From 3fbebc339ad0f6db1a4cb26bf408ab7add321b56 Mon Sep 17 00:00:00 2001 From: Mike Jolley Date: Mon, 17 Jul 2023 10:37:11 +0100 Subject: [PATCH] Replace sanitization functions to enforce string values --- .../Schemas/V1/AbstractAddressSchema.php | 20 ++++---- .../Schemas/V1/BillingAddressSchema.php | 2 +- tests/php/StoreApi/Routes/Checkout.php | 48 +++++++++++++++++++ 3 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/src/StoreApi/Schemas/V1/AbstractAddressSchema.php b/src/StoreApi/Schemas/V1/AbstractAddressSchema.php
index 3d1e313b4a8..77b2198cbba 100644
--- a/src/StoreApi/Schemas/V1/AbstractAddressSchema.php
+++ b/src/StoreApi/Schemas/V1/AbstractAddressSchema.php
@@ -92,16 +92,16 @@ public function sanitize_callback( $address, $request, $param ) {
 $validation_util = new ValidationUtils();
 $address = array_merge( array_fill_keys( array_keys( $this->get_properties() ), '' ), (array) $address );
- $address['country'] = wc_strtoupper( wc_clean( wp_unslash( $address['country'] ) ) );
- $address['first_name'] = wc_clean( wp_unslash( $address['first_name'] ) );
- $address['last_name'] = wc_clean( wp_unslash( $address['last_name'] ) );
- $address['company'] = wc_clean( wp_unslash( $address['company'] ) );
- $address['address_1'] = wc_clean( wp_unslash( $address['address_1'] ) );
- $address['address_2'] = wc_clean( wp_unslash( $address['address_2'] ) );
- $address['city'] = wc_clean( wp_unslash( $address['city'] ) );
- $address['state'] = $validation_util->format_state( wc_clean( wp_unslash( $address['state'] ) ), $address['country'] );
- $address['postcode'] = $address['postcode'] ? wc_format_postcode( wc_clean( wp_unslash( $address['postcode'] ) ), $address['country'] ) : '';
- $address['phone'] = wc_clean( wp_unslash( $address['phone'] ) );
+ $address['country'] = wc_strtoupper( sanitize_text_field( wp_unslash( $address['country'] ) ) );
+ $address['first_name'] = sanitize_text_field( wp_unslash( $address['first_name'] ) );
+ $address['last_name'] = sanitize_text_field( wp_unslash( $address['last_name'] ) );
+ $address['company'] = sanitize_text_field( wp_unslash( $address['company'] ) );
+ $address['address_1'] = sanitize_text_field( wp_unslash( $address['address_1'] ) );
+ $address['address_2'] = sanitize_text_field( wp_unslash( $address['address_2'] ) );
+ $address['city'] = sanitize_text_field( wp_unslash( $address['city'] ) );
+ $address['state'] = $validation_util->format_state( sanitize_text_field( wp_unslash( $address['state'] ) ), $address['country'] );
+ $address['postcode'] = $address['postcode'] ? wc_format_postcode( sanitize_text_field( wp_unslash( $address['postcode'] ) ), $address['country'] ) : '';
+ $address['phone'] = sanitize_text_field( wp_unslash( $address['phone'] ) );
 return $address;
 }
diff --git a/src/StoreApi/Schemas/V1/BillingAddressSchema.php b/src/StoreApi/Schemas/V1/BillingAddressSchema.php
index 0ae1ca68e56..80fb83a8b78 100644
--- a/src/StoreApi/Schemas/V1/BillingAddressSchema.php
+++ b/src/StoreApi/Schemas/V1/BillingAddressSchema.php
@@ -54,7 +54,7 @@ public function get_properties() {
 */
 public function sanitize_callback( $address, $request, $param ) {
 $address = parent::sanitize_callback( $address, $request, $param );
- $address['email'] = wc_clean( wp_unslash( $address['email'] ) );
+ $address['email'] = sanitize_text_field( wp_unslash( $address['email'] ) );
 return $address;
 }
diff --git a/tests/php/StoreApi/Routes/Checkout.php b/tests/php/StoreApi/Routes/Checkout.php
index 5af95a114d0..1c43f21ed8b 100644
--- a/tests/php/StoreApi/Routes/Checkout.php
+++ b/tests/php/StoreApi/Routes/Checkout.php
@@ -19,6 +19,8 @@
 /**
 * Checkout Controller Tests.
+ *
+ * phpcs:disable WordPress.PHP.DevelopmentFunctions.error_log_print_r, WooCommerce.Commenting.CommentHooks.MissingHookComment
 */
 class Checkout extends MockeryTestCase {
 /**
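Review bot: The switch to `sanitize_text_field()` makes non-string field values disappear rather than fail: WordPress's `sanitize_text_field()` returns `''` for arrays and objects and casts `null` to `''`, whereas `wc_clean()` recursed into arrays and passed other non-scalars through, so a client sending an array for `address_2`, `company` or `phone` now gets a silently emptied field, and for a required field presumably a "missing value" error rather than a type error. If that coercion is the intended contract it deserves a comment on the first sanitized line, e.g. `// sanitize_text_field() returns '' for arrays/objects, so every field is a plain string after this point; wrong-type input is emptied here, not rejected.`; otherwise the schema's validation should reject non-string input explicitly before sanitization runs. The `email` line in the BillingAddressSchema hunk has the same property. sanitize_callback's signature and docblock lie outside this hunk.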
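Review bot: The `phpcs:disable` added to the class docblock switches off both sniffs for the entire test class, while the only `print_r()` this commit introduces is the assertion message in `test_checkout_invalid_address_data` later in the patch. A line-scoped `// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r` on that `assertEquals()` line keeps the rest of the file under the sniff. The `WooCommerce.Commenting.CommentHooks.MissingHookComment` exclusion has no visible justification in this diff; if it is needed for code elsewhere in the file, a short reason next to the directive would help the next reader.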
@@ -385,4 +387,50 @@ public function test_checkout_force_create_account() {
 $customer = get_user_by( 'id', $data['customer_id'] );
 $this->assertEquals( $customer->user_email, 'testaccount@test.com' );
 }
+
+ /**
+ * Test account creation options.
+ */
+ public function test_checkout_invalid_address_data() {
+ $request = new \WP_REST_Request( 'POST', '/wc/store/v1/checkout' );
+ $request->set_header( 'Nonce', wp_create_nonce( 'wc_store_api' ) );
+ $request->set_body_params(
+ array(
+ 'billing_address' => (object) array(
+ 'first_name' => 'test',
+ 'last_name' => array(
+ 'invalid' => 'invalid_data',
+ ),
+ 'company' => '',
+ 'address_1' => 'test',
+ 'address_2' => '',
+ 'city' => 'test',
+ 'state' => '',
+ 'postcode' => 'cb241ab',
+ 'country' => 'GB',
+ 'phone' => '',
+ 'email' => 'testaccount@test.com',
+ ),
+ 'shipping_address' => (object) array(
+ 'first_name' => 'test',
+ 'last_name' => 'test',
+ 'company' => '',
+ 'address_1' => 'test',
+ 'address_2' => '',
+ 'city' => 'test',
+ 'state' => '',
+ 'postcode' => 'cb241ab',
+ 'country' => 'GB',
+ 'phone' => '',
+ ),
+ 'payment_method' => 'bacs',
+ )
+ );
+
+ $response = rest_get_server()->dispatch( $request );
+ $status = $response->get_status();
+ $data = $response->get_data();
+
+ $this->assertEquals( 400, $status, print_r( $data, true ) );
+ }
 }
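Review bot: The new test asserts only the 400 status, so any rejection — a nonce, cart or payment-method problem included — passes it without proving that the array-valued `last_name` is what tripped validation; asserting on the error payload as well, e.g. `$this->assertEquals( 'rest_invalid_param', $data['code'], print_r( $data, true ) );` or on the offending parameter name under `$data['data']`, whichever this route returns, pins the behaviour the commit is about. The docblock `Test account creation options.` is copied from the preceding test and should describe this one, e.g. `Test that non-string address field values are rejected with a 400.` A second case sending a non-string value for an optional field such as `address_2` would also show whether such input is rejected or silently emptied.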