updated plugin Jetpack Protect version 2.2.0

2024-06-27 12:10:57 +00:00
parent ec9d8a5834
commit 938cef2946
218 changed files with 7469 additions and 1864 deletions
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/CHANGELOG.md
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/CHANGELOG.md
@ -5,14 +5,46 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

-## [0.16.0.1] - 2024-04-10
+## [0.16.8] - 2024-05-20
+### Changed
+- Internal updates.
+
+## [0.16.7] - 2024-05-06
+### Changed
+- Internal updates.
+
+## [0.16.6] - 2024-04-29
+### Changed
+- Internal updates.
+
+## [0.16.5] - 2024-04-25
+### Changed
+- Internal updates.
+
+## [0.16.4] - 2024-04-22
+### Changed
+- Internal updates.
+
+## [0.16.3] - 2024-04-15
 ### Security
- Improves handling of REQUEST_URI [#36833]
+- Improves handling of REQUEST_URI. [#36833]
+
+## [0.16.2] - 2024-04-08
+### Changed
+- Internal updates.
+
+## [0.16.1] - 2024-03-25
+### Changed
+- Internal updates.

 ## [0.16.0] - 2024-03-22
 ### Added
 - Add data to WAF logs and add toggle for users to opt-in to share more data with us if needed. [#36377]

+## [0.15.2] - 2024-03-18
+### Changed
+- Internal updates.
+
 ## [0.15.1] - 2024-03-14
 ### Changed
 - Internal updates.
@ -289,8 +321,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Core: do not ship .phpcs.dir.xml in production builds.

-[0.16.0.1]: https://github.com/Automattic/jetpack-waf/compare/v0.16.0...v0.16.0.1
+[0.16.8]: https://github.com/Automattic/jetpack-waf/compare/v0.16.7...v0.16.8
+[0.16.7]: https://github.com/Automattic/jetpack-waf/compare/v0.16.6...v0.16.7
+[0.16.6]: https://github.com/Automattic/jetpack-waf/compare/v0.16.5...v0.16.6
+[0.16.5]: https://github.com/Automattic/jetpack-waf/compare/v0.16.4...v0.16.5
+[0.16.4]: https://github.com/Automattic/jetpack-waf/compare/v0.16.3...v0.16.4
+[0.16.3]: https://github.com/Automattic/jetpack-waf/compare/v0.16.2...v0.16.3
+[0.16.2]: https://github.com/Automattic/jetpack-waf/compare/v0.16.1...v0.16.2
+[0.16.1]: https://github.com/Automattic/jetpack-waf/compare/v0.16.0...v0.16.1
 [0.16.0]: https://github.com/Automattic/jetpack-waf/compare/v0.15.1...v0.16.0
+[0.15.2]: https://github.com/Automattic/jetpack-waf/compare/v0.15.1...v0.15.2
 [0.15.1]: https://github.com/Automattic/jetpack-waf/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/Automattic/jetpack-waf/compare/v0.14.2...v0.15.0
 [0.14.2]: https://github.com/Automattic/jetpack-waf/compare/v0.14.1...v0.14.2
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/cli.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/cli.php
@ -8,5 +8,6 @@
 namespace Automattic\Jetpack\Waf;

 if ( defined( 'WP_CLI' ) && \WP_CLI ) {
+	// @phan-suppress-next-line PhanUndeclaredFunctionInCallable -- https://github.com/phan/phan/issues/4763
 	\WP_CLI::add_command( 'jetpack-waf', CLI::class );
 }
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/composer.json
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/composer.json
@ -5,15 +5,15 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.0",
-		"automattic/jetpack-connection": "^2.4.1",
-		"automattic/jetpack-constants": "^2.0.1",
+		"automattic/jetpack-connection": "^2.8.3",
+		"automattic/jetpack-constants": "^2.0.2",
 		"automattic/jetpack-ip": "^0.2.2",
-		"automattic/jetpack-status": "^2.1.2",
+		"automattic/jetpack-status": "^3.1.0",
 		"wikimedia/aho-corasick": "^1.0"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "1.1.0",
-		"automattic/jetpack-changelogger": "^4.1.1",
+		"automattic/jetpack-changelogger": "^4.2.4",
 		"automattic/wordbless": "@dev"
 	},
 	"suggest": {
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/brute-force-protection/class-blocked-login-page.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/brute-force-protection/class-blocked-login-page.php
@ -460,6 +460,7 @@ class Brute_Force_Protection_Blocked_Login_Page {
 	 * @param string $message - the message we're sending.
 	 * @param string $back_button - the back button.
 	 * @param string $recovery_form - the recovery form.
+	 * @return never
 	 */
 	public function display_page( $title, $message, $back_button = false, $recovery_form = false ) {

