WordPress.org

Make WordPress Core


Ignore:
Timestamp:
10/24/2017 09:04:50 PM (2 years ago)
Author:
joehoyle
Message:

REST API: Don’t remove unregistered properties from objects in schema.

In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/rest-api/rest-schema-sanitization.php

    r41727 r42000  
    158158        $this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => 1 ), $schema ) );
    159159        $this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1' ), $schema ) );
     160        $this->assertEquals( array( 'a' => 1, 'b' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1', 'b' => 1 ), $schema ) );
     161    }
     162
     163    public function test_type_object_strips_additional_properties() {
     164        $schema = array(
     165            'type'       => 'object',
     166            'properties' => array(
     167                'a' => array(
     168                    'type' => 'number',
     169                ),
     170            ),
     171            'additionalProperties' => false,
     172        );
     173        $this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => 1 ), $schema ) );
     174        $this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1' ), $schema ) );
     175        $this->assertEquals( array( 'a' => 1 ), rest_sanitize_value_from_schema( array( 'a' => '1', 'b' => 1 ), $schema ) );
    160176    }
    161177
     
    196212                    'b' => 1,
    197213                    'c' => 3,
    198                 ),
     214                    'd' => '1',
     215                ),
     216                'b' => 1,
    199217            ),
    200218            rest_sanitize_value_from_schema(
Note: See TracChangeset for help on using the changeset viewer.