<?php
require_once(__DIR__ . '/audit-log/wfAuditLogObserversWordPressCoreUser.php');
require_once(__DIR__ . '/audit-log/wfAuditLogObserversWordPressCoreSite.php');
require_once(__DIR__ . '/audit-log/wfAuditLogObserversWordPressCoreMultisite.php');
require_once(__DIR__ . '/audit-log/wfAuditLogObserversWordPressCoreContent.php');
require_once(__DIR__ . '/audit-log/wfAuditLogObserversWordfence.php');
require_once(__DIR__ . '/audit-log/wfAuditLogObserversPreview.php');
/**
* Class wfAuditLog
*
* Hooks into a variety of actions/filters to collect relevant data that can be recorded in an audit log. The data
* collected is focused around attack surfaces such as user registration and content insertion, but all attempts are
* made to exclude potentially sensitive values from being recorded (e.g., for user profile changes, only the field
* names are recorded).
*
* Data is recorded into an intermediate table on the site itself, and a send action is scheduled. When this action
* triggers, a send payload up to the maximum transmit count is generated. The payload is then automatically expanded so
* that no partial request is sent, only full requests. Once sent, these are removed from the intermediate table, and
* we check to see if there are more remaining to be sent, scheduling another send if so.
*
* Because of how some of the hooks are called, there are three different points at which data may be recorded:
*
* 1. At the moment the hook is called. This is most common and used for one-off actions where the recording should be
* performed at that time.
* 2. Pre-filters/actions. For these, an earlier hook in the flow is listened for, and we record state data for later
* use by the desired hook. This is typically used for deletions where we want some value from the record before it
* gets deleted.
* 3. At the end of the request. For actions that may reasonably called multiple times in the same request (e.g., adding
* multiple capabilities to a role), we only need to record a single record of that action so this is done via a
* coalescer at the end just prior to the request ending.
*
* Some hooks do record for multiple events due to how overloaded some data structures are in WP. For example, many
* types are ultimately stored in `wp_posts` despite not being posts so the hooks surrounding that must check for the
* context to determine which event to actually record.
*/
class wfAuditLog {
const AUDIT_LOG_MODE_DEFAULT = 'default'; //Resolves to one of the below based on license type
const AUDIT_LOG_MODE_DISABLED = 'disabled';
const AUDIT_LOG_MODE_PREVIEW = 'preview';
const AUDIT_LOG_MODE_SIGNIFICANT = 'significant';
const AUDIT_LOG_MODE_ALL = 'all';
//These category constants are used to divide events into the groupings in the event listing, one per event even if the event could fit under multiple
const AUDIT_LOG_CATEGORY_AUTHENTICATION = 'authentication';
const AUDIT_LOG_CATEGORY_USER_PERMISSIONS = 'user-permissions';
const AUDIT_LOG_CATEGORY_PLUGINS_THEMES_UPDATES = 'plugins-themes-updates';
const AUDIT_LOG_CATEGORY_SITE_SETTINGS = 'site-settings';
const AUDIT_LOG_CATEGORY_MULTISITE = 'multisite';
const AUDIT_LOG_CATEGORY_CONTENT = 'content';
const AUDIT_LOG_CATEGORY_FIREWALL = 'firewall';
const AUDIT_LOG_MAX_SAMPLES = 20; //Max number of requests to store in the local summary, each of which may have one or more events
const AUDIT_LOG_HEARTBEAT = 'heartbeat'; //A unique event that is sent to signal the audit log is functioning even if no other events have triggered, not displayed on the front end
private $_pending = array();
private $_coalescers = array();
private $_destructRegistered = false;
private $_state = array();
private $_performingFinalization = false;
protected static $initialCoreVersion;
protected static $initialMode;
public static function shared() {
static $_shared = null;
if ($_shared === null) {
$_shared = new wfAuditLog();
}
return $_shared;
}
/**
* Returns the events that will cause an immediate send rather than waiting for the cron event to execute.
* Individual observer grouping subclasses must override this and return their subset of the event categories. The
* primary audit log class will return an array of all observer groupings merged together.