--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/brute-force-protection/class-math-fallback.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/brute-force-protection/class-math-fallback.php
@ -44,9 +44,7 @@ if ( ! class_exists( 'Brute_Force_Protection_Math_Authenticate' ) ) {
 		/**
 		 * Verifies that a user answered the math problem correctly while logging in.
 		 *
-		 * @return bool Returns true if the math is correct
-		 * @throws Error If insuffient $_POST variables are present.
-		 * @throws Error Message if the math is wrong.
+		 * @return bool Returns true if the math is correct. Exits if not.
 		 */
 		public static function math_authenticate() {
 			if ( isset( $_COOKIE['jpp_math_pass'] ) ) {
@ -90,6 +88,7 @@ if ( ! class_exists( 'Brute_Force_Protection_Math_Authenticate' ) ) {
 		 * Creates an interim page to collect answers to a math captcha
 		 *
 		 * @param string $error - the error message.
+		 * @return never
 		 */
 		public static function generate_math_page( $error = false ) {
 			ob_start();
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/brute-force-protection/class-shared-functions.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/brute-force-protection/class-shared-functions.php
@ -174,7 +174,7 @@ class Brute_Force_Protection_Shared_Functions {
 	 * @access public
 	 * @param mixed $allow_list IP allow list.
 	 * @param bool  $global (default: false) Global.
-	 * @return Bool.
+	 * @return bool
 	 */
 	public static function save_allow_list( $allow_list, $global = false ) {
 		$allow_list_error = false;
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-brute-force-protection.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-brute-force-protection.php
@ -26,7 +26,7 @@ class Brute_Force_Protection {
 	/**
 	 * Instance of the class.
 	 *
-	 * @var Brute_Force_Protection()
+	 * @var Brute_Force_Protection
 	 */
 	private static $instance = null;

--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-rest-controller.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-rest-controller.php
@ -10,6 +10,8 @@ namespace Automattic\Jetpack\Waf;
 use Automattic\Jetpack\Connection\REST_Connector;
 use Automattic\Jetpack\Waf\Brute_Force_Protection\Brute_Force_Protection;
 use WP_Error;
+use WP_REST_Request;
+use WP_REST_Response;
 use WP_REST_Server;

 /**
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-waf-initializer.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-waf-initializer.php
@ -9,6 +9,7 @@ namespace Automattic\Jetpack\Waf;

 use Automattic\Jetpack\Waf\Brute_Force_Protection\Brute_Force_Protection;
 use WP_Error;
+use WP_Upgrader;

 /**
 * Initializes the module
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-waf-request.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-waf-request.php
@ -9,10 +9,12 @@ namespace Automattic\Jetpack\Waf;

 require_once __DIR__ . '/functions.php';

+<<<PHAN
+@phan-type RequestFile = array{ name: string, filename: string }
+PHAN;
+
 /**
 * Request representation.
- *
- * @template RequestFile as array{ name: string, filename: string }
 */
 class Waf_Request {
 	/**
@ -20,7 +22,7 @@ class Waf_Request {
 	 *
 	 * @example for `https://wordpress.com/index.php?myvar=red`
 	 *          $this->url = [ 'https://wordpress.com', '/index.php', '?myvar=red' ]
-	 * @var array{ 0: string, 1: string, 2: string }|null
+	 * @var array{0: string, 1: string, 2: string}|null
 	 */
 	protected $url = null;

@ -117,7 +119,7 @@ class Waf_Request {
 	/**
 	 * Returns the headers that were sent with this request
 	 *
-	 * @return array{ 0: string, 1: scalar }[]
+	 * @return array{0: string, 1: scalar}[]
 	 */
 	public function get_headers() {
 		$value              = array();
@ -198,7 +200,7 @@ class Waf_Request {
 	 * Returns the URL parts for this request.
 	 *
 	 * @see $this->url
-	 * @return array{ 0: string, 1: string, 2: string }
+	 * @return array{0: string, 1: string, 2: string}
 	 */
 	protected function get_url() {
 		if ( null !== $this->url ) {
@ -311,7 +313,7 @@ class Waf_Request {
 	/**
 	 * Returns the cookies
 	 *
-	 * @return array<string, string>
+	 * @return array{string, scalar}[]
 	 */
 	public function get_cookies() {
 		return flatten_array( $_COOKIE );
@ -320,7 +322,7 @@ class Waf_Request {
 	/**
 	 * Returns the GET variables
 	 *
-	 * @return array<string, mixed|array>
+	 * @return array{string, scalar}[]
 	 */
 	public function get_get_vars() {
 		return flatten_array( $_GET );
@ -329,7 +331,7 @@ class Waf_Request {
 	/**
 	 * Returns the POST variables
 	 *
-	 * @return array<string, mixed|array>
+	 * @return array{string, scalar}[]
 	 */
 	public function get_post_vars() {
 		// Attempt to decode JSON requests.
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-waf-runtime.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/class-waf-runtime.php
@ -19,11 +19,14 @@ require_once __DIR__ . '/functions.php';
 * @var string JETPACK_WAF_MODE
 */

