Merge pull request #54 from motopress/fix/instagram-token-nonce

1.7.5

getwid.php

@@ -3,7 +3,7 @@
  * Plugin Name: Getwid
  * Plugin URI: https://motopress.com/products/getwid/
  * Description: Extra Gutenberg blocks for building seamless and aesthetic websites in the WordPress block editor.
- * Version: 1.7.4
+ * Version: 1.7.5
  * Author: MotoPress
  * Author URI: https://motopress.com/
  * License: GPLv2 or later

includes/blocks/instagram.php

@@ -53,8 +53,10 @@ public function getLabel() {
 	}
 
     public function get_instagram_token() {
+
+		check_ajax_referer( 'getwid_nonce_get_instagram_token', 'nonce' );
+
         $action = $_POST[ 'option' ];
-        $data   = $_POST[ 'data' ];
 
         $response = false;
         if ( $action == 'get' ) {

includes/scripts-manager.php

@@ -173,6 +173,10 @@ public function enqueueEditorAssets() {
 					],
 					'ajax_url' => admin_url( 'admin-ajax.php' ),
 					'options_general_url' => admin_url( 'options-general.php' ),
+					'get_instagram_token_url' => add_query_arg(
+						['nonce' => wp_create_nonce('getwid_nonce_save_instagram_token') ],
+						admin_url( 'options-general.php' )
+					),
 					'options_url' => [
 						'general' => getwid()->settingsPage()->getTabUrl('general'),
 						'appearance' => getwid()->settingsPage()->getTabUrl('appearance'),
@@ -181,7 +185,8 @@ public function enqueueEditorAssets() {
 					'nonces' => array(
 						'google_api_key' => wp_create_nonce( 'getwid_nonce_google_api_key' ),
 						'recaptcha_v2_contact_form' => wp_create_nonce( 'getwid_nonce_contact_form' ),
-						'mailchimp_api_key' => wp_create_nonce( 'getwid_nonce_mailchimp_api_key' )
+						'mailchimp_api_key' => wp_create_nonce( 'getwid_nonce_mailchimp_api_key' ),
+						'get_instagram_token' => wp_create_nonce( 'getwid_nonce_get_instagram_token' )
 					),
 					'acf_exist' => getwid_acf_is_active(),
 				]

includes/settings-page.php

@@ -120,22 +120,31 @@ public function checkInstagramQueryURL()
     {
         global $pagenow;
 
-        if ( $pagenow == 'options-general.php' && isset( $_GET['instagram-token'] ) ) {
-			if ( current_user_can( 'manage_options' ) ) {
+        if ( $pagenow == 'options-general.php' && isset( $_GET['instagram-token'] ) && isset( $_GET['nonce'] ) ) {
+
+			if ( wp_verify_nonce( $_GET['nonce'], 'getwid_nonce_save_instagram_token' ) && current_user_can( 'manage_options' ) ) {
+
 				// Update token
-				update_option( 'getwid_instagram_token', trim( $_GET['instagram-token'] ) );
+				update_option( 'getwid_instagram_token', sanitize_text_field( $_GET['instagram-token'] ) );
 				// Delete cache data
 				delete_transient( 'getwid_instagram_response_data' );
 				// Schedule token refresh
 				getwid()->instagramTokenManager()->schedule_token_refresh_event();
-			}
 
-			$redirect_url = add_query_arg(
-				[
-					'getwid-instagram-success' => true
-				],
-				$this->getTabUrl('general')
-			);
+				$redirect_url = add_query_arg(
+					[
+						'getwid-instagram-success' => true
+					],
+					$this->getTabUrl('general')
+				);
+			} else {
+				$redirect_url = add_query_arg(
+					[
+						'instagram-error' => true
+					],
+					$this->getTabUrl('general')
+				);
+			}
 
 			wp_redirect( $redirect_url );
         }
@@ -233,15 +242,27 @@ public function renderInstagramToken() {
 
         $field_val = get_option('getwid_instagram_token', '');
 
+		$connectURL = add_query_arg(
+			['nonce' => wp_create_nonce('getwid_nonce_save_instagram_token') ],
+			admin_url( 'options-general.php' )
+		);
+
+		$refreshURL = add_query_arg(
+			['nonce' => wp_create_nonce('getwid_nonce_save_instagram_token') ],
+			admin_url( 'options-general.php' )
+		);
+
         echo '<input type="text" id="getwid_instagram_token" name="getwid_instagram_token" class="regular-text" value="' . esc_attr( $field_val ) . '" />';
+
         echo '<p><a href="' . esc_url(
 			'https://api.instagram.com/oauth/authorize?client_id=910186402812397&redirect_uri=' .
 			'https://api.getmotopress.com/get_instagram_token.php&scope=user_profile,user_media&response_type=code&state=' .
-			admin_url( 'options-general.php' ) ) . '" class="button button-default">' . __( 'Connect Instagram Account', 'getwid' ) . '</a>';
+			$connectURL ) . '" class="button button-default">' . __( 'Connect Instagram Account', 'getwid' ) . '</a>';
+
 		if ( ! empty( $field_val) ) {
 			echo ' <a href="' . esc_url(
-				'https://api.getmotopress.com/refresh_instagram_token.php?access_token='.$field_val.'&state=' .
-				$this->getTabUrl('general') ) . '" class="button button-default">' . __( 'Refresh Access Token', 'getwid' ) . '</a>';
+				'https://api.getmotopress.com/refresh_instagram_token.php?access_token=' . $field_val . '&state=' .
+				$refreshURL ) . '" class="button button-default">' . __( 'Refresh Access Token', 'getwid' ) . '</a>';
 		}
 		echo '</p>';
     }

readme.txt

@@ -179,6 +179,9 @@ Getwid plugin is distributed under the terms of the GNU GPL.
 
 == Changelog ==
 
+= 1.7.5, Oct 1 2021 =
+* Security - added nonces to prevent CSRF.
+
 = 1.7.4, Jul 31 2021 =
 * Fixed an issue with YouTube video in the Section block.
 

src/blocks/instagram/edit.js

@@ -38,7 +38,7 @@ class Edit extends Component {
 
 		this.state = {
 			checkToken : false,
-			getTokenURL : 'https://api.instagram.com/oauth/authorize?client_id=910186402812397&redirect_uri=https://api.getmotopress.com/get_instagram_token.php&scope=user_profile,user_media&response_type=code&state='+Getwid.options_general_url
+			getTokenURL : 'https://api.instagram.com/oauth/authorize?client_id=910186402812397&redirect_uri=https://api.getmotopress.com/get_instagram_token.php&scope=user_profile,user_media&response_type=code&state='+Getwid.get_instagram_token_url
 		};
 	}
 
@@ -49,7 +49,8 @@ class Edit extends Component {
 		const data = {
 			'action': 'get_instagram_token',
 			'data': '',
-			'option': option
+			'option': option,
+			'nonce': Getwid.nonces.get_instagram_token
 		};
 
 		jQuery.post( Getwid.ajax_url, data, response => {