*
* @return array
*/
public static function immediateSendEvents() {
static $eventCache = null;
if ($eventCache === null) {
$eventCache = array();
$observers = self::_observers();
foreach ($observers as $o) {
$merging = call_user_func(array($o, 'immediateSendEvents'));
$eventCache = array_merge($eventCache, $merging);
}
}
return $eventCache;
}
/**
* Returns the event categories for use in the Audit Log page's UI. Individual observer grouping subclasses
* must override this and return their subset of the event categories. The primary audit log class will return an
* array of all observer groupings merged together.
*
*
* @return array
*/
public static function eventCategories() {
static $categoryCache = null;
if ($categoryCache === null) {
$categoryCache = array();
$observers = self::_observers();
foreach ($observers as $o) {
$merging = call_user_func(array($o, 'eventCategories'));
foreach ($merging as $category => $events) {
if (isset($categoryCache[$category])) {
$categoryCache[$category] = array_merge($categoryCache[$category], $events);
}
else {
$categoryCache[$category] = $events;
}
}
}
}
return $categoryCache;
}
/**
* Returns the category for $event, null if not found.
*
* @param string $event
* @return string|null
*/
public static function eventCategory($event) {
static $reverseCategoryMapCache = null;
if ($reverseCategoryMapCache === null) {
$reverseCategoryMapCache = array();
$categories = self::eventCategories();
foreach ($categories as $category => $events) {
$reverseCategoryMapCache = array_merge($reverseCategoryMapCache, array_fill_keys($events, $category));
}
}
if (isset($reverseCategoryMapCache[$event])) {
return $reverseCategoryMapCache[$event];
}
return null;
}
/**
* Returns the event names suitable for display in the Audit Log page's UI. Individual observer grouping subclasses
* must override this and return their subset of the event names. The primary audit log class will return an array
* of all observer groupings merged together.
*
*
* @return array
*/
public static function eventNames() {
static $nameCache = null;
if ($nameCache === null) {
$nameCache = array();
$observers = self::_observers();
foreach ($observers as $o) {
$nameCache = array_merge($nameCache, call_user_func(array($o, 'eventNames')));
}
}
return $nameCache;
}
/**
* Returns the display name for the given event identifier.
*
* @param string $event
* @return string
*/
public static function eventName($event) {
$map = self::eventNames();
if (isset($map[$event])) {
return $map[$event];
}
return __('Unknown Events', 'wordfence');
}
/**
* Returns the event rate limiters for use in preprocessing events that occur. A rate limiter for an event type
* should use the passed $auditLog and $payload values to determine whether the proposed event should be recorded.
* The primary audit log class will return an array of all observer groupings merged together.
*
*
* @return array
*/
public static function eventRateLimiters() {
static $rateLimiterCache = null;
if ($rateLimiterCache === null) {
$rateLimiterCache = array();
$observers = self::_observers();
foreach ($observers as $o) {
$rateLimiterCache = array_merge($rateLimiterCache, call_user_func(array($o, 'eventRateLimiters')));
}
}
return $rateLimiterCache;
}
/**
* Consumes the rate limiter by setting a transient for the given $ttl. Currently this just allows a bucket of one,
* but this could be refactored in the future to allow variable rate limits.
*
* @param string $event
* @param string $payloadSignature
* @param int $ttl Default is 10 minutes
*/
protected static function _rateLimiterConsume($event, $payloadSignature, $ttl = 600) {
$key = 'wordfenceAuditEvent:' . $event . ':' . $payloadSignature;
set_transient($key, time(), $ttl);
}
/**
* Returns whether or not the rate limiter is available. The return value is `true` if it is, otherwise `false`.
*
* @param string $event
* @param string $payloadSignature
* @return bool
*/
protected static function _rateLimiterCheck($event, $payloadSignature) {
$key = 'wordfenceAuditEvent:' . $event . ':' . $payloadSignature;
return !get_transient($key);
}
/**
* Recursively computes a hash for the given payload in a deterministic way. This may be used in rate limiter
* implementations for deduplication checks.
*
* @param mixed $payload
* @param null|HashContext $hasher
* @return bool|string
*/
protected static function _normalizedPayloadHash($payload, $hasher = null) {
$first = is_null($hasher);
if ($first) {
$hasher = hash_init('sha256');
}
if (is_array($payload) || is_object($payload)) {
$payload = (array) $payload;
$keys = array_keys($payload);
sort($keys, SORT_REGULAR);
foreach ($keys as $k) {
$v = $payload[$k];
hash_update($hasher, $k);
self::_normalizedPayloadHash($v, $hasher);
}
}
else if (is_scalar($payload)) {
hash_update($hasher, $payload);
}
if ($first) {
return hash_final($hasher);
}
return true;
}
/**
* Returns an array of all observer groupings.
