Skip to content

quality-debt: inc/managers/class-site-manager.php — PR #1371 review feedback (critical) #1458

Description

@superdav42

Unactioned Review Feedback

Source PR: #1371
File: inc/managers/class-site-manager.php
Reviewers: coderabbit
Findings: 1
Max severity: critical


CRITICAL: coderabbit (coderabbitai[bot])

File: inc/managers/class-site-manager.php:548
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Locate screenshot AJAX callers and nonce wiring.
# Expectation: callers for wu_get_screenshot include a nonce matching the handler check.

rg -nP -C4 "wu_get_screenshot|Screenshot::take_screenshot|wp_create_nonce\\(|check_ajax_referer\\(" --type=php --type=js

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 50394


🏁 Script executed:

sed -n '535,575p' inc/managers/class-site-manager.php

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 1095


🏁 Script executed:

cat -n assets/js/screenshot-scraper.js | head -30

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 833


🏁 Script executed:

grep -n "check_ajax_referer\|wp_ajax_wu_get_screenshot" inc/managers/class-site-manager.php

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 159


🏁 Script executed:

grep -A 5 "get_site_screenshot\|async_get_site_screenshot" inc/managers/class-site-manager.php | head -50

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 702


Add nonce verification to prevent CSRF on screenshot generation.

The get_site_screenshot() AJAX handler currently relies only on capability checking (manage_network). Without check_ajax_referer(), a cross-site request can trick a logged-in network admin into calling Screenshot::take_screenshot() and creating/updating media attachments for an attacker-chosen site_id.

The JavaScript client (assets/js/screenshot-scraper.js:19-20) sends no nonce, and the server-side handler performs no nonce validation. Add nonce generation on the client and verification on the server:

🛡️ Suggested server-side guard
 if ( ! current_user_can('manage_network')) {
-	wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')));
+	wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')), 403);
+}
+
+if ( ! check_ajax_referer('wu_get_screenshot', false, false)) {
+	wp_send_json_error(new \WP_Error('invalid_nonce', __('Security check failed. Please try again.', 'ultimate-multisite')), 403);
 }

Update the client-side AJAX call to include the nonce via wp_create_nonce('wu_get_screenshot') passed in the data object.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

		if ( ! current_user_can('manage_network')) {
			wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')), 403);
		}

		if ( ! check_ajax_referer('wu_get_screenshot', false, false)) {
			wp_send_json_error(new \WP_Error('invalid_nonce', __('Security check failed. Please try again.', 'ultimate-multisite')), 403);
		}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@inc/managers/class-site-manager.php` around lines 542 - 544, The
get_site_screenshot() AJAX handler lacks nonce verification, making it
vulnerable to CSRF attacks. Add a check_ajax_referer() call after the
current_user_can() capability check in the handler to verify the nonce with the
action 'wu_get_screenshot'. On the client-side in
assets/js/screenshot-scraper.js, update the AJAX request data object to include
the nonce by adding a field with the value generated from
wp_create_nonce('wu_get_screenshot') on the server. This ensures that only
legitimate requests from your application can trigger the screenshot
functionality.

✅ Addressed in commit 02a06ed

View comment



Auto-generated by quality-feedback-helper.sh scan-merged. Review each finding and either fix the code or dismiss with a reason.


To approve or decline, use one of:

  • sudo aidevops approve issue <number> Ultimate-Multisite/ultimate-multisite -- cryptographically signs approval for automated dispatch
  • Comment declined: <reason> -- closes this issue (include your reason after the colon)

aidevops.sh v3.20.88 automated scan.

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-maintainer-reviewRequires maintainer review before proceedingorigin:workerAuto-created by pulse labelless backfill (t2112)priority:criticalCritical severity — security or data loss riskquality-debtUnactioned review feedback from merged PRssecuritySecurity-sensitive issue or changesource:review-feedbackAuto-created by quality-feedback-helper.shstatus:availableTask is available for claiming

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions