[security] data hardening

paulgoodchild · paulgoodchild · commit 02de3b290723 · 2026-01-12T11:50:47.000Z
diff --git a/src/lib/src/ActionRouter/Actions/MfaEmailAutoLogin.php b/src/lib/src/ActionRouter/Actions/MfaEmailAutoLogin.php
@@ -19,8 +19,9 @@ class MfaEmailAutoLogin extends BaseAction {
 	protected function exec() {
 		$con = self::con();
 		$mfaCon = $con->comps->mfa;
+		$userID = (int)$this->action_data[ 'user_id' ];
 
-		$user = Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] );
+		$user = Services::WpUsers()->getUserById( $userID );
 		if ( empty( $user ) ) {
 			throw new ActionException( 'No such user' );
 		}
@@ -43,19 +44,19 @@ protected function exec() {
 			if ( $emailProvider->validateLoginIntent( $mfaCon->findHashedNonce( $user, $this->action_data[ 'login_nonce' ] ) ) ) {
 				$success = true;
 				$emailProvider->postSuccessActions();
-				wp_set_auth_cookie( $this->action_data[ 'user_id' ], true );
-				$con->fireEvent( '2fa_success' );
+				wp_set_auth_cookie( $userID, true );
+				$con->comps->events->fireEvent( '2fa_success' );
 			}
 		}
 		catch ( \Exception $e ) {
 			error_log( 'failed auto login:'.$e->getMessage() );
 		}
 		finally {
-			$con->fireEvent(
+			$con->comps->events->fireEvent(
 				$success ? '2fa_verify_success' : '2fa_verify_fail',
 				[
 					'audit_params' => [
-						'user_login' => $this->action_data[ 'user_id' ],
+						'user_login' => $userID,
 						'method'     => $emailProvider->getProviderName(),
 					]
 				]
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Email/MfaLoginCode.php b/src/lib/src/ActionRouter/Actions/Render/Components/Email/MfaLoginCode.php
@@ -21,15 +21,15 @@ protected function getBodyData() :array {
 			],
 			'hrefs'   => [
 				'login_link' => 'https://clk.shldscrty.com/96',
-				'auto_login' => $this->action_data[ 'url_auto_login' ],
+				'auto_login' => esc_url( $this->action_data[ 'url_auto_login' ] ), // Internally generated via noncedPluginAction(); template uses |raw
 			],
 			'strings' => [
 				'someone'          => __( 'Someone attempted to login into this WordPress site using your account.', 'wp-simple-firewall' ),
 				'requires'         => __( 'Login requires verification with the following code.', 'wp-simple-firewall' ),
 				'verification'     => __( 'Verification Code', 'wp-simple-firewall' ),
 				'auto_login'       => __( 'Autologin URL', 'wp-simple-firewall' ),
 				'details_heading'  => __( 'Login Details', 'wp-simple-firewall' ),
-				'details_url'      => sprintf( '%s: %s', __( 'URL', 'wp-simple-firewall' ), $this->action_data[ 'home_url' ] ),
+				'details_url'      => sprintf( '%s: %s', __( 'URL', 'wp-simple-firewall' ), $this->action_data[ 'home_url' ] ), // Internally generated via getHomeUrl()
 				'details_username' => sprintf( '%s: %s', __( 'Username', 'wp-simple-firewall' ),
 					Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] )->user_login ),
 				'details_ip'       => sprintf( '%s: %s', __( 'IP Address', 'wp-simple-firewall' ), $this->action_data[ 'ip' ] ),
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Email/UnblockMagicLink.php b/src/lib/src/ActionRouter/Actions/Render/Components/Email/UnblockMagicLink.php
@@ -18,10 +18,11 @@ protected function getBodyData() :array {
 		$con = self::con();
 		$user = Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] )->user_login;
 		$ip = $this->action_data[ 'ip' ];
-		$homeURL = $this->action_data[ 'home_url' ];
+		$homeURL = $this->action_data[ 'home_url' ]; // Internally generated via getHomeUrl()
 
 		return [
 			'hrefs'   => [
+				// Internally generated - don't escape here as template auto-escapes
 				'unblock' => $con->plugin_urls->noncedPluginAction(
 					IpAutoUnblockShieldUserLinkVerify::class,
 					$homeURL,
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Email/UserLoginNotice.php b/src/lib/src/ActionRouter/Actions/Render/Components/Email/UserLoginNotice.php
@@ -9,6 +9,7 @@ class UserLoginNotice extends EmailBase {
 	public const SLUG = 'email_user_login_notice';
 	public const TEMPLATE = '/email/user_login_notice.twig';
 
