kawaiipunk/laipower
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated plugin Jetpack Protect version 1.1.1

Browse Source
This commit is contained in:
KawaiiPunk
2022-11-24 13:40:35 +00:00
committed by Gitium
parent 9bf96ad952
commit 5284e32c67
126 changed files with 6115 additions and 1644 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
wp-content/plugins/jetpack-protect/src/class-credentials.php Normal file
View File

@ -0,0 +1,56 @@
<?php
/**
* Class to handle Rewind
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
use Automattic\Jetpack\Connection\Client;
use Automattic\Jetpack\Connection\Manager as Connection_Manager;
use Jetpack_Options;
/**
* Class that handles the rewind api call.
*/
class Credentials {
/**
* Get the rewind state, if no creds are set the state will be 'awaiting_for_credentials'
*
* @return bool
*/
public static function get_credential_array() {
$blog_id = Jetpack_Options::get_option( 'id' );
$is_connected = ( new Connection_Manager() )->is_connected();
if ( ! $blog_id || ! $is_connected ) {
return false;
}
$api_url = sprintf( '/sites/%d/scan', $blog_id );
$response = Client::wpcom_json_api_request_as_blog(
$api_url,
'2',
array( 'method' => 'GET' ),
null,
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code ) {
return false;
}
$parsed_response = json_decode( $response['body'] );
if ( ! $parsed_response ) {
return false;
}
return isset( $parsed_response->credentials ) ? $parsed_response->credentials : array();
}
}

291
wp-content/plugins/jetpack-protect/src/class-jetpack-protect.php
View File

@ -18,10 +18,16 @@ use Automattic\Jetpack\JITMS\JITM as JITM;
use Automattic\Jetpack\My_Jetpack\Initializer as My_Jetpack_Initializer;
use Automattic\Jetpack\My_Jetpack\Products as My_Jetpack_Products;
use Automattic\Jetpack\Plugins_Installer;
use Automattic\Jetpack\Protect\Credentials;
use Automattic\Jetpack\Protect\Plan;
use Automattic\Jetpack\Protect\Scan_Status;
use Automattic\Jetpack\Protect\Site_Health;
use Automattic\Jetpack\Protect\Status as Protect_Status;
use Automattic\Jetpack\Protect\Status;
use Automattic\Jetpack\Protect\Threats;
use Automattic\Jetpack\Status as Jetpack_Status;
use Automattic\Jetpack\Sync\Functions as Sync_Functions;
use Automattic\Jetpack\Sync\Sender;
/**
* Class Jetpack_Protect
*/
@ -32,8 +38,9 @@ class Jetpack_Protect {
*/
public function __construct() {
add_action( 'init', array( $this, 'init' ) );
add_action( '_admin_menu', array( $this, 'admin_page_init' ) );
// Init Jetpack packages and ConnectionUI.
// Init Jetpack packages
add_action(
'plugins_loaded',
function () {
@ -54,11 +61,13 @@ class Jetpack_Protect {
'jetpack_sync_modules' => array(
'Automattic\\Jetpack\\Sync\\Modules\\Options',
'Automattic\\Jetpack\\Sync\\Modules\\Callables',
'Automattic\\Jetpack\\Sync\\Modules\\Users',
),
'jetpack_sync_callable_whitelist' => array(
'get_plugins' => array( 'Automattic\\Jetpack\\Sync\\Functions', 'get_plugins' ),
'get_themes' => array( 'Automattic\\Jetpack\\Sync\\Functions', 'get_themes' ),
'wp_version' => array( 'Automattic\\Jetpack\\Sync\\Functions', 'wp_version' ),
'main_network_site' => array( 'Automattic\\Jetpack\\Connection\\Urls', 'main_network_site_url' ),
'get_plugins' => array( 'Automattic\\Jetpack\\Sync\\Functions', 'get_plugins' ),
'get_themes' => array( 'Automattic\\Jetpack\\Sync\\Functions', 'get_themes' ),
'wp_version' => array( 'Automattic\\Jetpack\\Sync\\Functions', 'wp_version' ),
),
'jetpack_sync_options_contentless' => array(),
'jetpack_sync_options_whitelist' => array(
@ -84,22 +93,6 @@ class Jetpack_Protect {
// Set up the REST authentication hooks.
Connection_Rest_Authentication::init();
$total_vuls = Protect_Status::get_total_vulnerabilities();
$menu_label = _x( 'Protect', 'The Jetpack Protect product name, without the Jetpack prefix', 'jetpack-protect' );
if ( $total_vuls ) {
$menu_label .= sprintf( ' <span class="update-plugins">%d</span>', $total_vuls );
}
$page_suffix = Admin_Menu::add_menu(
__( 'Jetpack Protect', 'jetpack-protect' ),
$menu_label,
'manage_options',
'jetpack-protect',
array( $this, 'plugin_settings_page' ),
99
);
add_action( 'load-' . $page_suffix, array( $this, 'admin_init' ) );
add_action( 'admin_bar_menu', array( $this, 'admin_bar' ), 65 );
add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_styles' ) );
// Add custom WP REST API endoints.
@ -113,10 +106,25 @@ class Jetpack_Protect {
}
/**
* Initialize the admin resources.
* Initialize the admin page resources.
*/
public function admin_init() {
add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_scripts' ) );
public function admin_page_init() {
$total_threats = Status::get_total_threats();
$menu_label = _x( 'Protect', 'The Jetpack Protect product name, without the Jetpack prefix', 'jetpack-protect' );
if ( $total_threats ) {
$menu_label .= sprintf( ' <span class="update-plugins">%d</span>', $total_threats );
}
$page_suffix = Admin_Menu::add_menu(
__( 'Jetpack Protect', 'jetpack-protect' ),
$menu_label,
'manage_options',
'jetpack-protect',
array( $this, 'plugin_settings_page' ),
99
);
add_action( 'load-' . $page_suffix, array( $this, 'enqueue_admin_scripts' ) );
}
/**
@ -165,18 +173,26 @@ class Jetpack_Protect {
*/
public function initial_state() {
global $wp_version;
return array(
// phpcs:disable WordPress.Security.NonceVerification.Recommended
$refresh_status_from_wpcom = isset( $_GET['checkPlan'] );
$initial_state = array(
'apiRoot' => esc_url_raw( rest_url() ),
'apiNonce' => wp_create_nonce( 'wp_rest' ),
'registrationNonce' => wp_create_nonce( 'jetpack-registration-nonce' ),
'status' => Protect_Status::get_status(),
'status' => Status::get_status( $refresh_status_from_wpcom ),
'installedPlugins' => Plugins_Installer::get_plugins(),
'installedThemes' => Sync_Functions::get_themes(),
'wpVersion' => $wp_version,
'adminUrl' => admin_url( 'admin.php?page=jetpack-protect' ),
'securityBundle' => My_Jetpack_Products::get_product( 'security' ),
'adminUrl' => 'admin.php?page=jetpack-protect',
'siteSuffix' => ( new Jetpack_Status() )->get_site_suffix(),
'jetpackScan' => My_Jetpack_Products::get_product( 'scan' ),
'productData' => My_Jetpack_Products::get_product( 'protect' ),
'hasRequiredPlan' => Plan::has_required_plan(),
);
$initial_state['jetpackScan']['pricingForUi'] = Plan::get_product( 'jetpack_scan' );
return $initial_state;
}
/**
* Main plugin settings page.
@ -202,11 +218,11 @@ class Jetpack_Protect {
$manager = new Connection_Manager( 'jetpack-protect' );
$manager->remove_connection();
Protect_Status::delete_option();
Status::delete_option();
}
/**
* Create a shortcut on Admin Bar to show the total of vulnerabilities found.
* Create a shortcut on Admin Bar to show the total of threats found.
*
* @param object $wp_admin_bar The Admin Bar object.
* @return void
@ -216,7 +232,7 @@ class Jetpack_Protect {
return;
}
$total = Protect_Status::get_total_vulnerabilities();
$total = Status::get_total_threats();
if ( $total > 0 ) {
$args = array(
@ -224,8 +240,8 @@ class Jetpack_Protect {
'title' => '<span class="ab-icon jp-protect-icon"></span><span class="ab-label">' . $total . '</span>',
'href' => admin_url( 'admin.php?page=jetpack-protect' ),
'meta' => array(
// translators: %d is the number of vulnerabilities found.
'title' => sprintf( _n( '%d vulnerability found by Jetpack Protect', '%d vulnerabilities found by Jetpack Protect', $total, 'jetpack-protect' ), $total ),
// translators: %d is the number of threats found.
'title' => sprintf( _n( '%d threat found by Jetpack Protect', '%d threats found by Jetpack Protect', $total, 'jetpack-protect' ), $total ),
),
);
@ -239,6 +255,18 @@ class Jetpack_Protect {
* @return void
*/
public static function register_rest_endpoints() {
register_rest_route(
'jetpack-protect/v1',
'check-plan',
array(
'methods' => \WP_REST_Server::READABLE,
'callback' => __CLASS__ . '::api_check_plan',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
register_rest_route(
'jetpack-protect/v1',
'status',
@ -250,15 +278,208 @@ class Jetpack_Protect {
},
)
);
register_rest_route(
'jetpack-protect/v1',
'clear-scan-cache',
array(
'methods' => \WP_REST_SERVER::EDITABLE,
'callback' => __CLASS__ . '::api_clear_scan_cache',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
register_rest_route(
'jetpack-protect/v1',
'ignore-threat',
array(
'methods' => \WP_REST_SERVER::EDITABLE,
'callback' => __CLASS__ . '::api_ignore_threat',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
register_rest_route(
'jetpack-protect/v1',
'fix-threats',
array(
'methods' => \WP_REST_SERVER::EDITABLE,
'callback' => __CLASS__ . '::api_fix_threats',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
register_rest_route(
'jetpack-protect/v1',
'fix-threats-status',
array(
'methods' => \WP_REST_SERVER::READABLE,
'callback' => __CLASS__ . '::api_fix_threats_status',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
register_rest_route(
'jetpack-protect/v1',
'check-credentials',
array(
'methods' => \WP_REST_Server::EDITABLE,
'callback' => __CLASS__ . '::api_check_credentials',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
register_rest_route(
'jetpack-protect/v1',
'scan',
array(
'methods' => \WP_REST_SERVER::EDITABLE,
'callback' => __CLASS__ . '::api_scan',
'permission_callback' => function () {
return current_user_can( 'manage_options' );
},
)
);
}
/**
* Return site plan data for the API endpoint
*
* @return WP_REST_Response
*/
public static function api_check_plan() {
$has_required_plan = Plan::has_required_plan();
return rest_ensure_response( $has_required_plan, 200 );
}
/**
* Return Protect Status for the API endpoint
*
* @param WP_REST_Request $request The request object.
*
* @return WP_REST_Response
*/
public static function api_get_status() {
$status = Protect_Status::get_status();
public static function api_get_status( $request ) {
$status = Status::get_status( $request['hard_refresh'] );
return rest_ensure_response( $status, 200 );
}
/**
* Clear the Scan_Status cache for the API endpoint
*
* @return WP_REST_Response
*/
public static function api_clear_scan_cache() {
$cache_cleared = Scan_Status::delete_option();
if ( ! $cache_cleared ) {
return new WP_REST_Response( 'An error occured while attempting to clear the Jetpack Scan cache.', 500 );
}
return new WP_REST_Response( 'Jetpack Scan cache cleared.' );
}
/**
* Ignores a threat for the API endpoint
*
* @param WP_REST_Request $request The request object.
*
* @return WP_REST_Response
*/
public static function api_ignore_threat( $request ) {
if ( ! $request['threat_id'] ) {
return new WP_REST_RESPONSE( 'Missing threat ID.', 400 );
}
$threat_ignored = Threats::ignore_threat( $request['threat_id'] );
if ( ! $threat_ignored ) {
return new WP_REST_Response( 'An error occured while attempting to ignore the threat.', 500 );
}
return new WP_REST_Response( 'Threat ignored.' );
}
/**
* Fixes threats for the API endpoint
*
* @param WP_REST_Request $request The request object.
*
* @return WP_REST_Response
*/
public static function api_fix_threats( $request ) {
if ( empty( $request['threat_ids'] ) ) {
return new WP_REST_RESPONSE( 'Missing threat IDs.', 400 );
}
$threats_fixed = Threats::fix_threats( $request['threat_ids'] );
if ( ! $threats_fixed ) {
return new WP_REST_Response( 'An error occured while attempting to fix the threat.', 500 );
}
return new WP_REST_Response( $threats_fixed );
}
/**
* Fixes threats for the API endpoint
*
* @param WP_REST_Request $request The request object.
*
* @return WP_REST_Response
*/
public static function api_fix_threats_status( $request ) {
if ( empty( $request['threat_ids'] ) ) {
return new WP_REST_RESPONSE( 'Missing threat IDs.', 400 );
}
$threats_fixed = Threats::fix_threats_status( $request['threat_ids'] );
if ( ! $threats_fixed ) {
return new WP_REST_Response( 'An error occured while attempting to get the fixer status of the threats.', 500 );
}
return new WP_REST_Response( $threats_fixed );
}
/**
* Checks if the site has credentials configured
*
* @return WP_REST_Response
*/
public static function api_check_credentials() {
$credential_array = Credentials::get_credential_array();
if ( ! isset( $credential_array ) ) {
return new WP_REST_Response( 'An error occured while attempting to fetch the credentials array', 500 );
}
return new WP_REST_Response( $credential_array );
}
/**
* Enqueues a scan for the API endpoint
*
* @return WP_REST_Response
*/
public static function api_scan() {
$scan_enqueued = Threats::scan();
if ( ! $scan_enqueued ) {
return new WP_REST_Response( 'An error occured while attempting to enqueue the scan.', 500 );
}
return new WP_REST_Response( 'Scan enqueued.' );
}
}