*
* @return array
*/
private static function _observers() {
return array(
wfAuditLogObserversWordPressCoreUser::class,
wfAuditLogObserversWordPressCoreSite::class,
wfAuditLogObserversWordPressCoreMultisite::class,
wfAuditLogObserversWordPressCoreContent::class,
wfAuditLogObserversWordfence::class,
);
}
/**
* Registers the observers for this class's chunk of functionality that should run regardless of other settings.
* These observers are expected to do their own check and application of settings like the audit log's mode or
* the `Participate in the Wordfence Security Network` setting.
*
* @param wfAuditLog $auditLog
*/
protected static function _registerForcedObservers($auditLog) {
//Individual forced observer groupings may override this
}
/**
* Registers the observers for this class's chunk of functionality.
*
* @param wfAuditLog $auditLog
*/
protected static function _registerObservers($auditLog) {
//Individual observer groupings will override this
}
/**
* Registers the data gatherers for this class's chunk of functionality. These are secondary hooks to support
* intermediate data gathering (e.g., grabbing the user attempting to authenticate even if it fails)
*
* @param wfAuditLog $auditLog
*/
protected static function _registerDataGatherers($auditLog) {
//Individual data gatherer groupings will override this
}
/**
* Registers the coalescers for this class's chunk of functionality.
*
* @param wfAuditLog $auditLog
*/
protected static function _registerCoalescers($auditLog) {
//Individual coalescer groupings will override this
}
public static function heartbeat() {
if (wfAuditLog::shared()->mode() != wfAuditLog::AUDIT_LOG_MODE_DISABLED && wfAuditLog::shared()->mode() != wfAuditLog::AUDIT_LOG_MODE_PREVIEW) {
wfAuditLog::shared()->_recordAction(self::AUDIT_LOG_HEARTBEAT);
}
}
/**
* Returns the effective audit log mode after factoring in the active license type and resolving the default based
* on that type. Will be one of the wfAuditLog::AUDIT_LOG_MODE_* constants that is not AUDIT_LOG_MODE_DEFAULT.
*
* @return string
*/
public function mode() {
require(__DIR__ . '/wfVersionSupport.php'); /** @var $wfFeatureWPVersionAuditLog */
require(ABSPATH . WPINC . '/version.php'); /** @var string $wp_version */
if (version_compare($wp_version, $wfFeatureWPVersionAuditLog, '<')) {
return self::AUDIT_LOG_MODE_DISABLED;
}
$mode = wfConfig::get('auditLogMode', self::AUDIT_LOG_MODE_DEFAULT);
$license = wfLicense::current();
if (!$license->isPaidAndCurrent() || !$license->isAtLeastPremium()) {
if ($mode == self::AUDIT_LOG_MODE_DISABLED) {
return $mode;
}
return self::AUDIT_LOG_MODE_PREVIEW;
}
if ($mode == self::AUDIT_LOG_MODE_DEFAULT) {
if (!$license->isAtLeastCare()) {
return self::AUDIT_LOG_MODE_PREVIEW;
}
return self::AUDIT_LOG_MODE_SIGNIFICANT;
}
return $mode;
}
public function registerHooks() {
self::$initialMode = $this->mode();
require(ABSPATH . WPINC . '/version.php'); /** @var string $wp_version */
self::$initialCoreVersion = $wp_version;
$observers = self::_observers();
foreach ($observers as $o) {
call_user_func(array($o, '_registerForcedObservers'), $this);
}
if ($this->mode() == self::AUDIT_LOG_MODE_DISABLED) {
return;
}
if ($this->mode() == self::AUDIT_LOG_MODE_PREVIEW) { //When in preview mode, we register the local-only observers to keep the preview data fresh locally
wfAuditLogObserversPreview::_registerObservers($this);
wfAuditLogObserversPreview::_registerDataGatherers($this);
wfAuditLogObserversPreview::_registerCoalescers($this);
return;
}
foreach ($observers as $o) {
call_user_func(array($o, '_registerObservers'), $this);
call_user_func(array($o, '_registerDataGatherers'), $this);
call_user_func(array($o, '_registerCoalescers'), $this);
}
}
/**
* Convenience method to add a listener for one or more WordPress hooks. This simplifies the normal flow of adding
* a listener by using introspection on the passed callable to pass the correct arguments.
