Security Audit for WordCamp Remote CSS Plugin

UPDATE: The pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the Plugin Directory or can be cost-based plugin from a third-party has been deployed, so please disclose any vulnerabilities privately, either on Hacker1, or by pinging me privately on Slack.

The WordCamp Remote CSS plugin is ready to deployDeploy Launching code from a local development environment to the production web server, so that it's available to visitors., but before I do that, I want to get some extra eyes on a few potential attack vectors.

The plugin lets organizers develop their CSSCSS CSS is an acronym for cascading style sheets. This is what controls the design or look and feel of a site. with any tools/environments/platforms they want (rather than in a browser with Jetpack’s CSS editor), and then the plugin will download a copy of the CSS file from a remote server, sanitize it, cache it locally, and enqueue it as an extra stylesheet.

You can browse the source on GitHub. (It’ll be moved to the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. repo before it’s deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors..)

These are what I see as the weakest points, and why I think they’re safe:

  • validate_remote_css_url() – This makes sure the file we’re about to download meets our expectations. If this allowed any URLURL A specific web address of a website or web page on the Internet, such as a website’s URL, it’d be open to SSRF attacks. To avoid that, only specific platforms (like GitHubGitHub GitHub is a website that offers online implementation of git repositories that can can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. are supported. Additionally, only URLs with a .css extension are allowed.
  • output_cached_css() – This outputs the user’s CSS on the front-end, after it’s been sanitized. There’s no escaping, because it’s CSS, but it’s already been sanitized. The correct content-type headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. is sent, to prevent browsers from interpreting it as HTMLHTML HTML is an acronym for Hyper Text Markup Language. It is a markup language that is used in the development of web pages and websites.. I guess if the database is compromised, the content could be manipulated, but if that happens then there’s probably a hundred different things the attacker could do, so I don’t think there’s really anything to do in that case.
  • webhook_handler() – This listens for notifications from webhooks that a repository has been updated, and refreshes the cache. It doesn’t require any authentication, because the worst an attacker could do would be to force us to unnecessarily refresh the cache. To avoid too many requests, though, it is rate-limited.

Does anyone see anything I’ve missed there, or anywhere else?

If you’d like to test it live, you’ll need to cherry pick 2955-jetpack.


cc @kovshenin

#code-review, #security, #wordcamp-org