+	// URLs are internally generated via getHomeUrl() - don't escape here as template auto-escapes
 	protected function getBodyData() :array {
 		return [
 			'hrefs'   => [
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Activity.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Activity.php
@@ -12,7 +12,7 @@ class Activity extends Base {
 	public const TEMPLATE = '/wpadmin/components/ip_analyse/ip_audittrail.twig';
 
 	protected function getRenderData() :array {
-		$logLoader = ( new LoadLogs() )->setIP( $this->action_data[ 'ip' ] );
+		$logLoader = ( new LoadLogs() )->setIP( $this->getAnalyseIP() );
 		$logLoader->limit = 100;
 
 		$logs = [];
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Base.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Base.php
@@ -3,6 +3,7 @@
 namespace FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\Actions\Render\Components\IpAnalyse;
 
 use FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\Actions\Render;
+use FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\Exceptions\ActionException;
 use FernleafSystems\Wordpress\Services\Services;
 
 class Base extends Render\BaseRender {
@@ -19,4 +20,14 @@ protected function getTimeAgo( int $ts ) :string {
 					   ->setTimestamp( $ts )
 					   ->diffForHumans();
 	}
+
+	/**
+	 * @throws ActionException
+	 */
+	protected function getAnalyseIP() :string {
+		if ( !Services::IP()->isValidIp( $this->action_data[ 'ip' ] ) ) {
+			throw new ActionException( __( "A valid IP address wasn't provided.", 'wp-simple-firewall' ) );
+		}
+		return $this->action_data[ 'ip' ];
+	}
 }
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/BotSignals.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/BotSignals.php
@@ -15,11 +15,11 @@ class BotSignals extends Base {
 	protected function getRenderData() :array {
 		$signals = [];
 		$scores = ( new CalculateVisitorBotScores() )
-			->setIP( $this->action_data[ 'ip' ] )
+			->setIP( $this->getAnalyseIP() )
 			->scores();
 		try {
 			$record = ( new BotSignalsRecord() )
-				->setIP( $this->action_data[ 'ip' ] )
+				->setIP( $this->getAnalyseIP() )
 				->retrieve();
 		}
 		catch ( \Exception $e ) {
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Container.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Container.php
@@ -10,10 +10,7 @@ class Container extends Base {
 	public const TEMPLATE = '/wpadmin/components/ip_analyse/container.twig';
 
 	protected function getRenderData() :array {
-		$ip = $this->action_data[ 'ip' ];
-		if ( !Services::IP()->isValidIp( $ip ) ) {
-			throw new \Exception( "A valid IP address wasn't provided." );
-		}
+		$ip = $this->getAnalyseIP();
 		$actionRouter = self::con()->action_router;
 		return [
 			'content' => [
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/General.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/General.php
@@ -20,7 +20,7 @@ class General extends Base {
 	public const TEMPLATE = '/wpadmin/components/ip_analyse/ip_general.twig';
 
 	protected function getRenderData() :array {
-		$ip = $this->action_data[ 'ip' ];
+		$ip = $this->getAnalyseIP();
 
 		$countryCode = ( new LookupMeta() )
 			->setIP( $ip )
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Sessions.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Sessions.php
@@ -14,7 +14,7 @@ protected function getRenderData() :array {
 		$WP = Services::WpGeneral();
 