111
wp-content/plugins/jetpack-protect/src/class-plan.php Normal file
View File

@ -0,0 +1,111 @@
<?php
/**
* Class to handle the Protect plan
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
use Automattic\Jetpack\Current_Plan;
/**
* The Plan class.
*/
class Plan {
/**
* The meta name used to store the cache date
*
* @var string
*/
const CACHE_DATE_META_NAME = 'protect-cache-date';
/**
* Valid pediord for the cache: One week.
*/
const CACHE_VALIDITY_PERIOD = 7 * DAY_IN_SECONDS;
/**
* The meta name used to store the cache
*
* @var string
*/
const CACHE_META_NAME = 'protect-cache';
/**
* Checks if the cache is old, meaning we need to fetch new data from WPCOM
*/
private static function is_cache_old() {
if ( empty( self::get_product_from_cache() ) ) {
return true;
}
$cache_date = get_user_meta( get_current_user_id(), self::CACHE_DATE_META_NAME, true );
return time() - (int) $cache_date > ( self::CACHE_VALIDITY_PERIOD );
}
/**
* Gets the product list from the user cache
*/
private static function get_product_from_cache() {
return get_user_meta( get_current_user_id(), self::CACHE_META_NAME, true );
}
/**
* Gets the product data
*
* @param string $wpcom_product The product slug.
* @return array
*/
public static function get_product( $wpcom_product = 'jetpack_scan' ) {
if ( ! self::is_cache_old() ) {
return self::get_product_from_cache();
}
$request_url = 'https://public-api.wordpress.com/rest/v1.1/products?locale=' . get_user_locale() . '&type=jetpack';
$wpcom_request = wp_remote_get( esc_url_raw( $request_url ) );
$response_code = wp_remote_retrieve_response_code( $wpcom_request );
if ( 200 === $response_code ) {
$products = json_decode( wp_remote_retrieve_body( $wpcom_request ) );
// Pick the desired product...
$product = $products->{$wpcom_product};
// ... and store it into the cache.
update_user_meta( get_current_user_id(), self::CACHE_DATE_META_NAME, time() );
update_user_meta( get_current_user_id(), self::CACHE_META_NAME, $product );
return $product;
}
return new \WP_Error(
'failed_to_fetch_data',
esc_html__( 'Unable to fetch the requested data.', 'jetpack-protect' ),
array(
'status' => $response_code,
'request' => $wpcom_request,
)
);
}
/**
* Has Required Plan
*
* @param bool $force_refresh Refresh the local plan cache from wpcom.
* @return bool True when the site has a plan or product that supports the paid Protect tier.
*/
public static function has_required_plan( $force_refresh = false ) {
static $has_scan = null;
if ( null === $has_scan || $force_refresh ) {
$products = array_column( Current_Plan::get_products(), 'product_slug' );
// Check for a plan or product that enables scan.
$plan_supports_scan = Current_Plan::supports( 'scan', true );
$has_scan_product = count( array_intersect( array( 'jetpack_scan', 'jetpack_scan_monthly' ), $products ) ) > 0;
$has_scan = $plan_supports_scan || $has_scan_product;
}
return $has_scan;
}
}

