ public function register_extensions() {
 	 */
 	public function setup() {
 		$data = array(
-			'url'   => rest_url( REST_API::BASE . '/extension' ),
+			'url'   => Utils::rest_url( REST_API::BASE . '/extension' ),
 			'nonce' => wp_create_nonce( 'wp_rest' ),
 		);
 		foreach ( $this->settings->get_settings() as $setting ) {
diff --git a/php/class-media-library.php b/php/class-media-library.php
@@ -81,7 +81,7 @@ public function enqueue_assets() {
 		wp_enqueue_script( 'cloudinary' );
 
 		$params = array(
-			'fetch_url' => rest_url( REST_API::BASE . '/asset' ),
+			'fetch_url' => Utils::rest_url( REST_API::BASE . '/asset' ),
 			'nonce'     => wp_create_nonce( 'wp_rest' ),
 		);
 
diff --git a/php/class-media.php b/php/class-media.php
@@ -329,14 +329,14 @@ public function is_media( $attachment_id ) {
 	 * @return bool
 	 */
 	public function is_local_media( $attachment_id ) {
-		$local_host = wp_parse_url( get_site_url(), PHP_URL_HOST );
+		$local_host = wp_parse_url( Utils::site_url(), PHP_URL_HOST );
 		$guid       = get_the_guid( $attachment_id );
 
 		// Maybe GUID is a path.
 		if ( ! filter_var( $guid, FILTER_VALIDATE_URL ) ) {
-			$url = home_url( $guid );
+			$url = Utils::home_url( $guid );
 			if ( $this->maybe_file_exist_in_url( $url ) ) {
-				$guid = home_url( $guid );
+				$guid = Utils::home_url( $guid );
 			}
 		}
 
@@ -2269,7 +2269,7 @@ public function down_sync_asset() {
 			$asset = $this->get_asset_payload();
 			// Set a base array for pulling an asset if needed.
 			$base_return = array(
-				'fetch'         => rest_url( REST_API::BASE . '/asset' ),
+				'fetch'         => Utils::rest_url( REST_API::BASE . '/asset' ),
 				'uploading'     => true,
 				'src'           => $asset['src'],
 				'url'           => $asset['url'],
diff --git a/php/class-rest-api.php b/php/class-rest-api.php
@@ -79,7 +79,7 @@ public static function rest_can_connect() {
 	 */
 	public function background_request( $endpoint, $params = array(), $method = 'POST' ) {
 
-		$url = rest_url( static::BASE . '/' . $endpoint );
+		$url = Utils::rest_url( static::BASE . '/' . $endpoint );
 		// Setup a call for a background sync.
 		$params['nonce'] = wp_create_nonce( 'wp_rest' );
 		$args            = array(
diff --git a/php/class-sync.php b/php/class-sync.php
@@ -144,7 +144,7 @@ public function __construct( Plugin $plugin ) {
 	public function enqueue_assets() {
 		if ( $this->plugin->settings->get_param( 'connected' ) ) {
 			$data = array(
-				'restUrl' => esc_url_raw( rest_url() ),
+				'restUrl' => esc_url_raw( Utils::rest_url() ),
 				'nonce'   => wp_create_nonce( 'wp_rest' ),
 			);
 			wp_add_inline_script( 'cloudinary', 'var cloudinaryApi = ' . wp_json_encode( $data ), 'before' );
diff --git a/php/class-utils.php b/php/class-utils.php
@@ -570,7 +570,7 @@ public static function is_rest_api() {
 		}
 		if ( ! $is ) {
 			// Fallback if rest engine is not setup yet.
-			$rest_base   = wp_parse_url( rest_url( '/' ), PHP_URL_PATH );
+			$rest_base   = wp_parse_url( static::rest_url( '/' ), PHP_URL_PATH );
 			$request_uri = filter_input( INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_URL );
 			$is          = strpos( $request_uri, $rest_base ) === 0;
 		}
@@ -1181,4 +1181,90 @@ public static function get_media_context( $attachment_id = null ) {
 