 		$allSessions = [];
-		foreach ( ( new FindSessions() )->byIP( $this->action_data[ 'ip' ] ) as /* $userID => */ $sessions ) {
+		foreach ( ( new FindSessions() )->byIP( $this->getAnalyseIP() ) as /* $userID => */ $sessions ) {
 			foreach ( $sessions as $session ) {
 				$loginAt = $session[ 'login' ];
 				$activityAt = $session[ 'shield' ][ 'last_activity_at' ] ?? $loginAt;
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Traffic.php b/src/lib/src/ActionRouter/Actions/Render/Components/IpAnalyse/Traffic.php
@@ -17,7 +17,7 @@ protected function getRenderData() :array {
 		$WP = Services::WpGeneral();
 		$logLimit = (int)\max( 1, apply_filters( 'shield/ipanalyse_traffic_log_query_limit', 100 ) );
 		try {
-			$ip = ( new IPRecords() )->loadIP( $this->action_data[ 'ip' ], false );
+			$ip = ( new IPRecords() )->loadIP( $this->getAnalyseIP(), false );
 			/** @var ReqLogsDB\Select $selector */
 			$selector = self::con()->db_con->req_logs->getQuerySelector();
 			/** @var ReqLogsDB\Record[] $logs */
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Reports/ReportsTable.php b/src/lib/src/ActionRouter/Actions/Render/Components/Reports/ReportsTable.php
@@ -18,7 +18,7 @@ class ReportsTable extends BaseRender {
 	protected function getRenderData() :array {
 		/** @var ReportDB\Select $selector */
 		$selector = self::con()->db_con->reports->getQuerySelector();
-		$limit = $this->action_data[ 'reports_limit' ] ?? 0;
+		$limit = (int)$this->action_data[ 'reports_limit' ] ?? 0;
 		if ( $limit > 0 ) {
 			$selector->setLimit( $limit );
 		}
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Traffic/TrafficLiveLogs.php b/src/lib/src/ActionRouter/Actions/Render/Components/Traffic/TrafficLiveLogs.php
@@ -12,7 +12,7 @@ class TrafficLiveLogs extends \FernleafSystems\Wordpress\Plugin\Shield\ActionRou
 
 	protected function getRenderData() :array {
 		$logLoader = new LoadRequestLogs();
-		$logLoader->limit = $this->action_data[ 'limit' ] ?? 200;
+		$logLoader->limit = (int)$this->action_data[ 'limit' ] ?? 200;
 		$logLoader->offset = 0;
 		$logLoader->order_by = 'id';
 		$logLoader->order_dir = 'DESC';
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/UserMfa/ConfigEdit.php b/src/lib/src/ActionRouter/Actions/Render/Components/UserMfa/ConfigEdit.php
@@ -15,7 +15,7 @@ class ConfigEdit extends UserMfaBase {
 
 	protected function getRenderData() :array {
 		$con = self::con();
-		$user = Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] );
+		$user = Services::WpUsers()->getUserById( (int)$this->action_data[ 'user_id' ] );
 
 		$providers = \array_map(
 			fn( $provider ) => $provider->getProviderName(),
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/UserMfa/ConfigForm.php b/src/lib/src/ActionRouter/Actions/Render/Components/UserMfa/ConfigForm.php
@@ -22,7 +22,7 @@ protected function getDefaults() :array {
 
 	protected function getRenderData() :array {
 		$WPU = Services::WpUsers();
-		$user = $WPU->getUserById( $this->action_data[ 'user_id' ] ?? $WPU->getCurrentWpUserId() );
+		$user = $WPU->getUserById( (int)$this->action_data[ 'user_id' ] ?? $WPU->getCurrentWpUserId() );
 
 		$providerRenders = \array_map(
 			fn( $provider ) => $provider->renderUserProfileConfigFormField(),
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Users/ProfileSuspend.php b/src/lib/src/ActionRouter/Actions/Render/Components/Users/ProfileSuspend.php
@@ -5,6 +5,9 @@
 use FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\Actions\Traits\SecurityAdminNotRequired;
 use FernleafSystems\Wordpress\Services\Services;
 
+/**
+ * SecurityAdminNotRequired - This is so that admins that are not security admins may at least "view" current status.
+ */
 class ProfileSuspend extends \FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\Actions\Render\BaseRender {
 
