Merge branch 'hotfix/21.0.9' into develop

Author: paulgoodchild

src/lib/src/ActionRouter/ActionProcessor.php

@@ -29,13 +29,19 @@ public function processAction( string $classOrSlug, array $data = [] ) :ActionRe
 	}
 
 	/**
+	 * SECURITY FIX: Strip action_overrides from user input
+	 * Security controls should never be controllable by user input, even from "authenticated" sources.
+	 * This prevents CSRF bypass attacks where attackers send action_overrides[is_nonce_verify_required]=false
+	 * Integrations that legitimately need overrides (like MainWP) should set them programmatically
+	 * AFTER action creation using setActionOverride() method.
 	 * @throws ActionDoesNotExistException
 	 */
 	public function getAction( string $classOrSlug, array $data ) :Actions\BaseAction {
 		$action = ActionsMap::ActionFromSlug( $classOrSlug );
 		if ( empty( $action ) ) {
-			throw new ActionDoesNotExistException( 'There was no action handler available for '.$classOrSlug );
+			throw new ActionDoesNotExistException( 'There was no action handler available for '.esc_html( $classOrSlug ) );
 		}
+		unset( $data[ 'action_overrides' ] );
 		return new $action( $data );
 	}
 }

src/lib/src/ActionRouter/Actions/BaseAction.php

@@ -142,6 +142,33 @@ protected function getActionOverrides() :array {
 		return $this->action_data[ 'action_overrides' ] ?? [];
 	}
 
+	/**
+	 * Set action override programmatically (for trusted integrations like MainWP)
+	 *
+	 * This method allows trusted integrations to set action overrides AFTER action creation,
+	 * ensuring security controls never come from user input paths.
+	 *
+	 * SECURITY NOTE: This method should ONLY be called in trusted contexts where:
+	 * - The caller has verified authentication (e.g., MainWP authenticated requests)
+	 * - The override is set programmatically, not from user input
+	 * - The action object has already been created via ActionProcessor::getAction()
+	 *
+	 * @param string $overrideKey Override key constant (e.g., Constants::ACTION_OVERRIDE_IS_NONCE_VERIFY_REQUIRED)
+	 * @param mixed  $value       Override value (typically boolean for is_nonce_verify_required)
+	 * @return self For method chaining
+	 */
+	public function setActionOverride( string $overrideKey, $value ) :self {
+		// Initialize action_overrides array if it doesn't exist
+		if ( !isset( $this->action_data[ 'action_overrides' ] ) ) {
+			$this->action_data[ 'action_overrides' ] = [];
+		}
+
+		// Set the override value
+		$this->action_data[ 'action_overrides' ][ $overrideKey ] = $value;
+
+		return $this;
+	}
+
 	/**
 	 * @throws ActionException
 	 */

src/lib/src/ActionRouter/Actions/PluginAdmin/PluginAdminPageHandler.php

@@ -129,6 +129,12 @@ protected function addSubMenuItems() {
 	}
 
 	public function displayModuleAdminPage() {
-		echo self::con()->action_router->render( Actions\Render\PageAdminPlugin::class );
+		echo self::con()->action_router->render(
+			Actions\Render\PageAdminPlugin::class,
+			[
+				Constants::NAV_ID     => $this->action_data[ Constants::NAV_ID ] ?? '',
+				Constants::NAV_SUB_ID => $this->action_data[ Constants::NAV_SUB_ID ] ?? '',
+			]
+		);
 	}
 }

src/lib/src/ActionRouter/Actions/Render.php

@@ -21,13 +21,7 @@ protected function exec() {
 		$this->setResponse(
 			self::con()->action_router->action(
 				$this->action_data[ 'render_action_slug' ],
-				Services::DataManipulation()->mergeArraysRecursive(
-					Services::Request()->query,
-					Services::Request()->post,
-					\array_filter( $this->action_data[ 'render_action_data' ] ?? [], function ( $item ) {
-						return !\is_null( $item );
-					} )
-				)
+				\array_filter( $this->action_data[ 'render_action_data' ] ?? [], fn( $item ) => !\is_null( $item ) )
 			)
 		);
 	}

src/lib/src/ActionRouter/Actions/Render/FullPage/Mfa/Components/WpLoginReplicaHeader.php

@@ -34,7 +34,7 @@ protected function getRenderData() :array {
 		$login_title = get_bloginfo( 'name', 'display' );
 