259
wp-content/plugins/jetpack-protect/src/class-protect-status.php Normal file
View File

@ -0,0 +1,259 @@
<?php
/**
* Class to handle the Protect Status of Jetpack Protect
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
use Automattic\Jetpack\Connection\Client;
use Automattic\Jetpack\Connection\Manager as Connection_Manager;
use Automattic\Jetpack\Plugins_Installer;
use Automattic\Jetpack\Redirect;
use Automattic\Jetpack\Sync\Functions as Sync_Functions;
use Jetpack_Options;
use WP_Error;
/**
* Class that handles fetching and caching the Status of vulnerabilities check from the WPCOM servers
*/
class Protect_Status extends Status {
/**
* WPCOM endpoint
*
* @var string
*/
const REST_API_BASE = '/sites/%d/jetpack-protect-status';
/**
* Name of the option where status is stored
*
* @var string
*/
const OPTION_NAME = 'jetpack_protect_status';
/**
* Name of the option where the timestamp of the status is stored
*
* @var string
*/
const OPTION_TIMESTAMP_NAME = 'jetpack_protect_status_time';
/**
* Gets the current status of the Jetpack Protect checks
*
* @param bool $refresh_from_wpcom Refresh the local plan and status cache from wpcom.
* @return Status_Model
*/
public static function get_status( $refresh_from_wpcom = false ) {
if ( self::$status !== null ) {
return self::$status;
}
if ( $refresh_from_wpcom || ! self::should_use_cache() || self::is_cache_expired() ) {
$status = self::fetch_from_server();
} else {
$status = self::get_from_options();
}
if ( is_wp_error( $status ) ) {
$status = new Status_Model(
array(
'error' => true,
'error_code' => $status->get_error_code(),
'error_message' => $status->get_error_message(),
)
);
} else {
$status = self::normalize_protect_report_data( $status );
}
self::$status = $status;
return $status;
}
/**
* Gets the WPCOM API endpoint
*
* @return WP_Error|string
*/
public static function get_api_url() {
$blog_id = Jetpack_Options::get_option( 'id' );
$is_connected = ( new Connection_Manager() )->is_connected();
if ( ! $blog_id || ! $is_connected ) {
return new WP_Error( 'site_not_connected' );
}
$api_url = sprintf( self::REST_API_BASE, $blog_id );
return $api_url;
}
/**
* Fetches the status from WPCOM servers
*
* @return WP_Error|array
*/
public static function fetch_from_server() {
$api_url = self::get_api_url();
if ( is_wp_error( $api_url ) ) {
return $api_url;
}
$response = Client::wpcom_json_api_request_as_blog(
self::get_api_url(),
'2',
array( 'method' => 'GET' ),
null,
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code || empty( $response['body'] ) ) {
return new WP_Error( 'failed_fetching_status', 'Failed to fetch Protect Status data from server', array( 'status' => $response_code ) );
}
$body = json_decode( wp_remote_retrieve_body( $response ) );
self::update_option( maybe_serialize( $body ) );
return $body;
}
/**
* Normalize data from the Protect Report data source.
*
* @param object $report_data Data from the Protect Report.
* @return Status_Model
*/
protected static function normalize_protect_report_data( $report_data ) {
$status = new Status_Model();
$status->data_source = 'protect_report';
// map report data properties directly into the Status_Model
$status->status = isset( $report_data->status ) ? $report_data->status : null;
$status->last_checked = isset( $report_data->last_checked ) ? $report_data->last_checked : null;
$status->num_threats = isset( $report_data->num_vulnerabilities ) ? $report_data->num_vulnerabilities : null;
$status->num_themes_threats = isset( $report_data->num_themes_vulnerabilities ) ? $report_data->num_themes_vulnerabilities : null;
$status->num_plugins_threats = isset( $report_data->num_plugins_vulnerabilities ) ? $report_data->num_plugins_vulnerabilities : null;
// merge plugins from report with all installed plugins before mapping into the Status_Model
$installed_plugins = Plugins_Installer::get_plugins();
$last_report_plugins = isset( $report_data->plugins ) ? $report_data->plugins : new \stdClass();
$status->plugins = self::merge_installed_and_checked_lists( $installed_plugins, $last_report_plugins, array( 'type' => 'plugins' ) );
// merge themes from report with all installed plugins before mapping into the Status_Model
$installed_themes = Sync_Functions::get_themes();
$last_report_themes = isset( $report_data->themes ) ? $report_data->themes : new \stdClass();
$status->themes = self::merge_installed_and_checked_lists( $installed_themes, $last_report_themes, array( 'type' => 'themes' ) );
// normalize WordPress core report data and map into Status_Model
$status->core = self::normalize_core_information( isset( $report_data->core ) ? $report_data->core : new \stdClass() );
// check if any installed items (themes, plugins, or core) have not been checked in the report
$all_items = array_merge( $status->plugins, $status->themes, array( $status->core ) );
$unchecked_items = array_filter(
$all_items,
function ( $item ) {
return ! isset( $item->checked ) || ! $item->checked;
}
);
$status->has_unchecked_items = ! empty( $unchecked_items );
return $status;
}
/**
* Merges the list of installed extensions with the list of extensions that were checked for known vulnerabilities and return a normalized list to be used in the UI
*
* @param array $installed The list of installed extensions, where each attribute key is the extension slug.
* @param object $checked The list of checked extensions.
* @param array $append Additional data to append to each result in the list.
* @return array Normalized list of extensions.
*/
protected static function merge_installed_and_checked_lists( $installed, $checked, $append ) {
$new_list = array();
foreach ( array_keys( $installed ) as $slug ) {
$checked = (object) $checked;
$extension = new Extension_Model(
array_merge(
array(
'name' => $installed[ $slug ]['Name'],
'version' => $installed[ $slug ]['Version'],
'slug' => $slug,
'threats' => array(),
'checked' => false,
),
$append
)
);
if ( isset( $checked->{ $slug } ) && $checked->{ $slug }->version === $installed[ $slug ]['Version'] ) {
$extension->version = $checked->{ $slug }->version;
$extension->checked = true;
if ( is_array( $checked->{ $slug }->vulnerabilities ) ) {
foreach ( $checked->{ $slug }->vulnerabilities as $threat ) {
$extension->threats[] = new Threat_Model(
array(
'id' => $threat->id,
'title' => $threat->title,
'fixed_in' => $threat->fixed_in,
'description' => isset( $threat->description ) ? $threat->description : null,
'source' => isset( $threat->id ) ? Redirect::get_url( 'jetpack-protect-vul-info', array( 'path' => $threat->id ) ) : null,
)
);
}
}
}
$new_list[] = $extension;
}
$new_list = parent::sort_threats( $new_list );
return $new_list;
}
/**
* Check if the WordPress version that was checked matches the current installed version.
*
* @param object $core_check The object returned by Protect wpcom endpoint.
* @return object The object representing the current status of core checks.
*/
protected static function normalize_core_information( $core_check ) {
global $wp_version;
$core = new Extension_Model(
array(
'type' => 'core',
'name' => 'WordPress',
'version' => $wp_version,
'checked' => false,
)
);
if ( isset( $core_check->version ) && $core_check->version === $wp_version ) {
if ( is_array( $core_check->vulnerabilities ) ) {
$core->checked = true;
$core->set_threats(
array_map(
function ( $vulnerability ) {
$vulnerability->source = isset( $vulnerability->id ) ? Redirect::get_url( 'jetpack-protect-vul-info', array( 'path' => $vulnerability->id ) ) : null;
return $vulnerability;
},
$core_check->vulnerabilities
)
);
}
}
return $core;
}
}

