Changeset 14808

Timestamp:

04/13/2026 03:08:50 AM (4 weeks ago)

Author:

dd32

Message:

Harden the Community Deputies Caneldar webhook.

File:

• sites/trunk/api.wordpress.org/public_html/dotorg/slack/community-deputies-calendly-webhook.php (modified) (3 diffs)

sites/trunk/api.wordpress.org/public_html/dotorg/slack/community-deputies-calendly-webhook.php

@@ -18 +18 @@
     }
 
-    $req = wp_remote_get(
+    if ( 'api.calendly.com' !== parse_url( $url, PHP_URL_HOST ) ) {
+        trigger_error(
+            'Invalid URL provided to api_request, only api.calendly.com URLs are allowed.',
+            E_USER_WARNING
+        );
+
+        return false;
+    }
+
+    $req = wp_safe_remote_get(
         $url,
         [
@@ -41 +50 @@
 
 // Check the request is valid.
-if ( empty( $_GET['secret'] ) || $_GET['secret'] !== COMMUNITY_CALENDLY_SECRET ) {
-    die();
+if ( empty( $_GET['secret'] ) || ! hash_equals( COMMUNITY_CALENDLY_SECRET, $_GET['secret'] ) ) {
+    header( 'HTTP/1.1 403 Forbidden' );
+    die( 'Invalid secret provided.' );
 }
 
@@ -49 +59 @@
 $event               = $request_body_parsed->event ?? '';
 if ( ! $event ) {
-    die();
+    header( 'HTTP/1.1 400 Bad Request' );
+    die( 'Invalid event provided.' );
 }