*
* @param array|string $hooks
* @param callable $closure
* @param string $type
*/
protected function _addObserver($hooks, $closure, $type = 'action') {
if (!is_array($hooks)) {
$hooks = array($hooks);
}
try {
$introspection = new ReflectionFunction($closure);
if ($type == 'action') {
foreach ($hooks as $hook) {
add_action($hook, $closure, 1, $introspection->getNumberOfParameters());
}
}
else if ($type == 'filter') {
foreach ($hooks as $hook) {
add_filter($hook, $closure, 1, $introspection->getNumberOfParameters());
}
}
}
catch (Exception $e) {
//Ignore
}
}
protected function _addCoalescer($closure) {
$this->_coalescers[] = $closure;
}
/**
* Returns whether or not a state value exists for the given key/blog pair.
*
* @param string $key
* @param int $id An ID when tracking multiple potential states. May be the blog ID if multisite or a user ID.
* @return bool
*/
protected function _hasState($key, $id = 1) {
if ($id < 0) {
$id = 0;
}
if (!isset($this->_state[$id])) {
return false;
}
return isset($this->_state[$id][$key]);
}
/**
* Stores a state value under the key/blog pair for later use in this request.
*
* @param string $key
* @param mixed $value
* @param int $id An ID when tracking multiple potential states. May be the blog ID if multisite or a user ID.
*/
protected function _trackState($key, $value, $id = 1) {
if ($id < 0) {
$id = 0;
}
if (!isset($this->_state[$id])) {
$this->_state[$id] = array();
}
$this->_state[$id][$key] = $value;
}
/**
* Returns the state value for the key/blog pair if present, otherwise null.
*
* @param string $key
* @param int $id An ID when tracking multiple potential states. May be the blog ID if multisite or a user ID.
* @return mixed|null
*/
protected function _getState($key, $id = 1) {
if ($id < 0) {
$id = 0;
}
if (!isset($this->_state[$id]) || !isset($this->_state[$id][$key])) {
return null;
}
return $this->_state[$id][$key];
}
/**
* Returns all site(s)' state values for $key if present. They keys in the returned array are the blog ID.
*
* @param string $key
* @return array Will have at most 1 entry for single-site, potentially many for multisite when applicable.
*/
protected function _getAllStates($key) {
$result = array();
foreach ($this->_state as $id => $state) {
if (isset($state[$key])) {
$result[$id] = $state[$key];
}
}
return $result;
}
/**
* Record the action and metadata for later sending to the audit log.
*
* @param string $action
* @param array $metadata
* @param bool $appendToExisting When true, does not create a new entry and instead only appends to entries of the same $action
*/
protected function _recordAction($action, $metadata = array(), $appendToExisting = false) {
$rateLimiters = self::eventRateLimiters();
if (isset($rateLimiters[$action])) {
if (!$rateLimiters[$action]($this, $metadata)) {
return;
}
}
if ($appendToExisting) {
foreach ($this->_pending as &$entry) {
if ($entry['action'] == $action) {
$entry['metadata'] = array_merge($entry['metadata'], $metadata);
}
}
return;
}
$path = null;
$body = null;
if (@php_sapi_name() === 'cli' || !array_key_exists('REQUEST_METHOD', $_SERVER)) {
if (isset($_SERVER['argv']) && is_array($_SERVER['argv']) && count($_SERVER['argv']) > 0) {
$path = $_SERVER['argv'][0] . ' ' . implode(' ', array_map(function($p) { return '\'' . addcslashes($p, '\'') . '\''; }, array_slice($_SERVER['argv'], 1)));
$body = array('type' => 'cli', 'files' => array(), 'parameters' => array('argv' => $_SERVER['argv']));
}
$method = 'CLI';
}
else {
$path = $_SERVER['REQUEST_URI'];
$method = $_SERVER['REQUEST_METHOD'];
if ($_SERVER['REQUEST_METHOD'] != 'GET') {
$body = $this->_sanitizeRequestBody();
}
}
$user = wp_get_current_user();
$entry = array(
'action' => $action,
'time' => wfUtils::normalizedTime(),
'metadata' => $metadata,
'context' => array(
'ip' => wfUtils::getIP(),
'path' => $path,
'method' => $method,
'body' => $body,
'user_id' => $user ? $user->ID : 0,
'userdata' => $this->_sanitizeUserdata($user),
),
);
if (is_multisite()) {
$network = get_network();
$blog = get_blog_details();
$entry['multisite'] = $this->_sanitizeMultisiteData($network, $blog);
}
$this->_pending[] = $entry;
$this->_needsDestruct();
}
/**
* Finalizes the pending actions. If cron is disabled or one of the types is on the immedate send list, they are
* finalized by immediately sending to the audit log. Otherwise, they are saved to the intermediate storage table
* and a send is scheduled.
