Merge pull request #1155 from Codeinwp/bugfix/pro/938

Prevent SSRF vulnerability

Author: vytisbulkevicius

includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php

@@ -284,8 +284,9 @@ public function feedzy_register_rest_route() {
 			array(
 				'methods'             => 'POST',
 				'callback'            => array( $this, 'feedzy_rest_route' ),
-				'permission_callback' => function () {
-					return is_user_logged_in();
+				'permission_callback' => function ( WP_REST_Request $request ) {
+					$post_id = absint( $request->get_param( 'postId' ) );
+					return current_user_can( 'edit_post', $post_id );
 				},
 				'args'                => array(
 					'url'      => array(
@@ -398,12 +399,14 @@ public function feedzy_rest_route( $data ) {
 	 */
 	public function feedzy_sanitize_feeds( $input ) {
 		if ( count( $input ) === 1 ) {
-			$feed = esc_url( $input[0] );
+			$feed = wp_http_validate_url( $input[0] );
 			return $feed;
 		} else {
 			$feeds = array();
 			foreach ( $input as $item ) {
-				$feeds[] = esc_url( $item );
+				if ( wp_http_validate_url( $item ) ) {
+					$feeds[] = esc_url_raw( $item );
+				}
 			}
 			return $feeds;
 		}

js/FeedzyBlock/Editor.js

@@ -194,11 +194,12 @@ class Editor extends Component {
 				.filter((item) => item !== '');
 			url = queryString.stringify({ url }, { arrayFormat: 'bracket' });
 		}
+		const postId = wp.data.select('core/editor').getCurrentPostId();
 
 		apiFetch({
 			path: `/feedzy/v1/feed?${url}`,
 			method: 'POST',
-			data: this.props.attributes,
+			data: {...this.props.attributes, postId: postId},
 		})
 			.then((data) => {
 				if (this.unmounting) {