 		return sanitize_key( $context );
 	}
+
+	/**
+	 * Get the home URL.
+	 *
+	 * @param string $path   The path to be appended to the home URL.
+	 * @param string $scheme The scheme to give the home URL context. Accepts 'http', 'https', or 'relative'.
+	 *
+	 * @return string
+	 */
+	public static function home_url( $path = '', $scheme = null ) {
+		$blog_id = null;
+		if ( is_multisite() ) {
+			$blog_id = get_current_blog_id();
+		}
+		$home_url = get_home_url( $blog_id, $path, $scheme );
+
+		/**
+		 * Filter the home url.
+		 *
+		 * @hook cloudinary_home_url
+		 * @since 3.2.0
+		 *
+		 * @param $home_url {string} The home url.
+		 * @param $path     {string} The path to be appended to the home URL.
+		 * @param $scheme   {string} The scheme to give the home URL context. Accepts 'http', 'https', or 'relative'.
+		 *
+		 * @return {string}
+		 */
+		return apply_filters( 'cloudinary_home_url', $home_url, $path, $scheme );
+	}
+
+	/**
+	 * Get the site URL.
+	 *
+	 * @param string $path   The path to be appended to the site URL.
+	 * @param string $scheme The scheme to give the site URL context. Accepts 'http', 'https', or 'relative'.
+	 *
+	 * @return string
+	 */
+	public static function site_url( $path = '', $scheme = null ) {
+		$blog_id = null;
+		if ( is_multisite() ) {
+			$blog_id = get_current_blog_id();
+		}
+		$site_url = get_site_url( $blog_id, $path, $scheme );
+
+		/**
+		 * Filter the site URL.
+		 *
+		 * @hook cloudinary_site_url
+		 * @since 3.2.2
+		 *
+		 * @param $site_url {string} The site URL.
+		 * @param $path     {string} The path to be appended to the site URL.
+		 * @param $scheme   {string} The scheme to give the site URL context. Accepts 'http', 'https', or 'relative'.
+		 *
+		 * @return {string}
+		 */
+		return apply_filters( 'cloudinary_site_url', $site_url, $path, $scheme );
+	}
+
+	/**
+	 * Get the rest URL.
+	 *
+	 * @param string $path   The path to be appended to the rest URL.
+	 * @param string $scheme The scheme to give the rest URL context. Accepts 'http', 'https', or 'relative'.
+	 *
+	 * @return string
+	 */
+	public static function rest_url( $path = '', $scheme = null ) {
+		$rest_url = rest_url( $path, $scheme );
+
+		/**
+		 * Filter the rest url.
+		 *
+		 * @hook cloudinary_rest_url
+		 * @since 3.2.2
+		 *
+		 * @param $rest_url {string} The rest url.
+		 * @param $path     {string} The path to be appended to the rest URL.
+		 * @param $scheme   {string} The scheme to give the rest URL context. Accepts 'http', 'https', or 'relative'.
+		 *
+		 * @return {string}
+		 */
+		return apply_filters( 'cloudinary_rest_url', $rest_url, $path, $scheme );
+	}
 }
diff --git a/php/connect/class-api.php b/php/connect/class-api.php
@@ -984,7 +984,7 @@ protected static function get_hostname( $upload_prefix ) {
 	private function call( $url, $args = array(), $method = 'get' ) {
 		$args['method']             = strtoupper( $method );
 		$args['user-agent']         = 'WordPress/' . get_bloginfo( 'version' ) . '; ' . get_bloginfo( 'url' ) . ' (' . $this->plugin_version . ')';
-		$args['headers']['referer'] = get_site_url();
+		$args['headers']['referer'] = Utils::site_url();
 		if ( 'GET' === $args['method'] ) {
 			$url = 'https://' . $this->credentials['api_key'] . ':' . $this->credentials['api_secret'] . '@' . $url;
 		} else {
diff --git a/php/delivery/class-lazy-load.php b/php/delivery/class-lazy-load.php
@@ -327,7 +327,7 @@ public function add_features( $tag_element ) {
 			$loader = 'null;';
 			if ( ! $has_loader && Utils::is_frontend_ajax() ) {
 				$has_loader = true;
-				$url        = add_query_arg( 'cloudinary_lazy_load_loader', true, trailingslashit( home_url() ) );
+				$url        = add_query_arg( 'cloudinary_lazy_load_loader', true, trailingslashit( Utils::home_url() ) );
 				$loader     = 'document.body.appendChild(document.createElement(\'script\')).src=\'' . $url . '\';this.onload=null;';
 			}
 			// Since we're appending to the onload, check it isn't already in, as it may run twice i.e full page caching.
diff --git a/php/ui/class-state.php b/php/ui/class-state.php
@@ -11,6 +11,7 @@
 use Cloudinary\REST_API;
 use Cloudinary\Settings;
 use Cloudinary\UI;
+use Cloudinary\Utils;
 use function Cloudinary\get_plugin_instance;
 
 /**
@@ -75,7 +76,7 @@ public function __construct( Plugin $plugin ) {
 	 * Setup the state.
 	 */
 	public function setup_state() {
-		$url = rest_url( REST_API::BASE . '/ui-state' );
+		$url = Utils::rest_url( REST_API::BASE . '/ui-state' );
 		$this->plugin->add_script_data( 'stateURL', $url );
 		$this->plugin->add_script_data( 'stateNonce', $this->nonce );
 		$this->state = get_user_meta( $this->user_id, self::STATE_KEY, true );
diff --git a/php/ui/component/class-asset.php b/php/ui/component/class-asset.php
@@ -10,6 +10,7 @@
 use Cloudinary\REST_API;
 use Cloudinary\Assets;
 use Cloudinary\UI\Component;
+use Cloudinary\Utils;
 use function Cloudinary\get_plugin_instance;
 use Cloudinary\Settings\Setting;
 