+// Type aliases for this file.
+<<<PHAN
+@phan-type Target = array{ only?: string[], except?: string[], count?: boolean }
+@phan-type TargetBag = array<string, Target>
+PHAN;
+
 /**
 * Waf_Runtime class
- *
- * @template Target as array{ only?: string[], except?: string[], count?: boolean }
- * @template TargetBag as array<string, Target>
 */
 class Waf_Runtime {
 	/**
@ -124,7 +127,7 @@ class Waf_Runtime {
 	 *
 	 * @param Waf_Transforms $transforms Transforms.
 	 * @param Waf_Operators  $operators  Operators.
-	 * @param Waf_Request?   $request    Information about the request.
+	 * @param ?Waf_Request   $request    Information about the request.
 	 */
 	public function __construct( $transforms, $operators, $request = null ) {
 		$this->transforms = $transforms;
@ -383,6 +386,7 @@ class Waf_Runtime {
 	 *
 	 * @param string $rule_id Rule id.
 	 * @param string $url Url.
+	 * @return never
 	 */
 	public function redirect( $rule_id, $url ) {
 		error_log( "Jetpack WAF Redirected Request.\tRule:$rule_id\t$url" );
@ -613,7 +617,7 @@ class Waf_Runtime {
 	 *   value:  The value that was found in the associated target.
 	 *
 	 * @param TargetBag $targets An assoc. array with keys that are target name(s) and values are options for how to process that target (include/exclude rules, whether to return values or counts).
-	 * @return array{ name: string, source: string, value: mixed }
+	 * @return array{name: string, source: string, value: mixed}[]
 	 */
 	public function normalize_targets( $targets ) {
 		$return = array();
@ -720,12 +724,12 @@ class Waf_Runtime {
 	/**
 	 * Extract values from an associative array, potentially applying filters and/or counting results.
 	 *
-	 * @param array{ 0: string, 1: scalar }|scalar[] $source      The source assoc. array of values (i.e. $_GET, $_SERVER, etc.).
-	 * @param string[]                               $only        Only include the values for these keys in the output.
-	 * @param string[]                               $excl        Never include the values for these keys in the output.
-	 * @param string                                 $name        The name of this target (see https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)#Variables).
-	 * @param array                                  $results     Array to add output values to, will be modified by this method.
-	 * @param int                                    $flags       Any of the NORMALIZE_ARRAY_* constants defined at the top of the class.
+	 * @param array{0: string, 1: scalar}|scalar[] $source      The source assoc. array of values (i.e. $_GET, $_SERVER, etc.).
+	 * @param string[]                             $only        Only include the values for these keys in the output.
+	 * @param string[]                             $excl        Never include the values for these keys in the output.
+	 * @param string                               $name        The name of this target (see https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)#Variables).
+	 * @param array                                $results     Array to add output values to, will be modified by this method.
+	 * @param int                                  $flags       Any of the NORMALIZE_ARRAY_* constants defined at the top of the class.
 	 */
 	private function normalize_array_target( $source, $only, $excl, $name, &$results, $flags = 0 ) {
 		$output   = array();
--- a/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/functions.php
+++ b/wp-content/plugins/jetpack-protect/jetpack_vendor/automattic/jetpack-waf/src/functions.php
@ -52,7 +52,7 @@ function wp_unslash( $value ) {
 *                                 Usually only used internally as part of recursion when flattening a nested array.
 * @param bool|null $dot_notation  Whether to use dot notation instead of bracket notation.
 *
- * @return array{ 0: string, 1: scalar }[]  $key_prefix  An array of key/value tuples, one for each distinct value in the input array.
+ * @return array{0: string, 1: scalar}[]  $key_prefix  An array of key/value tuples, one for each distinct value in the input array.
 */
 function flatten_array( $array, $key_prefix = '', $dot_notation = null ) {
 	$return = array();