359
wp-content/plugins/jetpack-protect/src/class-scan-status.php Normal file
View File

@ -0,0 +1,359 @@
<?php
/**
* Class to handle the Scan Status of Jetpack Protect
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
use Automattic\Jetpack\Connection\Client;
use Automattic\Jetpack\Connection\Manager as Connection_Manager;
use Automattic\Jetpack\Plugins_Installer;
use Automattic\Jetpack\Sync\Functions as Sync_Functions;
use Jetpack_Options;
use WP_Error;
/**
* Class that handles fetching of threats from the Scan API
*/
class Scan_Status extends Status {
/**
* Scan endpoint
*
* @var string
*/
const SCAN_API_BASE = '/sites/%d/scan';
/**
* Name of the option where status is stored
*
* @var string
*/
const OPTION_NAME = 'jetpack_scan_status';
/**
* Name of the option where the timestamp of the status is stored
*
* @var string
*/
const OPTION_TIMESTAMP_NAME = 'jetpack_scan_status_timestamp';
/**
* Time in seconds that the cache should last
*
* @var int
*/
const OPTION_EXPIRES_AFTER = 300; // 5 minutes.
/**
* Gets the current status of the Jetpack Protect checks
*
* @param bool $refresh_from_wpcom Refresh the local plan and status cache from wpcom.
* @return Status_Model
*/
public static function get_status( $refresh_from_wpcom = false ) {
if ( self::$status !== null ) {
return self::$status;
}
if ( $refresh_from_wpcom || ! self::should_use_cache() || self::is_cache_expired() ) {
$status = self::fetch_from_api();
} else {
$status = self::get_from_options();
}
if ( is_wp_error( $status ) ) {
$status = new Status_Model(
array(
'error' => true,
'error_code' => $status->get_error_code(),
'error_message' => $status->get_error_message(),
)
);
} else {
$status = self::normalize_api_data( $status );
}
self::$status = $status;
return $status;
}
/**
* Gets the Scan API endpoint
*
* @return WP_Error|string
*/
public static function get_api_url() {
$blog_id = Jetpack_Options::get_option( 'id' );
$is_connected = ( new Connection_Manager() )->is_connected();
if ( ! $blog_id || ! $is_connected ) {
return new WP_Error( 'site_not_connected' );
}
$api_url = sprintf( self::SCAN_API_BASE, $blog_id );
return $api_url;
}
/**
* Fetches the status data from the Scan API
*
* @return WP_Error|array
*/
public static function fetch_from_api() {
$api_url = self::get_api_url();
if ( is_wp_error( $api_url ) ) {
return $api_url;
}
$response = Client::wpcom_json_api_request_as_blog(
self::get_api_url(),
'2',
array( 'method' => 'GET' ),
null,
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code || empty( $response['body'] ) ) {
return new WP_Error( 'failed_fetching_status', 'Failed to fetch Scan data from the server', array( 'status' => $response_code ) );
}
$body = json_decode( wp_remote_retrieve_body( $response ) );
self::update_option( maybe_serialize( $body ) );
return $body;
}
/**
* Normalize API Data
* Formats the payload from the Scan API into an instance of Status_Model.
*
* @param object $scan_data The data returned by the scan API.
*
* @return Status_Model
*/
private static function normalize_api_data( $scan_data ) {
global $wp_version;
$status = new Status_Model();
$status->data_source = 'scan_api';
$status->status = isset( $scan_data->state ) ? $scan_data->state : null;
$status->num_threats = 0;
$status->num_themes_threats = 0;
$status->num_plugins_threats = 0;
$status->has_unchecked_items = false;
if ( ! empty( $scan_data->most_recent->timestamp ) ) {
$date = new \DateTime( $scan_data->most_recent->timestamp );
if ( $date ) {
$status->last_checked = $date->format( 'Y-m-d H:i:s' );
}
}
$status->core = new Extension_Model(
array(
'type' => 'core',
'name' => 'WordPress',
'version' => $wp_version,
'checked' => true, // to do: default to false once Scan API has manifest
)
);
if ( isset( $scan_data->threats ) && is_array( $scan_data->threats ) ) {
foreach ( $scan_data->threats as $threat ) {
if ( isset( $threat->extension->type ) ) {
if ( 'plugin' === $threat->extension->type ) {
// add the extension if it does not yet exist in the status
if ( ! isset( $status->plugins[ $threat->extension->slug ] ) ) {
$status->plugins[ $threat->extension->slug ] = new Extension_Model(
array(
'name' => isset( $threat->extension->name ) ? $threat->extension->name : null,
'slug' => isset( $threat->extension->slug ) ? $threat->extension->slug : null,
'version' => isset( $threat->extension->version ) ? $threat->extension->version : null,
'type' => 'plugin',
'checked' => true,
'threats' => array(),
)
);
}
$status->plugins[ $threat->extension->slug ]->threats[] = new Threat_Model(
array(
'id' => isset( $threat->id ) ? $threat->id : null,
'signature' => isset( $threat->signature ) ? $threat->signature : null,
'title' => isset( $threat->title ) ? $threat->title : null,
'description' => isset( $threat->description ) ? $threat->description : null,
'vulnerability_description' => isset( $threat->vulnerability_description ) ? $threat->vulnerability_description : null,
'fix_description' => isset( $threat->fix_description ) ? $threat->fix_description : null,
'payload_subtitle' => isset( $threat->payload_subtitle ) ? $threat->payload_subtitle : null,
'payload_description' => isset( $threat->payload_description ) ? $threat->payload_description : null,
'first_detected' => isset( $threat->first_detected ) ? $threat->first_detected : null,
'fixed_in' => isset( $threat->fixer->fixer ) && 'update' === $threat->fixer->fixer ? $threat->fixer->target : null,
'severity' => isset( $threat->severity ) ? $threat->severity : null,
'fixable' => isset( $threat->fixer ) ? $threat->fixer : null,
'status' => isset( $threat->status ) ? $threat->status : null,
'filename' => isset( $threat->filename ) ? $threat->filename : null,
'context' => isset( $threat->context ) ? $threat->context : null,
'source' => isset( $threat->source ) ? $threat->source : null,
)
);
$status->num_threats++;
$status->num_plugins_threats++;
continue;
}
if ( 'theme' === $threat->extension->type ) {
// add the extension if it does not yet exist in the status
if ( ! isset( $status->themes[ $threat->extension->slug ] ) ) {
$status->themes[ $threat->extension->slug ] = new Extension_Model(
array(
'name' => isset( $threat->extension->name ) ? $threat->extension->name : null,
'slug' => isset( $threat->extension->slug ) ? $threat->extension->slug : null,
'version' => isset( $threat->extension->version ) ? $threat->extension->version : null,
'type' => 'theme',
'checked' => true,
'threats' => array(),
)
);
}
$status->themes[ $threat->extension->slug ]->threats[] = new Threat_Model(
array(
'id' => isset( $threat->id ) ? $threat->id : null,
'signature' => isset( $threat->signature ) ? $threat->signature : null,
'title' => isset( $threat->title ) ? $threat->title : null,
'description' => isset( $threat->description ) ? $threat->description : null,
'vulnerability_description' => isset( $threat->vulnerability_description ) ? $threat->vulnerability_description : null,
'fix_description' => isset( $threat->fix_description ) ? $threat->fix_description : null,
'payload_subtitle' => isset( $threat->payload_subtitle ) ? $threat->payload_subtitle : null,
'payload_description' => isset( $threat->payload_description ) ? $threat->payload_description : null,
'first_detected' => isset( $threat->first_detected ) ? $threat->first_detected : null,
'fixed_in' => isset( $threat->fixer->fixer ) && 'update' === $threat->fixer->fixer ? $threat->fixer->target : null,
'severity' => isset( $threat->severity ) ? $threat->severity : null,
'fixable' => isset( $threat->fixer ) ? $threat->fixer : null,
'status' => isset( $threat->status ) ? $threat->status : null,
'filename' => isset( $threat->filename ) ? $threat->filename : null,
'context' => isset( $threat->context ) ? $threat->context : null,
'source' => isset( $threat->source ) ? $threat->source : null,
)
);
$status->num_threats++;
$status->num_themes_threats++;
continue;
}
}
if ( isset( $threat->signature ) && 'Vulnerable.WP.Core' === $threat->signature ) {
if ( $threat->version !== $wp_version ) {
continue;
}
$status->core->threats[] = new Threat_Model(
array(
'id' => $threat->id,
'signature' => $threat->signature,
'title' => $threat->title,
'description' => $threat->description,
'first_detected' => $threat->first_detected,
'severity' => $threat->severity,
)
);
$status->num_threats++;
continue;
}
if ( ! empty( $threat->filename ) ) {
$status->files[] = new Threat_Model( $threat );
$status->num_threats++;
continue;
}
if ( ! empty( $threat->table ) ) {
$status->database[] = new Threat_Model( $threat );
$status->num_threats++;
continue;
}
}
}
$installed_plugins = Plugins_Installer::get_plugins();
$status->plugins = self::merge_installed_and_checked_lists( $installed_plugins, $status->plugins, array( 'type' => 'plugins' ), true );
$installed_themes = Sync_Functions::get_themes();
$status->themes = self::merge_installed_and_checked_lists( $installed_themes, $status->themes, array( 'type' => 'themes' ), true );
foreach ( array_merge( $status->themes, $status->plugins ) as $extension ) {
if ( ! $extension->checked ) {
$status->has_unchecked_items = true;
break;
}
}
return $status;
}
/**
* Merges the list of installed extensions with the list of extensions that were checked for known vulnerabilities and return a normalized list to be used in the UI
*
* @param array $installed The list of installed extensions, where each attribute key is the extension slug.
* @param object $checked The list of checked extensions.
* @param array $append Additional data to append to each result in the list.
* @return array Normalized list of extensions.
*/
protected static function merge_installed_and_checked_lists( $installed, $checked, $append ) {
$new_list = array();
$checked = (object) $checked;
foreach ( array_keys( $installed ) as $slug ) {
/**
* Extension Type Map
*
* @var array $extension_type_map Key value pairs of extension types and their corresponding
* identifier used by the Scan API data source.
*/
$extension_type_map = array(
'themes' => 'r1',
'plugins' => 'r2',
);
$version = $installed[ $slug ]['Version'];
$short_slug = str_replace( '.php', '', explode( '/', $slug )[0] );
$scanifest_slug = $extension_type_map[ $append['type'] ] . ":$short_slug@$version";
$extension = new Extension_Model(
array_merge(
array(
'name' => $installed[ $slug ]['Name'],
'version' => $version,
'slug' => $slug,
'threats' => array(),
'checked' => false,
),
$append
)
);
if ( ! isset( $checked->extensions ) // no extension data available from Scan API
|| is_array( $checked->extensions ) && in_array( $scanifest_slug, $checked->extensions, true ) // extension data matches Scan API
) {
$extension->checked = true;
if ( isset( $checked->{ $short_slug }->threats ) ) {
$extension->threats = $checked->{ $short_slug }->threats;
}
}
$new_list[] = $extension;
}
$new_list = parent::sort_threats( $new_list );
return $new_list;
}
}

