Title: Code Review – Make WordPress.org

---

#  Tag Archives: Code Review

[Ian Dunn](https://profiles.wordpress.org/iandunn/)
7:47 pm on November 17, 2015
Tags: [Code Review](https://make.wordpress.org/meta/tag/code-review/), [security](https://make.wordpress.org/meta/tag/security/),
[wordcamp.org](https://make.wordpress.org/meta/tag/wordcamp-org/)

# [Security Audit for WordCamp Remote CSS Plugin](https://make.wordpress.org/meta/2015/11/17/security-audit-for-wordcamp-remote-css-plugin/)

**UPDATE:** The plugin [has been deployed](https://make.wordpress.org/community/2015/11/24/remote-css-plugin-launched-on-wordcamp-org/),
so please disclose any vulnerabilities privately, either [on HackerOne](https://hackerone.com/automattic),
or by pinging me privately on [Slack](https://chat.wordpress.org).

---

The [WordCamp Remote CSS](https://make.wordpress.org/community/2015/06/16/editing-wordcamp-css-locally-with-git/)
plugin is ready to deploy, but before I do that, I want to get some extra eyes on
a few potential attack vectors.

The plugin lets organizers develop their CSS with any tools/environments/platforms
they want (rather than in a browser with Jetpack’s CSS editor), and then the plugin
will download a copy of the CSS file from a remote server, sanitize it, cache it
locally, and enqueue it as an extra stylesheet.

You can [browse the source on GitHub](https://github.com/iandunn/wordcamp-remote-css).
(It’ll be moved to the Meta repo before it’s deployed.)

These are what I see as the weakest points, and why I think they’re safe:

 * [validate_remote_css_url()](https://github.com/iandunn/wordcamp-remote-css/blob/b7c0f3a3c5b9423edef5fdc1c202740be2b522bc/app/user-interface.php#L185) –
   This makes sure the file we’re about to download meets our expectations. If this
   allowed any URL, it’d be open to SSRF attacks. To avoid that, only specific
   platforms (like GitHub) are supported. Additionally, only URLs with a _.css_
   extension are allowed.
 * [output_cached_css()](https://github.com/iandunn/wordcamp-remote-css/blob/b7c0f3a3c5b9423edef5fdc1c202740be2b522bc/app/output-cached-css.php#L93) –
   This outputs the user’s CSS on the front-end, after it’s been sanitized. There’s
   no escaping, because it’s CSS, but it’s already been sanitized. The correct
   content-type header is sent, to prevent browsers from interpreting it as HTML.
   I guess if the database is compromised, the content could be manipulated, but
   if that happens then there’s probably a hundred different things the attacker
   could do, so I don’t think there’s really anything to do in that case.
 * [webhook_handler()](https://github.com/iandunn/wordcamp-remote-css/blob/b7c0f3a3c5b9423edef5fdc1c202740be2b522bc/app/webhook-handler.php#L11) –
   This listens for notifications from webhooks that a repository has been updated,
   and refreshes the cache. It doesn’t require any authentication, because the worst
   an attacker could do would be to force us to unnecessarily refresh the cache.
   To avoid too many requests, though, it is rate-limited.
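To make the SSRF reasoning behind the first point concrete, here is an added example of the kind of allowlist check that validate_remote_css_url() is described as doing. This is illustrative Python written for this review, not the plugin’s PHP code; the allowed host list, the function names and the sample URLs are all assumptions, and the plugin’s real list lives in the linked source. It goes slightly beyond the post by showing the parsing pitfalls a reviewer looks for (userinfo, look-alike hosts, ports, `.css` in a fragment) and by re-validating every hop of a redirect chain rather than only the first URL.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed allowlist for illustration only; the plugin's real list is in its source.
# Hosts are matched exactly, never by substring or prefix, so a look-alike such as
# "raw.githubusercontent.com.evil.example" does not pass.
ALLOWED_HOSTS = frozenset({
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
})


def validate_remote_css_url(url: str) -> str | None:
    """Return None if the URL may be fetched, otherwise a short rejection reason.

    Every check runs on the parsed components, not on the raw string, because
    string matching is exactly what SSRF payloads are built to fool.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "scheme must be https"
    # "https://raw.githubusercontent.com@evil.example/x.css": the allowlisted
    # name is only the userinfo part; the host that gets contacted is evil.example.
    if parts.username is not None or parts.password is not None:
        return "userinfo is not allowed"
    if parts.hostname is None:
        return "missing host"
    if port is not None:
        return "explicit port is not allowed"
    # urlsplit().hostname is already lower-cased, so the comparison is case-insensitive.
    if parts.hostname not in ALLOWED_HOSTS:
        return "host is not on the allowlist"
    # Check the extension on the path only: a query or fragment ending in ".css"
    # must not satisfy the check for a ".php" path.
    if not parts.path.lower().endswith(".css"):
        return "path must end in .css"
    return None


def validate_redirect_chain(hops: list[str]) -> str | None:
    """Re-validate each URL in a redirect chain (original request plus every Location).

    An allowlisted host that redirects elsewhere is the classic allowlist bypass,
    so every hop has to pass the same check as the first one.
    """
    for hop in hops:
        reason = validate_remote_css_url(hop)
        if reason is not None:
            return f"{hop}: {reason}"
    return None


if __name__ == "__main__":
    # Constructed sample inputs; the repository paths are made up for the demo.
    samples = [
        "https://raw.githubusercontent.com/example/wordcamp-css/master/style.css",
        "http://raw.githubusercontent.com/example/wordcamp-css/master/style.css",
        "https://raw.githubusercontent.com@evil.example/style.css",
        "https://raw.githubusercontent.com.evil.example/style.css",
        "https://169.254.169.254/latest/meta-data/style.css",
        "https://raw.githubusercontent.com/example/x.php#style.css",
        "https://raw.githubusercontent.com:8443/example/style.css",
    ]
    for sample in samples:
        print(f"{validate_remote_css_url(sample) or 'OK':34} {sample}")
```

Two caveats worth keeping in mind when reading the plugin’s own check: WordPress’s HTTP API follows redirects by default (the `redirection` argument to `wp_remote_get()` defaults to 5), so the fetch should either pass `'redirection' => 0` or re-validate each hop as the second function above does; and the `.css` extension check constrains only the request URL, while the remote server decides what comes back, which is why the sanitization step on the response still matters.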

Does anyone see anything I’ve missed there, or anywhere else?

If you’d like to test it live, you’ll need to cherry pick [2955-jetpack](https://github.com/Automattic/jetpack/pull/2955).


cc [@kovshenin](https://profiles.wordpress.org/kovshenin/)
