Short-circuit validate_url() when attempting validation requests to other sites (which will always fail)

Author: westonruter

includes/validation/class-amp-validation-manager.php

@@ -1757,6 +1757,24 @@ public static function validate_after_plugin_activation() {
 		return $validation_errors;
 	}
 
+	/**
+	 * Validate a URL to be validated.
+	 *
+	 * @param string $url URL.
+	 * @return string|WP_Error Validated URL or else error.
+	 */
+	private static function validate_validation_url( $url ) {
+		$validated_url = wp_validate_redirect( $url );
+		if ( ! $validated_url ) {
+			return new WP_Error(
+				'http_request_failed',
+				/* translators: %s is the URL being redirected to. */
+				sprintf( __( 'Unable to validate a URL on another site. Attempted to validate: %s', 'amp' ), $url )
+			);
+		}
+		return $validated_url;
+	}
+
 	/**
 	 * Validates a given URL.
 	 *
@@ -1783,7 +1801,13 @@ public static function validate_url( $url ) {
 			self::VALIDATE_QUERY_VAR   => self::get_amp_validate_nonce(),
 			self::CACHE_BUST_QUERY_VAR => wp_rand(),
 		];
-		$validation_url   = add_query_arg( $added_query_vars, $url );
+
+		// Ensure the URL to be validated is on the site.
+		$validation_url = self::validate_validation_url( $url );
+		if ( is_wp_error( $validation_url ) ) {
+			return $validation_url;
+		}
+		$validation_url = add_query_arg( $added_query_vars, $validation_url );
 
 		$r = null;
 
@@ -1823,13 +1847,12 @@ public static function validate_url( $url ) {
 				$location_header = preg_replace( '#(^https?://[^/]+)/.*#', '$1', home_url( '/' ) ) . $location_header;
 			}
 
-			// Block redirecting to a different host.
-			$location_header = wp_validate_redirect( $location_header );
-			if ( ! $location_header ) {
-				break;
+			// Prevent following a redirect to another site, which won't work for validation anyway.
+			$validation_url = self::validate_validation_url( $location_header );
+			if ( is_wp_error( $validation_url ) ) {
+				return $validation_url;
 			}
-
-			$validation_url = add_query_arg( $added_query_vars, $location_header );
+			$validation_url = add_query_arg( $added_query_vars, $validation_url );
 		}
 
 		if ( is_wp_error( $r ) ) {

tests/php/validation/test-class-amp-validation-manager.php

@@ -2317,6 +2317,41 @@ public function test_validate_url( $validation_errors, $after_matter ) {
 		remove_filter( 'pre_http_request', $filter );
 	}
 
+	/**
+	 * Test for validate_url() for a URL on another site.
+	 *
+	 * @covers AMP_Validation_Manager::validate_url()
+	 */
+	public function test_validate_url_on_another_site() {
+		$r = AMP_Validation_Manager::validate_url( 'https://another-site.example.com/' );
+		$this->assertInstanceOf( WP_Error::class, $r );
+		$this->assertEquals( 'http_request_failed', $r->get_error_code() );
+		$this->assertStringStartsWith( 'Unable to validate a URL on another site. Attempted to validate: https://another-site.example.com/', $r->get_error_message() );
+	}
+
+	/**
+	 * Test for validate_url() for a URL that redirects to another site.
+	 *
+	 * @covers AMP_Validation_Manager::validate_url()
+	 */
+	public function test_validate_url_for_redirect_to_another_site() {
+		$filter = static function() {
+			return [
+				'response' => [
+					'code' => 301,
+				],
+				'headers'  => [
+					'Location' => 'https://redirected-site.example.com/',
+				],
+			];
+		};
+		add_filter( 'pre_http_request', $filter );
+		$r = AMP_Validation_Manager::validate_url( home_url() );
+		$this->assertInstanceOf( WP_Error::class, $r );
+		$this->assertEquals( 'http_request_failed', $r->get_error_code() );
+		$this->assertStringStartsWith( 'Unable to validate a URL on another site. Attempted to validate: https://redirected-site.example.com/', $r->get_error_message() );
+	}
+
 	/**
 	 * @covers AMP_Validation_Manager::serialize_validation_error_messages()
 	 * @covers AMP_Validation_Manager::unserialize_validation_error_messages()