 	use SecurityAdminNotRequired;
diff --git a/src/lib/src/ActionRouter/Actions/Render/Components/Widgets/OverviewActivity.php b/src/lib/src/ActionRouter/Actions/Render/Components/Widgets/OverviewActivity.php
@@ -23,16 +23,14 @@ protected function getRenderData() :array {
 		$logLoader->order_by = 'created_at';
 		$logLoader->order_dir = 'DESC';
 		$logs = \array_map(
-			function ( LogRecord $log ) {
-				return [
-					'message' => $this->truncate( ActivityLogMessageBuilder::Build( $log->event_slug, $log->meta_data ?? [], ' ' ) ),
-					'ip'      => $log->ip,
-					'ago'     => Services::Request()
-										 ->carbon( true )
-										 ->setTimestamp( $log->created_at )
-										 ->diffForHumans()
-				];
-			},
+			fn( LogRecord $log ) => [
+				'message' => $this->truncate( ActivityLogMessageBuilder::Build( $log->event_slug, $log->meta_data ?? [], ' ' ) ),
+				'ip'      => $log->ip,
+				'ago'     => Services::Request()
+									 ->carbon( true )
+									 ->setTimestamp( $log->created_at )
+									 ->diffForHumans()
+			],
 			$logLoader->run()
 		);
 		return [
@@ -43,7 +41,7 @@ function ( LogRecord $log ) {
 				'no_logs' => __( 'There are no logs available yet.', 'wp-simple-firewall' ),
 			],
 			'vars'    => [
-				'logs' => array_slice( $logs, 0, $this->action_data[ 'limit' ] ?? 5 ),
+				'logs' => \array_slice( $logs, 0, \min( 100, \max( 1, $this->action_data[ 'limit' ] ?? 5 ) ) ),
 			],
 		];
 	}
diff --git a/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/BaseLoginIntentPage.php b/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/BaseLoginIntentPage.php
@@ -16,19 +16,20 @@ abstract class BaseLoginIntentPage extends Actions\Render\FullPage\BaseFullPageR
 	use Actions\Traits\AuthNotRequired;
 
 	public function getLoginIntentJavascript() :array {
+		$userID = (int)$this->action_data[ 'user_id' ];
 		$prov = self::con()->comps->mfa->getProvidersActiveForUser(
-			Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] )
+			Services::WpUsers()->getUserById( $userID )
 		);
 
 		return [
 			'ajax'  => [
 				'passkey_auth_start' => ActionData::Build( MfaPasskeyAuthenticationStart::class, true, [
-					'active_wp_user' => $this->action_data[ 'user_id' ],
+					'active_wp_user' => $userID,
 				] ),
 				'email_code_send'    => ActionData::Build( MfaEmailSendIntent::class, true, [
-					'wp_user_id'  => $this->action_data[ 'user_id' ],
+					'wp_user_id'  => $userID,
 					'login_nonce' => $this->action_data[ 'plain_login_nonce' ],
-					'redirect_to' => $this->action_data[ 'redirect_to' ],
+					'redirect_to' => esc_url_raw( $this->action_data[ 'redirect_to' ] ?? '' ),
 				] ),
 			],
 			'flags' => [
diff --git a/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/Components/BaseForm.php b/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/Components/BaseForm.php
@@ -26,7 +26,7 @@ protected function getCommonFormData() :array {
 				'login_fields' => \array_filter( \array_map(
 					fn( $p ) => $p->renderLoginIntentFormField( self::con()->opts->optGet( 'mfa_verify_page' ) ),
 					$mfaCon->getProvidersActiveForUser(
-						Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] )
+						Services::WpUsers()->getUserById( (int)$this->action_data[ 'user_id' ] )
 					)
 				) ),
 			],
@@ -106,14 +106,10 @@ protected function getHiddenFields() :array {
 			 */
 			'wp-submit'     => 'Complete Login',
 		] );
-		$fields[ 'wp_user_id' ] = $this->action_data[ 'user_id' ];
+		$fields[ 'wp_user_id' ] = (int)$this->action_data[ 'user_id' ];
 		return $fields;
 	}
 
-	protected function getWpUser() :\WP_User {
-		return Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] );
-	}
-
 	protected function getRequiredDataKeys() :array {
 		return [
 			'user_id',
diff --git a/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/Components/WpLoginReplicaHeader.php b/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/Components/WpLoginReplicaHeader.php
@@ -93,7 +93,7 @@ protected function getRenderData() :array {
 		 */
 		$login_header_text = apply_filters( 'login_headertext', $login_header_text );
 