30
wp-content/plugins/jetpack-protect/src/class-site-health.php
View File

@ -10,7 +10,7 @@ namespace Automattic\Jetpack\Protect;
/**
* Site_Health.
*
* Displays vulnerabilities in WordPress site health page.
* Displays threats in WordPress site health page.
*/
class Site_Health {
@ -50,20 +50,20 @@ class Site_Health {
* @return array
*/
public static function do_checks() {
$total_vuls = Status::get_total_vulnerabilities();
$vulns = Status::get_all_vulnerabilities();
$vulns = array_map(
$total_threats = Status::get_total_threats();
$threats = Status::get_all_threats();
$threats = array_map(
function ( $v ) {
return $v->title;
},
$vulns
$threats
);
/**
* Default, no vulnerabilities found
* Default, no threats found
*/
$result = array(
'label' => __( 'No known vulnerabilities found', 'jetpack-protect' ),
'label' => __( 'No known threats found', 'jetpack-protect' ),
'status' => 'good',
'badge' => array(
'label' => __( 'Security', 'jetpack-protect' ),
@ -71,25 +71,25 @@ class Site_Health {
),
'description' => sprintf(
'<p>%s</p>',
__( 'Jetpack Protect did not find any known vulnerabilities in your site. Vulnerabilities can be exploited by hackers and cause harm to your website.', 'jetpack-protect' )
__( 'Jetpack Protect did not find any known threats in your site. Threats can be exploited by hackers and cause harm to your website.', 'jetpack-protect' )
),
'actions' => '',
'test' => 'jetpack_protect_checks',
);
/**
* If vulnerabilities found.
* If threats found.
*/
if ( $total_vuls ) {
if ( $total_threats ) {
$result['status'] = 'critical';
/* translators: $d is the number of vulnerabilities found. */
$result['label'] = sprintf( _n( 'Your site is affected by %d security vulnerability', 'Your site is affected by %d security vulnerabilities', $total_vuls, 'jetpack-protect' ), $total_vuls );
$result['description'] = __( 'Jetpack Protect detected the following security vulnerabilities in your site:', 'jetpack-protect' );
/* translators: $d is the number of threats found. */
$result['label'] = sprintf( _n( 'Your site is affected by %d security threat', 'Your site is affected by %d security threats', $total_threats, 'jetpack-protect' ), $total_threats );
$result['description'] = __( 'Jetpack Protect detected the following security threats in your site:', 'jetpack-protect' );
foreach ( $vulns as $vuln ) {
foreach ( $threats as $threat ) {
$result['description'] .= '<p>';
$result['description'] .= "<span class='dashicons dashicons-warning' style='color: crimson;'></span> &nbsp";
$result['description'] .= wp_kses( $vuln, array( 'a' => array( 'href' => array() ) ) ); // Only allow a href HTML tags.
$result['description'] .= wp_kses( $threat, array( 'a' => array( 'href' => array() ) ) ); // Only allow a href HTML tags.
$result['description'] .= '</p>';
}
$result['description'] .= '<p>';

