Context Navigation

← Previous Changeset
Next Changeset →

Changeset 61795

Timestamp:

03/03/2026 02:00:40 PM (5 weeks ago)

Author:

gziolo

Message:

AI: Sync Ability_Function_Resolver API enhancement to harden security

Make WP_AI_Client_Ability_Function_Resolver non-static and require specifying the allowed abilities list in the constructor. This hardens security by ensuring that only explicitly specified abilities can be executed, preventing potential vulnerabilities such as prompt injection from triggering arbitrary abilities.

The constructor accepts either WP_Ability objects or ability name strings. If an ability is not in the allowed list, an error response with code ability_not_allowed is returned.

Developed in https://github.com/WordPress/wordpress-develop/pull/11103.
Upstream: https://github.com/WordPress/wp-ai-client/pull/61.

Props felixarntz, gziolo, JasonTheAdams, dkotter, johnbillion.
Fixes #64769.

Location:

trunk

Files:

: 2 edited

src/wp-includes/ai-client/class-wp-ai-client-ability-function-resolver.php (modified) (9 diffs)
tests/phpunit/tests/ai-client/wpAiClientAbilityFunctionResolver.php (modified) (49 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-includes/ai-client/class-wp-ai-client-ability-function-resolver.php

-                      r61700
+                      r61795
  * Resolves and executes WordPress Abilities API function calls from AI models.
+ *
+ * This class must be instantiated with the specific abilities that the AI model
+ * is allowed to execute, ensuring that only explicitly specified abilities can
+ * be called. This prevents the model from executing arbitrary abilities.
+ *
  * @since 7.0.0
  */
 …
     /**
+     * Map of allowed ability names for this instance.
+     *
+     * Keys are ability name strings, values are `true` for O(1) lookup.
+     *
+     * @since 7.0.0
+     * @var array<string, true>
+     */
+    private array $allowed_abilities;
+    /**
+     * Constructor.
+     *
+     * @since 7.0.0
+     *
+     * @param WP_Ability|string ...$abilities The abilities that this resolver is allowed to execute.
+     */
+    public function __construct( ...$abilities ) {
+        $this->allowed_abilities = array();
+        foreach ( $abilities as $ability ) {
+            if ( $ability instanceof WP_Ability ) {
+                $this->allowed_abilities[ $ability->get_name() ] = true;
+            } elseif ( is_string( $ability ) ) {
+                $this->allowed_abilities[ $ability ] = true;
+            }
+        }
+    }
+    /**
      * Checks if a function call is an ability call.
+     *
 …
      * @return bool True if the function call is an ability call, false otherwise.
      */
     public static function is_ability_call( FunctionCall $call ): bool {
+    public function is_ability_call( FunctionCall $call ): bool {
         $name = $call->getName();
         if ( null === $name ) {
 …
      * Executes a WordPress ability from a function call.
+     *
+     * Only abilities that were specified in the constructor are allowed to be
+     * executed. If the ability is not in the allowed list, an error response
+     * with code `ability_not_allowed` is returned.
+     *
      * @since 7.0.0
+     *
 …
      * @return FunctionResponse The response from executing the ability.
      */
     public static function execute_ability( FunctionCall $call ): FunctionResponse {
+    public function execute_ability( FunctionCall $call ): FunctionResponse {
         $function_name = $call->getName() ?? 'unknown';
         $function_id   = $call->getId() ?? 'unknown';
         if ( ! self::is_ability_call( $call ) ) {
+        if ( ! $this->is_ability_call( $call ) ) {
             return new FunctionResponse(
                 $function_id,
 …
         $ability_name = self::function_name_to_ability_name( $function_name );
+        $ability      = wp_get_ability( $ability_name );
+        if ( ! isset( $this->allowed_abilities[ $ability_name ] ) ) {
+            return new FunctionResponse(
+                $function_id,
+                $function_name,
+                array(
+                    /* translators: %s: ability name */
+                    'error' => sprintf( __( 'Ability "%s" was not specified in the allowed abilities list.' ), $ability_name ),
+                    'code'  => 'ability_not_allowed',
+                )
+            );
+        }
+        $ability = wp_get_ability( $ability_name );
         if ( ! $ability instanceof WP_Ability ) {
 …
      * @return bool True if the message contains ability calls, false otherwise.
      */
     public static function has_ability_calls( Message $message ): bool {
         return null !== array_find(
             $message->getParts(),
             static function ( MessagePart $part ): bool {
                 return $part->getType()->isFunctionCall()
                     && $part->getFunctionCall() instanceof FunctionCall
                     && self::is_ability_call( $part->getFunctionCall() );
+    public function has_ability_calls( Message $message ): bool {
+        foreach ( $message->getParts() as $part ) {
+            if ( $part->getType()->isFunctionCall() ) {
+                $function_call = $part->getFunctionCall();
+                if ( $function_call instanceof FunctionCall && $this->is_ability_call( $function_call ) ) {
+                    return true;
+                }
+            }
+        );
+        }
+        return false;
+    }
 …
      * @return Message A new message with function responses.
      */
     public static function execute_abilities( Message $message ): Message {
+    public function execute_abilities( Message $message ): Message {
         $response_parts = array();
 …
                 $function_call = $part->getFunctionCall();
                 if ( $function_call instanceof FunctionCall ) {
                     $function_response = self::execute_ability( $function_call );
+                    $function_response = $this->execute_ability( $function_call );
                     $response_parts[]  = new MessagePart( $function_response );
+                }

