fix: resolve asset versions #2387
Conversation
|
Code Climate has analyzed commit e01522c and detected 2 issues on this pull request. Here's the issue category breakdown:
View more on Code Climate. |
justlevine
added
type: bug
| @@ -52,7 +52,7 @@ public static function register_type( TypeRegistry $type_registry ) { | |||
| ], | |||
| 'version' => [ | |||
| 'type' => 'String', | |||
| 'description' => __( 'The version of the enqueued asset', 'wp-graphql' ), | |||
| 'description' => __( 'The version of the enqueued asset. Defaults to the current version of WordPress.', 'wp-graphql' ), | |||
There was a problem hiding this comment.
I wonder if we should not disclose this as it could leave sites vulnerable.
If a security report were announced about a specific version of WordPress and folks were able to identify that any given site was using that version from this query, it would help bad actors identify which sites are vulnerable. 🤔
| global $wp_scripts; | ||
|
|
||
| return isset( $script->ver ) && is_string( $script->ver ) ? (string) $script->ver : $wp_scripts->default_version; | ||
| }, |
There was a problem hiding this comment.
along the lines of my other comment, when we default to the current WordPress version, perhaps we should hash it to make it an arbitrary value? maybe something like:
$version = \WPGraphQL\Router::$route . $wp_scripts->default_version;
$hashed_version = md5( $version );
|
@jasonbahl If we're really worried about security, the version number for the asset could also tell malicious actors about vulnerabilities. That said, both a 'naked' version number, and using WP's version as a fallback are default WP behavior, so I'll leave the question to you as to how far we want to stray from core WP? Two possible alternatives:
|
|
Perhaps we leave it as is for now, but leave the comment out of the description. 🤔 |
|
okay I fixed the description |
What does this implement/fix? Explain your changes.
This PR fixes issues with
EnqueuedAssettypes not always having a set version, providing the default version when none is explicitly set.Does this close any currently open issues?
#2297
Any relevant logs, error output, GraphiQL screenshots, etc?
Before:
After:
Any other comments?
Also backfilled tests for some of the other missing
EnqueuedAssetfields:extra,handle,src. Unsure how to testdependencies, since we can't query for a specific asset, nor predict what array position innodeswill contain an asset with a set dependency.Where has this been tested?
Operating System: Ubuntu 20.04 (Wsl2 + devilbox + php 8.0.15)
WordPress Version: 5.9.3