-		$classes = [ 'login-action-'.( $this->action_data[ 'action' ] ?? 'login' ), 'wp-core-ui' ];
+		$classes = [ 'login-action-'.sanitize_html_class( $this->action_data[ 'action' ] ?? 'login' ), 'wp-core-ui' ];
 
 		if ( is_rtl() ) {
 			$classes[] = 'rtl';
diff --git a/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/ShieldLoginIntentPage.php b/src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/ShieldLoginIntentPage.php
@@ -59,7 +59,7 @@ protected function getRenderData() :array {
 	protected function getLoginIntentExpiresAt() :int {
 		$mfaCon = self::con()->comps->mfa;
 
-		$user = Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] );
+		$user = Services::WpUsers()->getUserById( (int)$this->action_data[ 'user_id' ] );
 
 		$intentAt = $mfaCon->getActiveLoginIntents( $user )
 					[ $mfaCon->findHashedNonce( $user, $this->action_data[ 'plain_login_nonce' ] ) ][ 'start' ] ?? 0;
diff --git a/src/lib/src/ActionRouter/Actions/Traits/ActiveWpUserConsumer.php b/src/lib/src/ActionRouter/Actions/Traits/ActiveWpUserConsumer.php
@@ -7,7 +7,7 @@
 trait ActiveWpUserConsumer {
 
 	public function getActiveWPUser() :?\WP_User {
-		$user = Services::WpUsers()->getUserById( $this->action_data[ 'active_wp_user' ] ?? null );
+		$user = Services::WpUsers()->getUserById( (int)$this->action_data[ 'active_wp_user' ] ?? null );
 		return $user instanceof \WP_User ? $user : Services::WpUsers()->getCurrentWpUser();
 	}
 
diff --git a/src/lib/src/Modules/Plugin/Lib/SelectSearchData.php b/src/lib/src/Modules/Plugin/Lib/SelectSearchData.php
@@ -18,7 +18,7 @@ class SelectSearchData {
 	use PluginControllerConsumer;
 
 	public function build( string $terms ) :array {
-		$terms = \strtolower( \trim( $terms ) );
+		$terms = \strtolower( \trim( sanitize_text_field( $terms ) ) );
 		return $this->postProcessResults( \array_merge( $this->textSearch( $terms ), $this->ipSearch( $terms ) ) );
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,9 @@ class MfaEmailAutoLogin extends BaseAction {`
`19`	`19`	`protected function exec() {`
`20`	`20`	`$con = self::con();`
`21`	`21`	`$mfaCon = $con->comps->mfa;`
	`22`	`+ $userID = (int)$this->action_data[ 'user_id' ];`
`22`	`23`
`23`		`- $user = Services::WpUsers()->getUserById( $this->action_data[ 'user_id' ] );`
	`24`	`+ $user = Services::WpUsers()->getUserById( $userID );`
`24`	`25`	`if ( empty( $user ) ) {`
`25`	`26`	`throw new ActionException( 'No such user' );`
`26`	`27`	`}`
`@@ -43,19 +44,19 @@ protected function exec() {`
`43`	`44`	`if ( $emailProvider->validateLoginIntent( $mfaCon->findHashedNonce( $user, $this->action_data[ 'login_nonce' ] ) ) ) {`
`44`	`45`	`$success = true;`
`45`	`46`	`$emailProvider->postSuccessActions();`
`46`		`- wp_set_auth_cookie( $this->action_data[ 'user_id' ], true );`
`47`		`- $con->fireEvent( '2fa_success' );`
	`47`	`+ wp_set_auth_cookie( $userID, true );`
	`48`	`+ $con->comps->events->fireEvent( '2fa_success' );`
`48`	`49`	`}`
`49`	`50`	`}`
`50`	`51`	`catch ( \Exception $e ) {`
`51`	`52`	`error_log( 'failed auto login:'.$e->getMessage() );`
`52`	`53`	`}`
`53`	`54`	`finally {`
`54`		`- $con->fireEvent(`
	`55`	`+ $con->comps->events->fireEvent(`
`55`	`56`	`$success ? '2fa_verify_success' : '2fa_verify_fail',`
`56`	`57`	`[`
`57`	`58`	`'audit_params' => [`
`58`		`- 'user_login' => $this->action_data[ 'user_id' ],`
	`59`	`+ 'user_login' => $userID,`
`59`	`60`	`'method' => $emailProvider->getProviderName(),`
`60`	`61`	`]`
`61`	`62`	`]`