*/
private function _savePending() {
if (!empty($this->_pending)) {
$sendImmediately = false;
$immediateSend = self::immediateSendEvents();
$payload = array();
foreach ($this->_pending as $data) {
$time = $data['time'];
unset($data['time']);
if ($data['action'] == self::AUDIT_LOG_HEARTBEAT) { //Minimize payload for heartbeat
$payload[] = array(
'type' => $data['action'],
'data' => array(),
'event_time' => $time,
);
}
else {
$payload[] = array(
'type' => $data['action'],
'data' => $data,
'event_time' => $time,
);
}
$sendImmediately = ($sendImmediately || in_array($data['action'], $immediateSend));
}
if (defined('DISABLE_WP_CRON') && DISABLE_WP_CRON) {
$sendImmediately = true;
}
if ($sendImmediately && !wfCentral::isConnected()) {
$this->_saveEventsToTable($payload);
if ($ts = wp_next_scheduled('wordfence_batchSendAuditEvents')) {
$this->_unscheduleSendPendingAuditEvents($ts);
}
$this->_scheduleSendPendingAuditEvents();
$this->_pending = array();
return;
}
$before = $payload;
if ($sendImmediately) {
$requestID = wfConfig::atomicInc('auditLogRequestNumber');
foreach ($payload as &$p) {
$p['data'] = json_encode($p['data']);
$p['request_id'] = $requestID;
}
}
try {
if ($this->_sendAuditLogEvents($payload, $sendImmediately)) {
$this->_pending = array();
}
}
catch (wfAuditLogSendFailedException $e) {
if ($sendImmediately) {
$this->_saveEventsToTable($before);
if ($ts = wp_next_scheduled('wordfence_batchSendAuditEvents')) {
$this->_unscheduleSendPendingAuditEvents($ts);
}
$this->_scheduleSendPendingAuditEvents(true);
$this->_pending = array();
}
}
}
}
protected function _needsDestruct() {
if (!$this->_destructRegistered) {
register_shutdown_function(array($this, '_lastAction'));
$this->_destructRegistered = true;
}
}
/**
* Performed as a shutdown handler to finalize all pending actions.
*
* Note: must remain `public` for PHP 7 compatibility
*/
public function _lastAction() {
global $wpdb;
$suppressed = $wpdb->suppress_errors(!(defined('WFWAF_DEBUG') && WFWAF_DEBUG));
$this->_performingFinalization = true;
foreach ($this->_coalescers as $c) {
call_user_func($c);
}
$this->_coalescers = array();
$this->_savePending();
$this->_performingFinalization = false;
$wpdb->suppress_errors($suppressed);
}
public function isFinalizing() {
return $this->_performingFinalization;
}
/**
* Performs the actual send of $events to the audit log if $sendImmediately is truthy, otherwise it writes them to
* the intermediate storage table and schedules a send.