trunk/tests/phpunit/tests/ai-client/wpAiClientAbilityFunctionResolver.php

-                      r61777
+                      r61795
      */
     public function test_is_ability_call_returns_true_for_valid_ability() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'tec/create_event' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__tec__create_event',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::is_ability_call( $call );
+        $result = $resolver->is_ability_call( $call );
         $this->assertTrue( $result );
 …
      */
     public function test_is_ability_call_returns_true_for_nested_namespace() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'tec/v1/create_event' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__tec__v1__create_event',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::is_ability_call( $call );
+        $result = $resolver->is_ability_call( $call );
         $this->assertTrue( $result );
 …
      */
     public function test_is_ability_call_returns_false_for_non_ability() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $call     = new FunctionCall(
             'test-id',
             'regular_function',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::is_ability_call( $call );
+        $result = $resolver->is_ability_call( $call );
         $this->assertFalse( $result );
 …
      */
     public function test_is_ability_call_returns_false_when_name_is_null() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $call     = new FunctionCall(
             'test-id',
             null,
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::is_ability_call( $call );
+        $result = $resolver->is_ability_call( $call );
         $this->assertFalse( $result );
 …
      */
     public function test_is_ability_call_returns_false_for_partial_prefix() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $call     = new FunctionCall(
             'test-id',
             'wpab_single_underscore',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::is_ability_call( $call );
+        $result = $resolver->is_ability_call( $call );
         $this->assertFalse( $result );
 …
      */
     public function test_execute_ability_returns_error_for_non_ability_call() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $call     = new FunctionCall(
             'test-id',
             'regular_function',
 …
         );
         $response = WP_AI_Client_Ability_Function_Resolver::execute_ability( $call );
+        $response = $resolver->execute_ability( $call );
         $this->assertInstanceOf( FunctionResponse::class, $response );
 …
         $this->setExpectedIncorrectUsage( 'WP_Abilities_Registry::get_registered' );
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'nonexistent/ability' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__nonexistent__ability',
 …
         );
         $response = WP_AI_Client_Ability_Function_Resolver::execute_ability( $call );
+        $response = $resolver->execute_ability( $call );
         $this->assertInstanceOf( FunctionResponse::class, $response );
 …
         $this->setExpectedIncorrectUsage( 'WP_Abilities_Registry::get_registered' );
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'nonexistent/ability' );
+        $call     = new FunctionCall(
             null,
             'wpab__nonexistent__ability',
 …
         );
         $response = WP_AI_Client_Ability_Function_Resolver::execute_ability( $call );
+        $response = $resolver->execute_ability( $call );
         $this->assertInstanceOf( FunctionResponse::class, $response );
 …
      */
     public function test_has_ability_calls_returns_true_when_present() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'tec/create_event' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__tec__create_event',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::has_ability_calls( $message );
+        $result = $resolver->has_ability_calls( $message );
         $this->assertTrue( $result );
 …
      */
     public function test_has_ability_calls_returns_false_when_not_present() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $call     = new FunctionCall(
             'test-id',
             'regular_function',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::has_ability_calls( $message );
+        $result = $resolver->has_ability_calls( $message );
         $this->assertFalse( $result );
 …
      */
     public function test_has_ability_calls_returns_false_for_text_only() {
+        $message = new UserMessage(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $message  = new UserMessage(
             array(
                 new MessagePart( 'Just some text' ),
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::has_ability_calls( $message );
+        $result = $resolver->has_ability_calls( $message );
         $this->assertFalse( $result );
 …
      */
