FP /wp-json/paypal/v1/incoming

[theMiddleBlue]

on woocommerce plugin, CRS blocks API /wp-json/paypal/v1/incoming because of 931130 at PL2 during a payment

example

Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

Matched "Operator `EndsWith' with parameter `.personal-tour.it' against variable `TX:rfi_parameter_ARGS:json.links.array_1.href' (Value: `.api.paypal.com' )

Matched Data: https://api.paypal.com/v1/notifications/webhooks-events/WH-12345-12345/resend found within TX:rfi_parameter_ARGS:json.links.array_1.href: .api.paypal.com

is it worth creating an exclusion for this?

[azurit]

I think it's worth it as Woocommerce is widely used.

[lifeforms]

I agree it's worth it. We haven't talked about a policy what plugins to write exclusions for. You can see the number of installs on the WP plugin page: https://wordpress.org/plugins/woocommerce/ (5+ million installs). Maybe we should accept exclusions for plugins with minimum 100k installs?

[theMiddleBlue]

that's a great idea! Another question: should we have a separate file for wp plugin exclusion or should we use the same for the wp core?

[azurit]

I would keep it all in one file for easier development.

[theMiddleBlue]

thinking about this, I think it would be better to have all exclusion rules for WP plugins in separate files. Because in the near future it could be a lot of rules and maybe integrators would like to include only the rules related to their needs and not all

[lifeforms]

That could blow up the number of plugins immensely, but it does make sense. It will make life for admins harder as they have to keep all the plugins up to date, but for contributors it may become easier as the files are smaller and easier. Maybe we could do a compromise and research the most essential/most used plugins (WooCommerce, WPML, WP Super Cache) and put those in the default plugin? And the less popular plugins could become an itch to scratch for the people who use them.