421
wp-content/plugins/jetpack-protect/src/class-status.php
View File

@ -7,38 +7,23 @@
namespace Automattic\Jetpack\Protect;
use Automattic\Jetpack\Connection\Client;
use Automattic\Jetpack\Connection\Manager as Connection_Manager;
use Automattic\Jetpack\Plugins_Installer;
use Automattic\Jetpack\Sync\Functions as Sync_Functions;
use Jetpack_Options;
use WP_Error;
/**
* Class that handles fetching and caching the Status of vulnerabilities check from the WPCOM servers
*/
class Status {
/**
* WPCOM endpoint
*
* @var string
*/
const REST_API_BASE = '/sites/%d/jetpack-protect-status';
/**
* Name of the option where status is stored
*
* @var string
*/
const OPTION_NAME = 'jetpack_protect_status';
const OPTION_NAME = '';
/**
* Name of the option where the timestamp of the status is stored
*
* @var string
*/
const OPTION_TIMESTAMP_NAME = 'jetpack_protect_status_time';
const OPTION_TIMESTAMP_NAME = '';
/**
* Time in seconds that the cache should last
@ -57,121 +42,31 @@ class Status {
/**
* Memoization for the current status
*
* @var null|array
* @var null|Status_Model
*/
public static $status = null;
/**
* Gets the current status of the Jetpack Protect checks
*
* @return array
* @param bool $refresh_from_wpcom Refresh the local plan and status cache from wpcom.
* @return Status_Model
*/
public static function get_status() {
if ( self::$status !== null ) {
return self::$status;
}
public static function get_status( $refresh_from_wpcom = false ) {
$use_scan_status = Plan::has_required_plan();
if ( ! self::should_use_cache() || self::is_cache_expired() ) {
$status = self::fetch_from_server();
} else {
$status = self::get_from_options();
}
if ( defined( 'JETPACK_PROTECT_DEV__DATA_SOURCE' ) ) {
if ( 'scan_api' === JETPACK_PROTECT_DEV__DATA_SOURCE ) {
$use_scan_status = true;
}
if ( is_wp_error( $status ) ) {
$status = array(
'error' => true,
'error_code' => $status->get_error_code(),
'error_message' => $status->get_error_message(),
);
} else {
$status = self::normalize_report_data( $status );
}
self::$status = $status;
return $status;
}
/**
* Checks the current status to see if there are any vulnerabilities found
*
* @return boolean
*/
public static function has_vulnerabilities() {
return 0 < self::get_total_vulnerabilities();
}
/**
* Gets the total number of vulnerabilities found
*
* @return integer
*/
public static function get_total_vulnerabilities() {
$status = self::get_status();
return isset( $status->num_vulnerabilities ) && is_int( $status->num_vulnerabilities ) ? $status->num_vulnerabilities : 0;
}
/**
* Get all vulnerabilities combined
*
* @return array
*/
public static function get_all_vulnerabilities() {
return array_merge(
self::get_wordpress_vulnerabilities(),
self::get_themes_vulnerabilities(),
self::get_plugins_vulnerabilities()
);
}
/**
* Get vulnerabilities found for WordPress core
*
* @return array
*/
public static function get_wordpress_vulnerabilities() {
return self::get_vulnerabilities( 'core' );
}
/**
* Get vulnerabilities found for themes
*
* @return array
*/
public static function get_themes_vulnerabilities() {
return self::get_vulnerabilities( 'themes' );
}
/**
* Get vulnerabilities found for plugins
*
* @return array
*/
public static function get_plugins_vulnerabilities() {
return self::get_vulnerabilities( 'plugins' );
}
/**
* Get the vulnerabilities for one type of extension or core
*
* @param string $type What vulnerabilities you want to get. Possible values are 'core', 'themes' and 'plugins'.
*
* @return array
*/
public static function get_vulnerabilities( $type ) {
$status = self::get_status();
if ( 'core' === $type ) {
return isset( $status->$type ) && ! empty( $status->$type->vulnerabilities ) ? $status->$type->vulnerabilities : array();
}
$vuls = array();
if ( isset( $status->$type ) ) {
foreach ( (array) $status->$type as $item ) {
if ( ! empty( $item->vulnerabilities ) ) {
$vuls = array_merge( $vuls, $item->vulnerabilities );
}
if ( 'protect_report' === JETPACK_PROTECT_DEV__DATA_SOURCE ) {
$use_scan_status = false;
}
}
return $vuls;
self::$status = $use_scan_status ? Scan_Status::get_status( $refresh_from_wpcom ) : Protect_Status::get_status( $refresh_from_wpcom );
return self::$status;
}
/**
@ -180,7 +75,7 @@ class Status {
* @return boolean
*/
public static function is_cache_expired() {
$option_timestamp = get_option( self::OPTION_TIMESTAMP_NAME );
$option_timestamp = get_option( static::OPTION_TIMESTAMP_NAME );
if ( ! $option_timestamp ) {
return true;
@ -198,61 +93,13 @@ class Status {
return defined( 'JETPACK_PROTECT_DEV__BYPASS_CACHE' ) && JETPACK_PROTECT_DEV__BYPASS_CACHE ? false : true;
}
/**
* Gets the WPCOM API endpoint
*
* @return WP_Error|string
*/
public static function get_api_url() {
$blog_id = Jetpack_Options::get_option( 'id' );
$is_connected = ( new Connection_Manager() )->is_connected();
if ( ! $blog_id || ! $is_connected ) {
return new WP_Error( 'site_not_connected' );
}
$api_url = sprintf( self::REST_API_BASE, $blog_id );
return $api_url;
}
/**
* Fetches the status from WPCOM servers
*
* @return WP_Error|array
*/
public static function fetch_from_server() {
$api_url = self::get_api_url();
if ( is_wp_error( $api_url ) ) {
return $api_url;
}
$response = Client::wpcom_json_api_request_as_blog(
self::get_api_url(),
'2',
array( 'method' => 'GET' ),
null,
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code || empty( $response['body'] ) ) {
return new WP_Error( 'failed_fetching_status', 'Failed to fetch Protect Status data from server', array( 'status' => $response_code ) );
}
$body = json_decode( wp_remote_retrieve_body( $response ) );
self::update_option( $body );
return $body;
}
/**
* Gets the current cached status
*
* @return bool|array False if value is not found. Array with values if cache is found.
*/
public static function get_from_options() {
return get_option( self::OPTION_NAME );
return maybe_unserialize( get_option( static::OPTION_NAME ) );
}
/**
@ -263,9 +110,9 @@ class Status {
*/
public static function update_option( $status ) {
// TODO: Sanitize $status.
update_option( self::OPTION_NAME, $status );
update_option( static::OPTION_NAME, $status );
$end_date = self::get_cache_end_date_by_status( $status );
update_option( self::OPTION_TIMESTAMP_NAME, $end_date );
update_option( static::OPTION_TIMESTAMP_NAME, $end_date );
}
/**
@ -278,94 +125,175 @@ class Status {
*/
public static function get_cache_end_date_by_status( $status ) {
if ( ! is_object( $status ) || empty( $status->last_checked ) ) {
return time() + self::INITIAL_OPTION_EXPIRES_AFTER;
return time() + static::INITIAL_OPTION_EXPIRES_AFTER;
}
return time() + self::OPTION_EXPIRES_AFTER;
return time() + static::OPTION_EXPIRES_AFTER;
}
/**
* Delete the cached status and its timestamp
*
* @return void
* @return bool Whether all related status options were successfully deleted.
*/
public static function delete_option() {
delete_option( self::OPTION_NAME );
delete_option( self::OPTION_TIMESTAMP_NAME );