*
* @param array $events
* @param bool $sendImmediately
* @return bool
* @throws wfAuditLogSendFailedException
*/
private function _sendAuditLogEvents($events, $sendImmediately = false) {
if (empty($events)) {
return true;
}
if (!wfCentral::isConnected()) {
return false; //This will cause it to mark them as unsent and try again later
}
if ($sendImmediately) {
$payload = array();
foreach ($events as $e) {
$payload[] = self::_formatEventForTransmission($e);
}
$siteID = wfConfig::get('wordfenceCentralSiteID');
$request = new wfCentralAuthenticatedAPIRequest('/site/' . $siteID . '/audit-log', 'POST', array(
'data' => $payload,
));
try {
$doing_cron = function_exists('wp_doing_cron') /* WP >= 4.8 */ ? wp_doing_cron() : (defined('DOING_CRON') && DOING_CRON);
$response = $request->execute($doing_cron ? 10 : 3);
if ($response->isError()) {
throw new wfAuditLogSendFailedException();
}
//Group by request and update the local preview
$preview = array();
foreach ($payload as $r) {
if (!isset($preview[$r['attributes']['request_id']])) {
$preview[$r['attributes']['request_id']] = array();
}
$preview[$r['attributes']['request_id']][] = array($r['attributes']['type'], $r['attributes']['event_time']);
}
uksort($preview, function($k1, $k2) {
if ($k1 == $k2) { return 0; }
return ($k1 < $k2) ? 1 : -1;
});
$this->_updateAuditPreview(array_values($preview));
}
catch (Exception $e) {
if (!defined('WORDFENCE_DEACTIVATING') || !WORDFENCE_DEACTIVATING) { wfCentralAPIRequest::handleInternalCentralAPIError($e); }
throw new wfAuditLogSendFailedException();
}
catch (Throwable $t) {
if (!defined('WORDFENCE_DEACTIVATING') || !WORDFENCE_DEACTIVATING) { wfCentralAPIRequest::handleInternalCentralAPIError($t); }
throw new wfAuditLogSendFailedException();
}
}
else {
$this->_saveEventsToTable($events, $sendImmediately);
if (($ts = $this->_isScheduledAuditEventCronOverdue()) || $sendImmediately) {
if ($ts) {
$this->_unscheduleSendPendingAuditEvents($ts);
}
self::sendPendingAuditEvents();
}
else {
$this->_scheduleSendPendingAuditEvents();
}
}
return true;
}
private function _saveEventsToTable($events, &$sendImmediately = false) {
$requestID = wfConfig::atomicInc('auditLogRequestNumber');
$wfdb = new wfDB();
$table_wfAuditEvents = wfDB::networkTable('wfAuditEvents');
$query = "INSERT INTO {$table_wfAuditEvents} (`type`, `data`, `event_time`, `request_id`, `state`, `state_timestamp`) VALUES ";
$query .= implode(', ', array_fill(0, count($events), "('%s', '%s', %f, %d, 'new', NOW())"));
$immediateSendTypes = self::immediateSendEvents();
$args = array();
foreach ($events as $e) {
$sendImmediately = $sendImmediately || in_array($e['type'], $immediateSendTypes);
$args[] = $e['type'];
$args[] = json_encode($e['data']);
$args[] = $e['event_time'];
$args[] = $requestID;
}
$wfdb->queryWriteArray($query, $args);
}
/**
* Sends any pending audit events up to the limit (default 100). The list will automatically expand if needed to include
* only complete requests so that no partial requests are sent.
*
* If the events fail to send or there are more remaining, another future send will be scheduled if $scheduleFollowup is truthy.