 		/* translators: Login screen title. 1: Login screen name, 2: Network or site name. */
-		$login_title = sprintf( __( '%1$s ‹ %2$s — WordPress', 'wp-simple-firewall' ), $this->action_data[ 'title' ], $login_title );
+		$login_title = sprintf( __( '%1$s ‹ %2$s — WordPress', 'wp-simple-firewall' ), esc_html( $this->action_data[ 'title' ] ?? '' ), $login_title );
 
 		/**
 		 * Filters the title tag content for login page.
@@ -44,7 +44,7 @@ protected function getRenderData() :array {
 		 * @since 4.9.0
 		 *
 		 */
-		$login_title = apply_filters( 'login_title', $login_title, $this->action_data[ 'title' ] );
+		$login_title = apply_filters( 'login_title', $login_title, esc_html( $this->action_data[ 'title' ] ?? '' ) );
 
 		wp_enqueue_style( 'login' );
 
@@ -136,6 +136,8 @@ protected function getRenderData() :array {
 		 *
 		 */
 		$message = apply_filters( 'login_message', $this->action_data[ 'message' ] ?? '' );
+		// Sanitize output to prevent XSS from URL input or malicious filter callbacks
+		$message = esc_html( $message );
 		if ( !empty( $message ) ) {
 			echo $message."\n";
 		}
@@ -181,7 +183,7 @@ protected function getRenderData() :array {
 			}
 		}
 
-		$interimMessage = $this->action_data[ 'interim_message' ] ?? '';
+		$interimMessage = esc_html( $this->action_data[ 'interim_message' ] ?? '' );
 
 		return [
 			'content' => [

src/lib/src/DBs/ReqLogs/Ops/Handler.php

@@ -48,4 +48,11 @@ public static function GetTypeName( string $type ) :string {
 		}
 		return $type;
 	}
+
+	public static function AllTypes() :array {
+		return \array_filter(
+			( new \ReflectionClass( __CLASS__ ) )->getConstants(),
+			fn( $name ) => \str_starts_with( $name, 'TYPE_' ), \ARRAY_FILTER_USE_KEY
+		);
+	}
 }

src/lib/src/Modules/Integrations/Lib/MainWP/Client/Actions/Init.php

@@ -2,6 +2,7 @@
 
 namespace FernleafSystems\Wordpress\Plugin\Shield\Modules\Integrations\Lib\MainWP\Client\Actions;
 
+use FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\ActionProcessor;
 use FernleafSystems\Wordpress\Plugin\Shield\ActionRouter\Exceptions\ActionException;
 use FernleafSystems\Wordpress\Plugin\Shield\Modules\Integrations\Lib\MainWP\{
 	Client\Auth\ReproduceClientAuthByKey,
@@ -40,19 +41,48 @@ public function run() {
 				return $information;
 			}, 10, 2 );
 
-			// Execute custom actions via MainWP API.
+			/**
+			 * Execute custom actions via MainWP API.
+			 *
+			 * SECURITY: Action Overrides Handling
+			 *
+			 * MainWP server sends action_overrides (e.g., is_nonce_verify_required=false) in POST data
+			 * to allow server-to-server communication without nonce verification. However, passing these
+			 * overrides directly through user input creates a CSRF bypass vulnerability where attackers
+			 * could send action_overrides[is_nonce_verify_required]=0 to skip CSRF protection.
+			 *
+			 * Solution: ActionProcessor::getAction() strips action_overrides from all input data. We
+			 * extract them here first, then set them programmatically via setActionOverride() only
+			 * after verifying MainWP authentication. This ensures security controls are never
+			 * controllable via user input, while preserving legitimate MainWP server-to-server
+			 * functionality.
+			 *
+			 * We instantiate ActionProcessor directly  because we need the action object to
+			 * call setActionOverride() before processing.
+			 *
+			 * @see ActionProcessor::getAction() - strips action_overrides from all input
+			 * @see BaseAction::setActionOverride() - programmatic override setter
+			 * @see SiteCustomAction.php - MainWP server sends overrides
+			 */
 			add_filter( 'mainwp_child_extra_execution', function ( $information, $post ) {
 				$con = self::con();
 
