#50075 closed defect (bug) (fixed)
Trigger _doing_it_wrong for dangerous REST API endpoint option
Reported by: | rmccue | Owned by: | TimothyBlynJacobs |
---|---|---|---|
Milestone: | 5.5 | Priority: | normal |
Severity: | normal | Version: | 4.4 |
Component: | REST API | Keywords: | has-patch has-unit-tests commit has-dev-note |
Focuses: | Cc: |
Description
REST API endpoints can be registered with a permission_callback
option. It's really easy to accidentally write permissions_callback
instead, and tough to catch during peer review, making this a potential footgun.
We should trigger a _doing_it_wrong()
for this.
Change History (20)
#2
in reply to:
↑ 1
@
4 years ago
Replying to TimothyBlynJacobs:
One of the things we discussed is whether we should allow
permission_callback => true
as a shortcut for__return_true
.
IMO no, as that's a potential footgun too; if you accidentally cast to true or something crazy. I think it also complicates the API surface for no real gain, given __return_true
already exists.
Note that I'm only suggesting the misspelling here, not the lack of permission_callback
; while that would be OK, it's a bit of an API breakage, and would cause a lot of warnings.
This ticket was mentioned in PR #265 on WordPress/wordpress-develop by sorenbronsted.
4 years ago
#4
Added a notice when permission_callback is misspelled
Trac ticket: https://core.trac.wordpress.org/ticket/50075
#6
@
4 years ago
IMO no, as that's a potential footgun too; if you accidentally cast to true or something crazy. I think it also complicates the API surface for no real gain, given
__return_true
already exists.
Works for me.
Note that I'm only suggesting the misspelling here, not the lack of permission_callback; while that would be OK, it's a bit of an API breakage, and would cause a lot of warnings.
Ah, I misunderstood. Yeah I'm conflicted about it, I kinda hoped that the issue last year would be a "one and done" type of deal, but it has cropped up again. I'm not sure if it is worth the noise.
TimothyBJacobs commented on PR #265:
4 years ago
#7
Thanks for working on a patch @sorenbronsted! Left a couple of comments.
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
4 years ago
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
4 years ago
#10
@
4 years ago
I think it makes the most sense to add the notice if the permission_callback
is missing at all. We've seen multiple examples of that issue in the wild and it can be a pretty bad vulnerability when it happens.
Looking for permissions_callback
specifically would work for one misspelling, but others are easy as well.
The notice would be annoying for people who are intentionally omitting a permission callback, but adding a __return_true
is a quite simple fix.
Chatted about this with @SergeyBiryukov, we also have precedent for this kind of thing in Core with the notices added in map_meta_cap
if the object's type isn't registered. That behavior isn't necessarily unsafe, but Core can't be sure, and so it is safer to add a notice.
#11
@
4 years ago
Sounds like a good idea, I think we should get a dev note ASAP as this will start triggering a lot of notices...
This ticket was mentioned in PR #420 on WordPress/wordpress-develop by TimothyBJacobs.
4 years ago
#12
Trac ticket: https://core.trac.wordpress.org/ticket/50075
#13
@
4 years ago
Thanks for taking a look @whyisjake! I've added a patch implementing this. The error message renders like so:
The REST API route definition for <code>my-ns/my-route</code> is missing the required <code>permission_callback</code> argument. For REST API routes that are intended to be public, use <code>__return_true</code> as the permission callback.
#14
@
4 years ago
- Keywords needs-dev-note commit added
Code looks good, if @SergeyBiryukov is good with the notices, works for me!
#15
@
4 years ago
Got sign off from @SergeyBiryukov. Going to commit and add it to the overall dev note for the REST API.
#16
@
4 years ago
- Owner set to TimothyBlynJacobs
- Resolution set to fixed
- Status changed from new to closed
In 48526:
#17
@
4 years ago
Wondering in the interest of saving energy from all the error log storage that will quickly fill up :) should core pull back from the _doing_it_wrong()
in WP 5.5 and instead do that in WP 5.6 with a strong dev note ahead of time to start updating code right away?
#18
@
4 years ago
Wondering in the interest of saving energy from all the error log storage that will quickly fill up :) should core pull back from the _doing_it_wrong() in WP 5.5 and instead do that in WP 5.6 with a strong dev note ahead of time to start updating code right away?
That's a possibility. For me, I think the developers who read the dev notes will quickly update their plugins before WordPress 5.5 releases. For the ones that aren't, they won't know about it coming in 5.6. So pushing the notice to the next release doesn't really change things.
Discussed in slack:
Examples in the wild:
One of the things we discussed is whether we should allow
permission_callback => true
as a shortcut for__return_true
.