validate the input of the IP addresses and the user agents (#526)

matomo-org · Oct 19, 2021 · cd8a8cf · cd8a8cf
1 parent ad52ddf
commit cd8a8cf
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 6 deletions.
diff --git a/classes/WpMatomo/Admin/ExclusionSettings.php b/classes/WpMatomo/Admin/ExclusionSettings.php
@@ -36,10 +36,18 @@ public function get_title() {
 		return esc_html__( 'Exclusions', 'matomo' );
 	}
 
-	public function show_settings() {
+	public function show_settings( $throw_exception = false ) {
 		global $wp_roles;
-
-		$was_updated = $this->update_if_submitted();
+		$settings_errors = [];
+		$was_updated     = false;
+		try {
+			$was_updated = $this->update_if_submitted();
+		} catch ( InvalidIpException $e ) {
+			$settings_errors[] = $e->getMessage();
+			if ( $throw_exception ) {
+				throw $e;
+			}
+		}
 
 		Bootstrap::do_bootstrap();
 
@@ -68,7 +76,11 @@ private function update_if_submitted() {
 			if ( isset( $post['excluded_ips'] ) ) {
 				$ips = $this->to_comma_list( $post['excluded_ips'] );
 				if ( $ips !== $api->getExcludedIpsGlobal() ) {
-					$api->setGlobalExcludedIps( $ips );
+					try {
+						$api->setGlobalExcludedIps( $ips );
+					} catch ( \Exception $e ) {
+						throw new InvalidIpException( $e->getMessage() );
+					}
 				}
 			}
 

diff --git a/classes/WpMatomo/Admin/InvalidIpException.php b/classes/WpMatomo/Admin/InvalidIpException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace WpMatomo\Admin;
+
+class InvalidIpException extends \Exception {
+
+}
diff --git a/classes/WpMatomo/Admin/views/exclusion_settings.php b/classes/WpMatomo/Admin/views/exclusion_settings.php
@@ -26,13 +26,16 @@
 /** @var string $excluded_query_params */
 /** @var bool|string|int $keep_url_fragments */
 /** @var Settings $settings */
-
+/** @var string[] $settings_errors */
 ?>
 
 <?php
 if ( $was_updated ) {
 	include 'update_notice_clear_cache.php';
 }
+if ( count( $settings_errors ) ) {
+	include 'settings_errors.php';
+}
 ?>
 <?php if ( $settings->is_network_enabled() && is_network_admin() ) { ?>
 	<h2>Exclusion settings</h2>
@@ -119,7 +122,7 @@
 					<br/>
 					<?php echo esc_html( Piwik::translate( 'SitesManager_GlobalListExcludedUserAgents_Desc' ) ); ?>
 					<?php echo esc_html( Piwik::translate( 'SitesManager_GlobalExcludedUserAgentHelp2' ) ); ?>
-
+					<?php echo esc_html( Piwik::translate( 'SitesManager_GlobalExcludedUserAgentHelp3', '/bot|spider|crawl|scanner/i' ) ); ?>
 				</td>
 			</tr>
 			<tr>

diff --git a/tests/phpunit/wpmatomo/admin/test-exclusionsettings.php b/tests/phpunit/wpmatomo/admin/test-exclusionsettings.php
@@ -6,6 +6,7 @@
 use Piwik\Plugins\SitesManager\API;
 use WpMatomo\Admin\ExclusionSettings;
 use WpMatomo\Capabilities;
+use WpMatomo\Admin\InvalidIpException;
 
 class AdminExclusionSettingsTest extends MatomoAnalytics_TestCase {
 
@@ -52,5 +53,87 @@ public function test_show_settings_does_change_any_values_if_nonce() {
 		$this->assertNotEmpty( API::getInstance()->getKeepURLFragmentsGlobal() );
 	}
 
+	public function test_validate_ip() {
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => '127.0.0.1',
+		);
+		$_REQUEST['_wpnonce']                  = wp_create_nonce( ExclusionSettings::NONCE_NAME );
+		$_SERVER['REQUEST_URI']                = home_url();
+
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertTrue( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertFalse( true );
+		}
 
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => '1.2.3.4/24',
+		);
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertTrue( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertFalse( true );
+		}
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => '1.2.3.*',
+		);
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertTrue( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertFalse( true );
+		}
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => '1.2.*.*',
+		);
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertTrue( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertFalse( true );
+		}
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => '350.17.24.23',
+		);
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertFalse( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertTrue( true );
+		}
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => 'not an ip',
+		);
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertFalse( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertTrue( true );
+		}
+		$_POST[ ExclusionSettings::FORM_NAME ] = array(
+			'excluded_ips' => '192.168.0.1/32',
+		);
+		try {
+			ob_start();
+			$this->exclusion_settings->show_settings( true );
+			ob_get_clean();
+			$this->assertFalse( true );
+		} catch ( InvalidIpException $e ) {
+			$this->assertTrue( true );
+		}
+	}
 }