Skip to content

Security: allow-list the model identifier in Limitations::remove_limitations#1375

Open
vuckro wants to merge 1 commit into
Ultimate-Multisite:mainfrom
vuckro:security/limitations-sqli-allowlist
Open

Security: allow-list the model identifier in Limitations::remove_limitations#1375
vuckro wants to merge 1 commit into
Ultimate-Multisite:mainfrom
vuckro:security/limitations-sqli-allowlist

Conversation

@vuckro

@vuckro vuckro commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Limitations::remove_limitations() interpolated its $slug argument straight
into the meta table name and the id column name of a DELETE query.
$slug originates from request input (model) in
handle_confirm_limitations_reset(), and wu_request() does not make a value
identifier-safe, so a crafted value could inject SQL through the identifier
(the bound %d id is safe; the identifier is not).

Changes

Validate $slug against a fixed allow-list of the models that actually carry
limitations (membership, product, customer, site) before it is used to
build any SQL.

Compatibility

All legitimate callers pass one of the allow-listed models, so the reset flow is
unchanged.

Part of a small series of focused security hardening PRs. Full technical detail
is available privately to the maintainers on request (coordinated disclosure).

@claude
fix(security): allow-list the model identifier in Limitations::remove…
b74f4f5 
…_limitations

remove_limitations() interpolated its $slug argument straight into the meta
table name and the id column name of a DELETE query. $slug originates from
the request ('model') in handle_confirm_limitations_reset(), and wu_request()
does not make a value identifier-safe, so a crafted model value could inject
SQL through the table/column identifier.

Validate $slug against a fixed allow-list of the models that actually carry
limitations (membership, product, customer, site) before it is used to build
any SQL.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@vuckro, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 54 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cfce9c21-66be-475e-a554-7aec0f82c9bd

📥 Commits

Reviewing files that changed from the base of the PR and between 1310078 and b74f4f5.

📒 Files selected for processing (1)
  • inc/objects/class-limitations.php
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@superdav42 superdav42 mentioned this pull request Jun 10, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vuckro