@@ -262,11 +263,11 @@ public function enqueue_scripts() {
 	protected function pre_render() {
 		$plugin = get_plugin_instance();
 		$export = array(
-			'update_url' => rest_url( REST_API::BASE . '/disable_cache_items' ),
-			'fetch_url'  => rest_url( REST_API::BASE . '/show_cache' ),
-			'purge_url'  => rest_url( REST_API::BASE . '/purge_cache' ),
-			'purge_all'  => rest_url( REST_API::BASE . '/purge_all' ),
-			'save_url'   => rest_url( REST_API::BASE . '/save_asset' ),
+			'update_url' => Utils::rest_url( REST_API::BASE . '/disable_cache_items' ),
+			'fetch_url'  => Utils::rest_url( REST_API::BASE . '/show_cache' ),
+			'purge_url'  => Utils::rest_url( REST_API::BASE . '/purge_cache' ),
+			'purge_all'  => Utils::rest_url( REST_API::BASE . '/purge_all' ),
+			'save_url'   => Utils::rest_url( REST_API::BASE . '/save_asset' ),
 			'nonce'      => wp_create_nonce( 'wp_rest' ),
 		);
 		wp_add_inline_script( 'cloudinary', 'var CLDASSETS = ' . wp_json_encode( $export ), 'before' );
diff --git a/php/ui/component/class-notice.php b/php/ui/component/class-notice.php
@@ -115,7 +115,7 @@ public function render( $echo = false ) {
 		// Output notice endpoint data only if a dismissible notice has been shown.
 		if ( $this->setting->get_option_parent()->has_param( 'dismissible_notice' ) && ! $this->setting->get_option_parent()->has_param( 'notice_scripts' ) ) {
 			$args = array(
-				'url'   => rest_url( REST_API::BASE . '/dismiss_notice' ),
+				'url'   => Utils::rest_url( REST_API::BASE . '/dismiss_notice' ),
 				'nonce' => wp_create_nonce( 'wp_rest' ),
 			);
 			wp_add_inline_script( 'cloudinary', 'var CLDIS = ' . wp_json_encode( $args ), 'before' );
diff --git a/php/ui/component/class-progress-sync.php b/php/ui/component/class-progress-sync.php
@@ -8,6 +8,7 @@
 namespace Cloudinary\UI\Component;
 
 use Cloudinary\REST_API;
+use Cloudinary\Utils;
 
 /**
  * Ring Component to render components only.
@@ -33,7 +34,7 @@ class Progress_Sync extends Progress_Ring {
 	protected function wrap( $struct ) {
 		$struct = parent::wrap( $struct );
 		if ( true === $this->setting->get_param( 'poll' ) ) {
-			$struct['attributes']['data-url']  = rest_url( REST_API::BASE . '/stats' );
+			$struct['attributes']['data-url']  = Utils::rest_url( REST_API::BASE . '/stats' );
 			$struct['attributes']['data-poll'] = true;
 		}
 
diff --git a/ui-definitions/components/wizard.php b/ui-definitions/components/wizard.php
@@ -26,8 +26,8 @@
 
 // Export settings.
 $export_data = array(
-	'testURL'   => rest_url( REST_API::BASE . '/test_connection' ),
-	'saveURL'   => rest_url( REST_API::BASE . '/save_wizard' ),
+	'testURL'   => Utils::rest_url( REST_API::BASE . '/test_connection' ),
+	'saveURL'   => Utils::rest_url( REST_API::BASE . '/save_wizard' ),
 	'saveNonce' => wp_create_nonce( 'wp_rest' ),
 	'config'    => array(
 		'tab'          => $current_tab,

Original file line number	Diff line number	Diff line change
`@@ -334,7 +334,7 @@ public function enqueue_scripts() {`
`334`	`334`	`'cloudinary-deactivation',`
`335`	`335`	`'CLD_Deactivate',`
`336`	`336`	`array(`
`337`		`- 'endpoint' => rest_url( REST_API::BASE . '/' . self::$internal_endpoint ),`
	`337`	`+ 'endpoint' => Utils::rest_url( REST_API::BASE . '/' . self::$internal_endpoint ),`
`338`	`338`	`'nonce' => wp_create_nonce( 'wp_rest' ),`
`339`	`339`	`)`
`340`	`340`	`);`
Original file line number	Diff line number	Diff line change
`@@ -1589,7 +1589,7 @@ protected function is_allowed_type( $ext ) {`
`1589`	`1589`	`public function validate_url( $url ) {`
`1590`	`1590`	`static $home;`
`1591`	`1591`	`if ( ! $home ) {`
`1592`		`- $home = wp_parse_url( home_url( '/' ) );`
	`1592`	`+ $home = wp_parse_url( Utils::home_url( '/' ) );`
`1593`	`1593`	`}`
`1594`	`1594`	`$parts = wp_parse_url( $url );`
`1595`	`1595`	`if ( empty( $parts['host'] ) ) {`