Merge pull request #79 from pardot/nonce_patch

Add extra nonce check for ajax calls
pardot · Mar 20, 2024 · 3b106fa · 3b106fa
2 parents cc61834 + e9c8a16
commit 3b106fa
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -163,6 +163,9 @@ add_filter( 'pardot_https_regex', 'pardot_custom_filter_https_regex' );
 
 ## Changelog
 
+### 2.1.1
+* Maintenance - Security patch for ajax requests
+
 ### 2.1.0
 * Maintenance - Rebrand Pardot Plugin to Account Engagement Plugin
 

diff --git a/trunk/README.txt b/trunk/README.txt
@@ -2,8 +2,8 @@
 Contributors: salesforcepardot
 Tags: account engagement, salesforce, marketing automation, forms, dynamic content, tracking, web tracking, account engagement, marketing cloud
 Requires at least: 5.5
-Tested up to: 6.4
-Stable tag: 2.1.0
+Tested up to: 6.4.3
+Stable tag: 2.1.1
 Requires PHP: 7.2.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -155,6 +155,10 @@ Filter the regular expression used to find URLs to be converted to https://go.pa
 
 == Changelog ==
 
+= 2.1.1 =
+
+* Maintenance - Security patch for ajax requests
+
 = 2.1.0 =
 
 * Maintenance - Rebrand Pardot Plugin to Account Engagement Plugin
@@ -390,6 +394,10 @@ Filter the regular expression used to find URLs to be converted to https://go.pa
 
 == Upgrade Notice ==
 
+= 2.1.1 =
+
+* Maintenance - Security patch for ajax requests
+
 = 2.1.0 =
 
 * Maintenance - Rebrand Pardot Plugin to Account Engagement Plugin

diff --git a/trunk/includes/pardot-forms-shortcode-popup-class.php b/trunk/includes/pardot-forms-shortcode-popup-class.php
@@ -42,7 +42,8 @@ public function load_js() {
 		wp_enqueue_script( 'pardot-popup-js', plugins_url( 'js/popup.js', PARDOT_PLUGIN_FILE ), array( 'pardot-chosen-js', 'jquery' ) );
 		wp_localize_script( 'pardot-popup-js', 'PardotShortcodePopup', array(
 			'ajaxurl'            => admin_url( 'admin-ajax.php' ),
-			'tinymce_button_url' => plugins_url( 'images/salesforce-button.png', PARDOT_PLUGIN_FILE )
+			'tinymce_button_url' => plugins_url( 'images/salesforce-button.png', PARDOT_PLUGIN_FILE ),
+			'security' => wp_create_nonce('PardotShortcodePopup')
 		) );
 	}
 

diff --git a/trunk/includes/pardot-plugin-class.php b/trunk/includes/pardot-plugin-class.php
@@ -155,6 +155,10 @@ function init()
 	 */
 	function wp_ajax_get_pardot_forms_shortcode_select_html()
 	{
+		if (!check_ajax_referer('PardotShortcodePopup','nonce')) {
+		    wp_send_json_error();
+		}
+
 		/**
 		 * Use the API or the cache to retrieve an array of Account Engagement Forms
 		 */
@@ -169,7 +173,7 @@ function wp_ajax_get_pardot_forms_shortcode_select_html()
 			 * YES, we have Account Engagement forms! :-)
 			 *
 			 * Grab the HTML that contains a <select> which lets the user select an Account Engagement form
-			 * for which it insert a shortcode for that form into the TinyMCE editing space.
+			 * for which it inserts a shortcode for that form into the TinyMCE editing space.
 			 */
 			$html = $this->get_forms_shortcode_select_html('formshortcode', $forms);
 
@@ -222,6 +226,10 @@ function wp_ajax_get_pardot_forms_shortcode_select_html()
 	 */
 	function wp_ajax_get_pardot_dynamicContent_shortcode_select_html()
 	{
+		if (!check_ajax_referer('PardotShortcodePopup','nonce')) {
+		    wp_send_json_error();
+		}
+
 		/**
 		 * Use the API or the cache to retrieve an array of Account Engagement dynamicContent
 		 */
@@ -293,10 +301,14 @@ public function wp_ajax_delete_asset_html_transient()
 		$assetType = $_REQUEST['asset_type'];
 		$assetId = $_REQUEST['asset_id'];
 