$option_deleted = delete_option( static::OPTION_NAME );
$option_timestamp_deleted = delete_option( static::OPTION_TIMESTAMP_NAME );
return $option_deleted && $option_timestamp_deleted;
}
/**
* Prepare the report data for the UI
* Checks the current status to see if there are any threats found
*
* @param string $report_data The report status report response.
* @return object The normalized report data.
* @return boolean
*/
private static function normalize_report_data( $report_data ) {
$installed_plugins = Plugins_Installer::get_plugins();
$last_report_plugins = isset( $report_data->plugins ) ? $report_data->plugins : new \stdClass();
$report_data->plugins = self::merge_installed_and_checked_lists( $installed_plugins, $last_report_plugins, array( 'type' => 'plugin' ) );
public static function has_threats() {
return 0 < self::get_total_threats();
}
$installed_themes = Sync_Functions::get_themes();
$last_report_themes = isset( $report_data->themes ) ? $report_data->themes : new \stdClass();
$report_data->themes = self::merge_installed_and_checked_lists( $installed_themes, $last_report_themes, array( 'type' => 'theme' ) );
/**
* Gets the total number of threats found
*
* @return integer
*/
public static function get_total_threats() {
$status = static::get_status();
return isset( $status->num_threats ) && is_int( $status->num_threats ) ? $status->num_threats : 0;
}
$report_data->core = self::normalize_core_information( isset( $report_data->core ) ? $report_data->core : new \stdClass() );
$all_items = array_merge( $report_data->plugins, $report_data->themes, array( $report_data->core ) );
$unchecked_items = array_filter(
$all_items,
function ( $item ) {
return ! isset( $item->checked ) || ! $item->checked;
}
/**
* Get all threats combined
*
* @return array
*/
public static function get_all_threats() {
return array_merge(
self::get_wordpress_threats(),
self::get_themes_threats(),
self::get_plugins_threats(),
self::get_files_threats(),
self::get_database_threats()
);
// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
$report_data->hasUncheckedItems = ! empty( $unchecked_items );
return $report_data;
}
/**
* Merges the list of installed extensions with the list of extensions that were checked for known vulnerabilities and return a normalized list to be used in the UI
* Get threats found for WordPress core
*
* @param array $installed The list of installed extensions, where each attribute key is the extension slug.
* @param array $checked The list of checked extensions.
* @param array $append Additional data to append to each result in the list.
* @return array Normalized list of extensions.
* @return array
*/
private static function merge_installed_and_checked_lists( $installed, $checked, $append ) {
$new_list = array();
foreach ( $installed as $slug => $item ) {
if ( isset( $checked->{ $slug } ) && $checked->{ $slug }->version === $installed[ $slug ]['Version'] ) {
$new_list[] = (object) array_merge(
array(
'name' => $installed[ $slug ]['Name'],
'version' => $checked->{ $slug }->version,
'slug' => $slug,
'vulnerabilities' => $checked->{ $slug }->vulnerabilities,
'checked' => true,
),
$append
);
} else {
$new_list[] = (object) array_merge(
array(
'name' => $installed[ $slug ]['Name'],
'version' => $installed[ $slug ]['Version'],
'slug' => $slug,
'vulnerabilities' => array(),
'checked' => false,
),
$append
);
public static function get_wordpress_threats() {
return self::get_threats( 'core' );
}
/**
* Get threats found for themes
*
* @return array
*/
public static function get_themes_threats() {
return self::get_threats( 'themes' );
}
/**
* Get threats found for plugins
*
* @return array
*/
public static function get_plugins_threats() {
return self::get_threats( 'plugins' );
}
/**
* Get threats found for files
*
* @return array
*/
public static function get_files_threats() {
return self::get_threats( 'files' );
}
/**
* Get threats found for plugins
*
* @return array
*/
public static function get_database_threats() {
return self::get_threats( 'database' );
}
/**
* Get the threats for one type of extension or core
*
* @param string $type What threats you want to get. Possible values are 'core', 'themes' and 'plugins'.
*
* @return array
*/
public static function get_threats( $type ) {
$status = static::get_status();
if ( 'core' === $type ) {
return isset( $status->$type ) && ! empty( $status->$type->threats ) ? $status->$type->threats : array();
}
if ( 'files' === $type || 'database' === $type ) {
return isset( $status->$type ) && ! empty( $status->$type ) ? $status->$type : array();
}
$threats = array();
if ( isset( $status->$type ) ) {
foreach ( (array) $status->$type as $item ) {
if ( ! empty( $item->threats ) ) {
$threats = array_merge( $threats, $item->threats );
}
}
}
return $threats;
}
/**
* Check if the WordPress version that was checked matches the current installed version.
*
* @param object $core_check The object returned by Protect wpcom endpoint.
* @return object The object representing the current status of core checks.
*/
protected static function normalize_core_information( $core_check ) {
global $wp_version;
$core = new Extension_Model(
array(
'type' => 'core',
'name' => 'WordPress',
'version' => $wp_version,
'checked' => false,
)
);
if ( isset( $core_check->version ) && $core_check->version === $wp_version ) {
if ( is_array( $core_check->vulnerabilities ) ) {
$core->checked = true;
$core->set_threats( $core_check->vulnerabilities );
}
}
return $core;
}
/**
* Sort By Threats
*
* @param array<object> $threats Array of threats to sort.
*
* @return array<object> The sorted $threats array.
*/
protected static function sort_threats( $threats ) {
usort(
$new_list,
$threats,
function ( $a, $b ) {
// sort primarily based on the presence of vulnerabilities
if ( ! empty( $a->vulnerabilities ) && empty( $b->vulnerabilities ) ) {
// sort primarily based on the presence of threats
if ( ! empty( $a->threats ) && empty( $b->threats ) ) {
return -1;
}
if ( empty( $a->vulnerabilities ) && ! empty( $b->vulnerabilities ) ) {
if ( empty( $a->threats ) && ! empty( $b->threats ) ) {
return 1;
}
// sort secondarily on whether the item has been checked
@ -379,31 +307,8 @@ class Status {
return 0;
}
);
return $new_list;
}
/**
* Check if the WordPress version that was checked matches the current installed version.
*
* @param object $core_check The object returned by Protect wpcom endpoint.
* @return object The object representing the current status of core checks.
*/
private static function normalize_core_information( $core_check ) {
global $wp_version;
$core = new \stdClass();
if ( isset( $core_check->version ) && $core_check->version === $wp_version ) {
$core = $core_check;
$core->name = 'WordPress';
$core->type = 'core';
} else {
$core->version = $wp_version;
$core->vulnerabilities = array();
$core->checked = false;
$core->name = 'WordPress';
$core->type = 'core';
}
return $core;
return $threats;
}
}