     public function test_has_ability_calls_returns_true_with_mixed_content() {
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'tec/create_event' );
         $regular_call = new FunctionCall(
             'regular-id',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::has_ability_calls( $message );
+        $result = $resolver->has_ability_calls( $message );
         $this->assertTrue( $result );
 …
      */
     public function test_has_ability_calls_with_empty_message() {
+        $message = new ModelMessage( array() );
+        $result = WP_AI_Client_Ability_Function_Resolver::has_ability_calls( $message );
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $message  = new ModelMessage( array() );
+        $result = $resolver->has_ability_calls( $message );
         $this->assertFalse( $result );
 …
      */
     public function test_execute_abilities_with_empty_message() {
+        $message = new ModelMessage( array() );
+        $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $message  = new ModelMessage( array() );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
         $this->setExpectedIncorrectUsage( 'WP_Abilities_Registry::get_registered' );
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'nonexistent/ability' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__nonexistent__ability',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
         $this->setExpectedIncorrectUsage( 'WP_Abilities_Registry::get_registered' );
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'nonexistent/ability' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__nonexistent__ability',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
     public function test_execute_abilities_processes_multiple_calls() {
         $this->setExpectedIncorrectUsage( 'WP_Abilities_Registry::get_registered' );
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'nonexistent/ability1', 'nonexistent/ability2' );
         $call1 = new FunctionCall(
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
         $this->setExpectedIncorrectUsage( 'WP_Abilities_Registry::get_registered' );
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'nonexistent/ability' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__nonexistent__ability',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
      */
     public function test_execute_ability_success() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/simple' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__wpaiclienttests__simple',
 …
         );
         $response = WP_AI_Client_Ability_Function_Resolver::execute_ability( $call );
+        $response = $resolver->execute_ability( $call );
         $this->assertInstanceOf( FunctionResponse::class, $response );
 …
      */
     public function test_execute_ability_with_parameters() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/with-params' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__wpaiclienttests__with-params',
 …
         );
         $response = WP_AI_Client_Ability_Function_Resolver::execute_ability( $call );
+        $response = $resolver->execute_ability( $call );
         $this->assertInstanceOf( FunctionResponse::class, $response );
 …
      */
     public function test_execute_ability_handles_wp_error() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/returns-error' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__wpaiclienttests__returns-error',
 …
         );
         $response = WP_AI_Client_Ability_Function_Resolver::execute_ability( $call );
+        $response = $resolver->execute_ability( $call );
         $this->assertInstanceOf( FunctionResponse::class, $response );
 …
      */
     public function test_execute_abilities_success() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/simple' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__wpaiclienttests__simple',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
      */
     public function test_execute_abilities_multiple_success() {
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/simple', 'wpaiclienttests/hyphen-test' );
         $call1 = new FunctionCall(
             'call-1',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
      */
     public function test_execute_abilities_with_mixed_content() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/simple' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__wpaiclienttests__simple',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
      */
     public function test_execute_abilities_with_parameters() {
+        $call = new FunctionCall(
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/with-params' );
+        $call     = new FunctionCall(
             'test-id',
             'wpab__wpaiclienttests__with-params',
 …
         );
         $result = WP_AI_Client_Ability_Function_Resolver::execute_abilities( $message );
+        $result = $resolver->execute_abilities( $message );