+		if (!check_ajax_referer('PardotShortcodePopup','nonce')) {
+		    wp_send_json_error();
+		}
+
 		if ($assetType === 'form') {
-			self::delete_form_html_transient($assetId);
+		    self::delete_form_html_transient($assetId);
 		} elseif ($assetType === 'dc') {
-			self::delete_dc_html_transient($assetId);
+		    self::delete_dc_html_transient($assetId);
 		}
 
 		die();
@@ -320,6 +332,9 @@ public static function delete_dc_html_transient(int $assetId)
 
 	function wp_ajax_popup_reset_cache()
 	{
+		if (!check_ajax_referer('PardotShortcodePopup','nonce')) {
+		    wp_send_json_error();
+		}
 
 		delete_transient('pardot_forms');
 		delete_transient('pardot_dynamicContent');

diff --git a/trunk/js/popup.js b/trunk/js/popup.js
@@ -42,7 +42,8 @@
 			dataType : 'html',
 			url      : PardotShortcodePopup.ajaxurl,
 			data     : {
-				action : 'get_pardot_forms_shortcode_select_html'
+				action : 'get_pardot_forms_shortcode_select_html',
+				nonce : PardotShortcodePopup.security
 			},
 			success: function( response ) {
 			 	$( document.getElementById( 'pardot-forms-shortcode-select' ) ).html( response );
@@ -60,7 +61,8 @@
 			dataType : 'html',
 			url      : PardotShortcodePopup.ajaxurl,
 			data     : {
-				action : 'get_pardot_dynamicContent_shortcode_select_html'
+				action : 'get_pardot_dynamicContent_shortcode_select_html',
+				nonce : PardotShortcodePopup.security
 			},
 			success: function( response ) {
 			 	$( document.getElementById( 'pardot-dc-shortcode-select' ) ).html( response );
@@ -79,7 +81,8 @@
 				type : 'post',
 				url  : PardotShortcodePopup.ajaxurl,
 				data : {
-					action : 'popup_reset_cache'
+					action : 'popup_reset_cache',
+					nonce : PardotShortcodePopup.security
 				}
 			});
 
@@ -88,7 +91,8 @@
 				dataType : 'html',
 				url      : PardotShortcodePopup.ajaxurl,
 				data     : {
-					action : 'get_pardot_forms_shortcode_select_html'
+					action : 'get_pardot_forms_shortcode_select_html',
+					nonce : PardotShortcodePopup.security
 				},
 				success: function( response ) {
 				 	$( document.getElementById( 'pardot-forms-shortcode-select' ) ).html( response );
@@ -100,7 +104,8 @@
 				dataType : 'html',
 				url      : PardotShortcodePopup.ajaxurl,
 				data     : {
-					action : 'get_pardot_dynamicContent_shortcode_select_html'
+					action : 'get_pardot_dynamicContent_shortcode_select_html',
+					nonce : PardotShortcodePopup.security
 				},
 				success: function( response ) {
 				 	$( document.getElementById( 'pardot-dc-shortcode-select' ) ).html( response );
@@ -145,7 +150,8 @@
 					data     : {
 						action : 'delete_asset_html_transient',
 						asset_id : formval.match(/id="([0-9]*)"/)[1],
-						asset_type : 'form'
+						asset_type : 'form',
+						nonce : PardotShortcodePopup.security
 					}
 				});
 			}
@@ -179,7 +185,8 @@
 					data     : {
 						action : 'delete_asset_html_transient',
 						asset_id : dcval.match(/id="([0-9]*)"/)[1],
-						asset_type : 'dc'
+						asset_type : 'dc',
+						nonce : PardotShortcodePopup.security
 					}
 				});
 			}

diff --git a/trunk/pardot.php b/trunk/pardot.php
@@ -7,7 +7,7 @@
  * Plugin URI: http://wordpress.org/extend/plugins/pardot/
  * Developer: Salesforce
  * Developer URI: https://www.salesforce.com/products/marketing-cloud/marketing-automation/
- * Version: 2.1.0
+ * Version: 2.1.1
  * License: GPLv2
  *
  * Copyright 2023 Salesforce, Inc.
@@ -29,7 +29,7 @@
 
 define( 'PARDOT_PLUGIN_FILE', __FILE__ );
 define( 'PARDOT_PLUGIN_DIR', dirname( __FILE__ ) );
-define( 'PARDOT_PLUGIN_VER', '2.1.0' );
+define( 'PARDOT_PLUGIN_VER', '2.1.1' );
 
 if ( ! defined( 'PARDOT_FORM_INCLUDE_TYPE' ) ) {
 	define( 'PARDOT_FORM_INCLUDE_TYPE', 'iframe' );	// iframe or inline