203
wp-content/plugins/jetpack-protect/src/class-threats.php Normal file
View File

@ -0,0 +1,203 @@
<?php
/**
* Class to handle Threats
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
use Automattic\Jetpack\Connection\Client;
use Automattic\Jetpack\Connection\Manager as Connection_Manager;
use Jetpack_Options;
use WP_Error;
/**
* Class that handles management of individual threats.
*/
class Threats {
/**
* Gets the base "Alerts" (Threats) endpoint.
*
* @return WP_Error|string
*/
private static function get_api_base() {
$blog_id = Jetpack_Options::get_option( 'id' );
$is_connected = ( new Connection_Manager() )->is_connected();
if ( ! $blog_id || ! $is_connected ) {
return new WP_Error( 'site_not_connected' );
}
$api_url = sprintf( '/sites/%d/alerts', $blog_id );
return $api_url;
}
/**
* Update Threat
*
* @param string $threat_id The threat ID.
* @param array $updates The keys/values to update.
*
* @return bool
*/
public static function update_threat( $threat_id, $updates ) {
$api_base = self::get_api_base( $threat_id );
if ( is_wp_error( $api_base ) ) {
return false;
}
$response = Client::wpcom_json_api_request_as_user(
"$api_base/$threat_id",
'2',
array( 'method' => 'POST' ),
wp_json_encode( $updates ),
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code ) {
return false;
}
// clear the now out-of-date cache
Scan_Status::delete_option();
return true;
}
/**
* Ignore Threat
*
* @param string $threat_id The threat ID.
*
* @return bool
*/
public static function ignore_threat( $threat_id ) {
return self::update_threat( $threat_id, array( 'ignore' => true ) );
}
/**
* Fix Threats
*
* @param array<string> $threat_ids Threat IDs.
*
* @return bool|array
*/
public static function fix_threats( $threat_ids ) {
$api_base = self::get_api_base();
if ( is_wp_error( $api_base ) ) {
return false;
}
$response = Client::wpcom_json_api_request_as_user(
"$api_base/fix",
'2',
array( 'method' => 'POST' ),
wp_json_encode(
array(
'threat_ids' => $threat_ids,
)
),
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code ) {
return false;
}
// clear the now out-of-date cache
Scan_Status::delete_option();
$parsed_response = json_decode( $response['body'] );
if ( ! $parsed_response ) {
return false;
}
return $parsed_response;
}
/**
* Fix Threats Status
*
* @param array<string> $threat_ids Threat IDs.
*
* @return bool|array
*/
public static function fix_threats_status( $threat_ids ) {
$api_base = self::get_api_base();
if ( is_wp_error( $api_base ) ) {
return false;
}
$response = Client::wpcom_json_api_request_as_user(
add_query_arg( 'threat_ids', $threat_ids, "$api_base/fix" ),
'2',
array( 'method' => 'GET' ),
null,
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code ) {
return false;
}
$parsed_response = json_decode( $response['body'] );
if ( ! $parsed_response ) {
return false;
}
// clear the potentially out-of-date cache
Scan_Status::delete_option();
return $parsed_response;
}
/**
* Scan enqueue
*
* @return bool
*/
public static function scan() {
$blog_id = Jetpack_Options::get_option( 'id' );
$is_connected = ( new Connection_Manager() )->is_connected();
if ( ! $blog_id || ! $is_connected ) {
return false;
}
$api_base = sprintf( '/sites/%d/scan', $blog_id );
if ( is_wp_error( $api_base ) ) {
return false;
}
$response = Client::wpcom_json_api_request_as_blog(
"$api_base/enqueue",
'2',
array( 'method' => 'POST' ),
null,
'wpcom'
);
$response_code = wp_remote_retrieve_response_code( $response );
if ( is_wp_error( $response ) || 200 !== $response_code ) {
return false;
}
// clear the now out-of-date cache
Scan_Status::delete_option();
return true;
}
}

111
wp-content/plugins/jetpack-protect/src/models/class-extension-model.php Normal file
View File

@ -0,0 +1,111 @@
<?php
/**
* Model class for extensions.
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
/**
* Model class for extension data.
*/
class Extension_Model {
/**
* The extension name.
*
* @var null|string
*/
public $name;
/**
* The extension slug.
*
* @var null|string
*/
public $slug;
/**
* The extension version.
*
* @var null|string
*/
public $version;
/**
* A collection of threats related to this version of the extension.
*
* @var array<Threat_Model>
*/
public $threats = array();
/**
* Whether the extension has been checked for threats.
*
* @var null|bool
*/
public $checked;
/**
* The type of extension ("plugins", "themes", or "core").
*
* @var null|string
*/
public $type;
/**
* Extension Model Constructor
*
* @param array|object $extension Extension data to load into the model instance.
*/
public function __construct( $extension = array() ) {
if ( is_object( $extension ) ) {
$extension = (array) $extension;
}
foreach ( $extension as $property => $value ) {
if ( property_exists( $this, $property ) ) {
// use the property's setter method when possible
if ( method_exists( $this, "set_$property" ) ) {
$this->{ "set_$property" }( $value );
continue;
}
// otherwise, map the value directly into the class property
$this->$property = $value;
}
}
}
/**
* Set Threats
*
* @param array<Threat_Model|array|object> $threats An array of threat data to add to the extension.
*/
public function set_threats( $threats ) {
if ( ! is_array( $threats ) ) {
$this->threats = array();
return;
}
// convert each provided threat item into an instance of Threat_Model
$threats = array_map(
function ( $threat ) {
if ( is_a( $threat, 'Threat_Model' ) ) {
return $threat;
}
if ( is_object( $threat ) ) {
$threat = (array) $threat;
}
return new Threat_Model( $threat );
},
$threats
);
$this->threats = $threats;
}
}

135
wp-content/plugins/jetpack-protect/src/models/class-status-model.php Normal file
View File

@ -0,0 +1,135 @@
<?php
/**
* Model class for Protect status report data.
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
/**
* Model class for the Protect status report data.
*/
class Status_Model {
/**
* Data source.
*
* @var string protect_report|scan_api
*/
public $data_source;
/**
* The date and time when the status was generated.
*
* @var string
*/
public $last_checked;
/**
* The number of threats.
*
* @var int
*/
public $num_threats;
/**
* The number of plugin threats.
*
* @var int
*/
public $num_plugins_threats;
/**
* The number of theme threats.
*
* @var int
*/
public $num_themes_threats;
/**
* The current report status.
*
* @var string in_progress|scheduled|idle|scanning|provisioning|unavailable
*/
public $status;
/**
* WordPress core status.
*
* @var object
*/
public $core;
/**
* Status themes.
*
* @var array<Extension_Model>
*/
public $themes = array();
/**
* Status plugins.
*
* @var array<Extension_Model>
*/
public $plugins = array();
/**
* File threats.
*
* @var array<Extension_Model>
*/
public $files = array();
/**
* Database threats.
*
* @var array<Extension_Model>
*/
public $database = array();
/**
* Whether the site includes items that have not been checked.
*
* @var boolean
*/
public $has_unchecked_items;
/**
* Whether there was an error loading the status.
*
* @var bool
*/
public $error = false;
/**
* The error code thrown when loading the status.
*
* @var string
*/
public $error_code;
/**
* The error message thrown when loading the status.
*
* @var string
*/
public $error_message;
/**
* Status constructor.
*
* @param array $status The status data to load into the class instance.
*/
public function __construct( $status = array() ) {
// set status defaults
$this->core = new \stdClass();
foreach ( $status as $property => $value ) {
if ( property_exists( $this, $property ) ) {
$this->$property = $value;
}
}
}
}

116
wp-content/plugins/jetpack-protect/src/models/class-threat-model.php Normal file
View File

@ -0,0 +1,116 @@
<?php
/**
* Model class for threat data.
*
* @package automattic/jetpack-protect-plugin
*/
namespace Automattic\Jetpack\Protect;
/**
* Model class for threat data.
*/
class Threat_Model {
/**
* Threat ID.
*
* @var null|string
*/
public $id;
/**
* Threat Signature.
*
* @var null|string
*/
public $signature;
/**
* Threat Title.
*
* @var null|string
*/
public $title;
/**
* Threat Description.
*
* @var null|string
*/
public $description;
/**
* The data the threat was first detected.
*
* @var null|string
*/
public $first_detected;
/**
* The version the threat is fixed in.
*
* @var null|string
*/
public $fixed_in;
/**
* The severity of the threat between 1-5.
*
* @var null|int
*/
public $severity;
/**
* Information about the auto-fix available for this threat. False when not auto-fixable.
*
* @var null|bool|object
*/
public $fixable;
/**
* The current status of the threat.
*
* @var null|string
*/
public $status;
/**
* The filename of the threat.
*
* @var null|string
*/
public $filename;
/**
* The context of the threat.
*
* @var null|object
*/
public $context;
/**
* The source URL of the threat.
*
* @var null|string
*/
public $source;
/**
* Threat Constructor
*
* @param array|object $threat Threat data to load into the class instance.
*/
public function __construct( $threat ) {
if ( is_object( $threat ) ) {
$threat = (array) $threat;
}
foreach ( $threat as $property => $value ) {
if ( property_exists( $this, $property ) ) {
$this->$property = $value;
}
}
}
}