 				if ( !empty( $post[ $con->prefix( 'mwp-action' ) ] ) ) {
 					try {
-						$response = self::con()
-							->action_router
-							->action(
-								$post[ $con->prefix( 'mwp-action' ) ],
-								$post[ $con->prefix( 'mwp-params' ) ] ?? []
-							)
-							->action_response_data;
+						$params = $post[ $con->prefix( 'mwp-params' ) ] ?? [];
+						$actionOverrides = $params[ 'action_overrides' ] ?? [];
+
+						$actionSlug = $post[ $con->prefix( 'mwp-action' ) ];
+						$action = ( new ActionProcessor() )->getAction( $actionSlug, $params );
+
+						if ( !empty( $actionOverrides ) && ReproduceClientAuthByKey::Auth() ) {
+							foreach ( $actionOverrides as $overrideKey => $overrideValue ) {
+								$action->setActionOverride( $overrideKey, $overrideValue );
+							}
+						}
+
+						$action->process();
+						$response = $action->response()->action_response_data;
 					}
 					catch ( ActionException $ae ) {
 						$response = [

src/lib/src/Tables/DataTables/LoadData/ActivityLog/BuildActivityLogTableData.php

@@ -2,6 +2,7 @@
 
 namespace FernleafSystems\Wordpress\Plugin\Shield\Tables\DataTables\LoadData\ActivityLog;
 
+use FernleafSystems\Wordpress\Plugin\Shield\Tables\DataTables\Build\SearchPanes\BuildDataForDays;
 use FernleafSystems\Wordpress\Plugin\Shield\DBs\ActivityLogs\{
 	LoadLogs,
 	LogRecord
@@ -19,12 +20,16 @@ class BuildActivityLogTableData extends BaseBuildTableData {
 	 */
 	private $log;
 
+	protected function getSearchPanesDataBuilder() :BuildSearchPanesData {
+		return new BuildSearchPanesData();
+	}
+
 	protected function loadRecordsWithDirectQuery() :array {
 		return $this->loadRecordsWithSearch();
 	}
 
 	protected function getSearchPanesData() :array {
-		return ( new BuildSearchPanesData() )->build();
+		return $this->getSearchPanesDataBuilder()->build();
 	}
 
 	/**
@@ -55,6 +60,20 @@ function ( $log ) {
 		) );
 	}
 
+	protected function validateSearchPanes( array $searchPanes ) :array {
+		foreach ( $searchPanes as $column => &$values ) {
+			switch ( $column ) {
+				case 'event':
+					$values = \array_filter( $values, fn( $event ) => !empty( $event ) && self::con()->comps->events->eventExists( $event ) );
+					break;
+				default:
+					$values = $this->validateCommonColumn( $column, $values );
+					break;
+			}
+		}
+		return \array_filter( $searchPanes );
+	}
+
 	/**
 	 * The `Where`s need to align with the structure of the Query called from getRecords()
 	 */
@@ -77,11 +96,11 @@ protected function buildWheresFromSearchParams() :array {
 					case 'ip':
 						$wheres[] = sprintf( "`ips`.`ip`=INET6_ATON('%s')", \array_pop( $selected ) );
 						break;
-					case 'user':
-						if ( \count( $selected ) > 0 ) {
-							$wheres[] = sprintf( "`req`.`uid` IN (%s)", \implode( ',', \array_values( $selected ) ) );
-						}
-						break;
+				case 'user':
+					if ( \count( $selected ) > 0 ) {
+						$wheres[] = sprintf( "`req`.`uid` IN (%s)", \implode( ',', $selected ) );
+					}
+					break;
 					default:
 						break;
 				}

src/lib/src/Tables/DataTables/LoadData/ActivityLog/BuildSearchPanesData.php

@@ -5,9 +5,10 @@
 use FernleafSystems\Wordpress\Plugin\Shield\Modules\PluginControllerConsumer;
 use FernleafSystems\Wordpress\Plugin\Shield\Tables\DataTables\Build\SearchPanes\BuildDataForDays;
 use FernleafSystems\Wordpress\Plugin\Shield\Tables\DataTables\Build\SearchPanes\BuildDataForUsers;
+use FernleafSystems\Wordpress\Plugin\Shield\Tables\DataTables\LoadData\BaseBuildSearchPanesData;
 use FernleafSystems\Wordpress\Services\Services;
 
-class BuildSearchPanesData {
+class BuildSearchPanesData extends BaseBuildSearchPanesData {
 
 	use PluginControllerConsumer;
 

src/lib/src/Tables/DataTables/LoadData/BaseBuildSearchPanesData.php

@@ -0,0 +1,14 @@
+<?php declare( strict_types=1 );
+
+namespace FernleafSystems\Wordpress\Plugin\Shield\Tables\DataTables\LoadData;
+
+use FernleafSystems\Wordpress\Plugin\Shield\Modules\PluginControllerConsumer;
+
+class BaseBuildSearchPanesData {
+
+	use PluginControllerConsumer;
+
+	public function build() :array {
+		return [];
+	}
+}