[1813] Fix errors when URL parameters like "filter[status]" aren't st…

…rings (#1814) * Fix errors when URL parameter "filter[status]" isn't a string * Fallback to empty string instead of the default statuses * Revert sanitization of $filters[status] * Sanitize gp_get() for new glossary translation_set_id string * Sanitize gp_get( 'parent_project_id' ) parameter type on new project * Sanitze URL get 'project_id' on new translation_set * Sanitize gp_get() parameters 'page', 'sort' and 'filters'. * Check int types * Check numeric IDs in gp_get with is_numeric()
GlotPress · Mar 27, 2024 · b100e73 · b100e73
1 parent 4a9aed0
commit b100e73
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 9 deletions.
diff --git a/gp-includes/routes/glossary.php b/gp-includes/routes/glossary.php
@@ -15,8 +15,19 @@
 class GP_Route_Glossary extends GP_Route_Main {
 
 	public function new_get() {
-		$glossary                     = new GP_Glossary();
-		$glossary->translation_set_id = gp_get( 'translation_set_id' );
+		$glossary = new GP_Glossary();
+
+		$translation_set_id = gp_get( 'translation_set_id' );
+
+		// Make sure 'translation_set_id' is a numeric string and convert to int ID. Defaults to null.
+		$translation_set_id = is_numeric( $translation_set_id ) ? intval( $translation_set_id ) : null;
+
+		if ( is_null( $translation_set_id ) ) {
+			$this->redirect_with_error( __( 'Couldn&#8217;t find translation set with this ID.', 'glotpress' ) );
+			return;
+		}
+
+		$glossary->translation_set_id = $translation_set_id;
 
 		$translation_set = $glossary->translation_set_id ? GP::$translation_set->get( $glossary->translation_set_id ) : null;
 

diff --git a/gp-includes/routes/project.php b/gp-includes/routes/project.php
@@ -288,9 +288,13 @@ public function delete_get( $project_path ) {
 
 
 	public function new_get() {
-		$project                    = new GP_Project();
-		$project->active            = 1;
-		$project->parent_project_id = gp_get( 'parent_project_id', null );
+		$project         = new GP_Project();
+		$project->active = 1;
+
+		$parent_project_id = gp_get( 'parent_project_id' );
+
+		// Make sure 'parent_project_id' is a numeric string and convert to int ID. Defaults to null.
+		$project->parent_project_id = is_numeric( $parent_project_id ) ? intval( $parent_project_id ) : null;
 
 		if ( $this->cannot_and_redirect( 'write', 'project', $project->parent_project_id ) ) {
 			return;

diff --git a/gp-includes/routes/translation-set.php b/gp-includes/routes/translation-set.php
@@ -14,9 +14,13 @@
  */
 class GP_Route_Translation_Set extends GP_Route_Main {
 	public function new_get() {
-		$set             = new GP_Translation_Set();
-		$set->project_id = gp_get( 'project_id' );
-		$project         = $set->project_id ? GP::$project->get( $set->project_id ) : null;
+		$set        = new GP_Translation_Set();
+		$project_id = gp_get( 'project_id' );
+
+		// Make sure 'project_id' is a numeric string and convert to int ID. Defaults to null.
+		$set->project_id = is_numeric( $project_id ) ? intval( $project_id ) : null;
+
+		$project = $set->project_id ? GP::$project->get( $set->project_id ) : null;
 		if ( $this->cannot_edit_set_and_redirect( $set ) ) {
 			return;
 		}

diff --git a/gp-includes/routes/translation.php b/gp-includes/routes/translation.php
@@ -161,7 +161,10 @@ public function export_translations_get( $project_path, $locale_slug, $translati
 		 */
 		$filename = apply_filters( 'gp_export_translations_filename', $filename, $format, $locale, $project, $translation_set );
 
-		$entries = GP::$translation->for_export( $project, $translation_set, gp_get( 'filters' ) );
+		$filters = gp_get( 'filters', array() );
+		$filters = array_filter( $filters, 'is_scalar' );
+
+		$entries = GP::$translation->for_export( $project, $translation_set, $filters );
 
 		if ( gp_has_translation_been_updated( $translation_set ) ) {
 			$last_modified = gmdate( 'D, d M Y H:i:s', gp_gmt_strtotime( GP::$translation->last_modified( $translation_set ) ) ) . ' GMT';
@@ -192,8 +195,11 @@ public function translations_get( $project_path, $locale_slug, $translation_set_
 		$glossary = $this->get_extended_glossary( $translation_set, $project );
 
 		$page    = gp_get( 'page', 1 );
+		$page    = is_numeric( $page ) ? intval( $page ) : 1;
 		$filters = gp_get( 'filters', array() );
+		$filters = array_filter( $filters, 'is_scalar' );
 		$sort    = gp_get( 'sort', array() );
+		$sort    = array_filter( $sort, 'is_scalar' );
 
 		if ( is_array( $sort ) && 'random' === gp_array_get( $sort, 'by' ) ) {
 			add_filter( 'gp_pagination', '__return_null' );