GHSA-cfh4-7wq9-6pgg

add_filter( 'graphql_pre_resolve_field', function( $nil, $source, $args, $context, \GraphQL\Type\Definition\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) { if ( $info->fieldName !== 'createMediaItem' ) { return $nil; } $input = $args['input'] ?? null; if ( ! isset( $input['filePath'] ) ) { return $nil; } $uploaded_file_url = $input['filePath']; // Check that the filetype is allowed $check_file = wp_check_filetype( $uploaded_file_url ); // if the file doesn't pass the check, throw an error if ( ! $check_file['ext'] || ! $check_file['type'] || ! wp_http_validate_url( $uploaded_file_url ) ) { throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid filePath "%s"', 'wp-graphql' ), $input['filePath'] ) ); } $protocol = wp_parse_url( $input['filePath'], PHP_URL_SCHEME ); // prevent the filePath from being submitted with a non-allowed protocols $allowed_protocols = [ 'https', 'http', 'file' ]; if ( ! in_array( $protocol, $allowed_protocols, true ) ) { throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid protocol. "%1$s". Only "%2$s" allowed.', 'wp-graphql' ), $protocol, implode( '", "', $allowed_protocols ) ) ); } return $nil; }, 10, 9 );