         $this->assertInstanceOf( UserMessage::class, $result );
 …
         $this->assertSame( 'Integration Test', $data['title'] );
+    }
+    /**
+     * Test execute_ability rejects ability not in allowed list.
+     *
+     * @ticket 64769
+     */
+    public function test_execute_ability_rejects_ability_not_in_allowed_list() {
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/simple' );
+        $call     = new FunctionCall(
+            'test-id',
+            'wpab__wpaiclienttests__with-params',
+            array( 'title' => 'Test' )
+        );
+        $response = $resolver->execute_ability( $call );
+        $this->assertInstanceOf( FunctionResponse::class, $response );
+        $data = $response->getResponse();
+        $this->assertIsArray( $data );
+        $this->assertArrayHasKey( 'error', $data );
+        $this->assertStringContainsString( 'not specified in the allowed abilities list', $data['error'] );
+        $this->assertArrayHasKey( 'code', $data );
+        $this->assertSame( 'ability_not_allowed', $data['code'] );
+    }
+    /**
+     * Test execute_ability rejects all abilities when constructed with no abilities.
+     *
+     * @ticket 64769
+     */
+    public function test_execute_ability_rejects_all_when_no_abilities_specified() {
+        $resolver = new WP_AI_Client_Ability_Function_Resolver();
+        $call     = new FunctionCall(
+            'test-id',
+            'wpab__wpaiclienttests__simple',
+            array()
+        );
+        $response = $resolver->execute_ability( $call );
+        $this->assertInstanceOf( FunctionResponse::class, $response );
+        $data = $response->getResponse();
+        $this->assertIsArray( $data );
+        $this->assertArrayHasKey( 'code', $data );
+        $this->assertSame( 'ability_not_allowed', $data['code'] );
+    }
+    /**
+     * Test execute_abilities filters by allowed list.
+     *
+     * @ticket 64769
+     */
+    public function test_execute_abilities_filters_by_allowed_list() {
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( 'wpaiclienttests/simple' );
+        $call1 = new FunctionCall(
+            'call-1',
+            'wpab__wpaiclienttests__simple',
+            array()
+        );
+        $call2 = new FunctionCall(
+            'call-2',
+            'wpab__wpaiclienttests__with-params',
+            array( 'title' => 'Test' )
+        );
+        $message = new ModelMessage(
+            array(
+                new MessagePart( $call1 ),
+                new MessagePart( $call2 ),
+            )
+        );
+        $result = $resolver->execute_abilities( $message );
+        $parts = $result->getParts();
+        $this->assertCount( 2, $parts );
+        $response1_data = $parts[0]->getFunctionResponse()->getResponse();
+        $this->assertArrayHasKey( 'success', $response1_data );
+        $this->assertTrue( $response1_data['success'] );
+        $response2_data = $parts[1]->getFunctionResponse()->getResponse();
+        $this->assertSame( 'ability_not_allowed', $response2_data['code'] );
+    }
+    /**
+     * Test constructor accepts WP_Ability objects.
+     *
+     * @ticket 64769
+     */
+    public function test_constructor_accepts_wp_ability_objects() {
+        $ability  = wp_get_ability( 'wpaiclienttests/simple' );
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( $ability );
+        $call     = new FunctionCall(
+            'test-id',
+            'wpab__wpaiclienttests__simple',
+            array()
+        );
+        $response = $resolver->execute_ability( $call );
+        $data = $response->getResponse();
+        $this->assertArrayHasKey( 'success', $data );
+        $this->assertTrue( $data['success'] );
+    }
+    /**
+     * Test constructor accepts mixed WP_Ability objects and strings.
+     *
+     * @ticket 64769
+     */
+    public function test_constructor_accepts_mixed_ability_types() {
+        $ability  = wp_get_ability( 'wpaiclienttests/simple' );
+        $resolver = new WP_AI_Client_Ability_Function_Resolver( $ability, 'wpaiclienttests/with-params' );
+        $call1     = new FunctionCall(
+            'call-1',
+            'wpab__wpaiclienttests__simple',
+            array()
+        );
+        $response1 = $resolver->execute_ability( $call1 );
+        $this->assertArrayHasKey( 'success', $response1->getResponse() );
+        $call2     = new FunctionCall(
+            'call-2',
+            'wpab__wpaiclienttests__with-params',
+            array( 'title' => 'Test' )
+        );
+        $response2 = $resolver->execute_ability( $call2 );
+        $this->assertArrayHasKey( 'success', $response2->getResponse() );
+    }
+}

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 61795

Legend:

trunk/src/wp-includes/ai-client/class-wp-ai-client-ability-function-resolver.php

trunk/tests/phpunit/tests/ai-client/wpAiClientAbilityFunctionResolver.php

Download in other formats: