Security: reject unsafe manifest plugin paths during site import

[vuckro]

Summary

move_and_activate_plugins() builds rename() / activate_plugin() targets
from the plugin keys of the imported site manifest (untrusted JSON inside the
import package). Those keys were used without validation, so a crafted manifest
could use a path-traversal key (e.g. ../../..) to relocate files or activate a
PHP file outside WP_PLUGIN_DIR — a second-order path-traversal /
arbitrary-inclusion risk when a network admin imports a site package from an
untrusted source (e.g. a template marketplace).

Changes

Validate each plugin key before use: reject non-strings, absolute paths, NUL
bytes and any parent-directory (..) segment, skipping them with a warning.

The import action itself remains network-admin-gated; this hardens what a
malicious package can do once an admin chooses to import it.

[coderabbitai]

Warning

Review limit reached

@vuckro, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 12 minutes and 9 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 235d152a-6934-4a99-9161-511c2379d2bd

📥 Commits

Reviewing files that changed from the base of the PR and between 1310078 and 123fb62.

📒 Files selected for processing (1)

• inc/site-exporter/mu-migration/includes/commands/class-mu-migration-import.php

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}