*
* @param int $limit
* @param bool $scheduleFollowup Whether or not to schedule a followup send if there are more events pending, if false also unschedules any pending cron
*/
public static function sendPendingAuditEvents($limit = 100, $scheduleFollowup = true) {
$wfdb = new wfDB();
$table_wfAuditEvents = wfDB::networkTable('wfAuditEvents');
$limit = intval($limit);
$rawEvents = $wfdb->querySelect("SELECT * FROM {$table_wfAuditEvents} WHERE `state` = 'new' ORDER BY `id` ASC LIMIT {$limit}");
if (empty($rawEvents)) {
return;
}
//Grab the entirety of the last request ID, even if it's beyond the 100 item limit
$last = wfUtils::array_last($rawEvents);
$extendedID = (int) $last['id'];
$extendedRequestID = (int) $last['request_id'];
$extendedEvents = $wfdb->querySelect("SELECT * FROM {$table_wfAuditEvents} WHERE `state` = 'new' AND `id` > {$extendedID} AND `request_id` = {$extendedRequestID} ORDER BY `id` ASC");
$rawEvents = array_merge($rawEvents, $extendedEvents);
//Process for submission
$ids = array();
foreach ($rawEvents as $r) {
$ids[] = intval($r['id']);
}
$idParam = '(' . implode(', ', $ids) . ')';
$wfdb->queryWrite("UPDATE {$table_wfAuditEvents} SET `state` = 'sending', `state_timestamp` = NOW() WHERE `id` IN {$idParam}");
try {
if (self::shared()->_sendAuditLogEvents($rawEvents, true)) {
$wfdb->queryWrite("UPDATE {$table_wfAuditEvents} SET `state` = 'sent', `state_timestamp` = NOW() WHERE `id` IN {$idParam}");
if ($scheduleFollowup) {
self::checkForUnsentAuditEvents();
}
}
else {
$wfdb->queryWrite("UPDATE {$table_wfAuditEvents} SET `state` = 'new', `state_timestamp` = NOW() WHERE `id` IN {$idParam}");
if ($scheduleFollowup) {
self::shared()->_scheduleSendPendingAuditEvents();
}
}
if (!$scheduleFollowup) {
if ($ts = wp_next_scheduled('wordfence_batchSendAuditEvents')) {
self::shared()->_unscheduleSendPendingAuditEvents($ts);
}
}
}
catch (wfAuditLogSendFailedException $e) {
$wfdb->queryWrite("UPDATE {$table_wfAuditEvents} SET `state` = 'new', `state_timestamp` = NOW() WHERE `id` IN {$idParam}");
if ($ts = wp_next_scheduled('wordfence_batchSendAuditEvents')) {
self::shared()->_unscheduleSendPendingAuditEvents($ts);
}
if (!defined('WORDFENCE_DEACTIVATING') || !WORDFENCE_DEACTIVATING) {
self::shared()->_scheduleSendPendingAuditEvents(true);
}
}
}
/**
* Formats the event record for transmission to Central for recording.
*
* @param array $rawEvent
* @return array
*/
private static function _formatEventForTransmission($rawEvent) {
if ($rawEvent['type'] == self::AUDIT_LOG_HEARTBEAT) { //Minimize payload for heartbeat
return array(
'type' => 'audit-event',
'attributes' => array(
'type' => $rawEvent['type'],
'event_time' => (int) $rawEvent['event_time'],
'request_id' => (int) $rawEvent['request_id'],
)
);
}
$data = json_decode($rawEvent['data'], true);
if (empty($data)) { $data = array(); }
unset($data['action']);
$username = null; if (!empty($data['context']['userdata']) && isset($data['context']['userdata']['user_login'])) { $username = $data['context']['userdata']['user_login']; }
$ip = null; if (!empty($data['context']['ip'])) { $ip = $data['context']['ip']; unset($data['context']['ip']); }
$path = null; if (!empty($data['context']['path'])) { $path = $data['context']['path']; unset($data['context']['path']); }
$method = null; if (!empty($data['context']['method'])) { $method = $data['context']['method']; unset($data['context']['method']); }
$body = null; if (!empty($data['context']['body'])) { $body = $data['context']['body']; unset($data['context']['body']); }
return array(
'type' => 'audit-event',
'attributes' => array(
'type' => $rawEvent['type'],
'username' => $username,
'ip_address' => $ip,
'method' => $method,
'path' => $path,
'request_body' => $body,
'data' => $data,
'event_time' => (int) $rawEvent['event_time'],
'request_id' => (int) $rawEvent['request_id'],
)
);
}
/**
* Schedules a cron for sending pending audit events.
*/
private function _scheduleSendPendingAuditEvents($forceDelay = false) {
if ((self::$initialMode == self::AUDIT_LOG_MODE_DISABLED || self::$initialMode == self::AUDIT_LOG_MODE_PREVIEW) && ($this->mode() == self::AUDIT_LOG_MODE_DISABLED || $this->mode() == self::AUDIT_LOG_MODE_PREVIEW)) {
return; //Do not schedule cron if mode is disabled/preview and was not recently put into that state
}
$delay = 60;
if ($forceDelay || !wfCentral::isConnected()) {
$delay = 3600;
}
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
$notMainSite = is_multisite() && !is_main_site();
if ($notMainSite) {
global $current_site;
switch_to_blog($current_site->blog_id);
}
if (!wp_next_scheduled('wordfence_batchSendAuditEvents')) {
wp_schedule_single_event(time() + $delay, 'wordfence_batchSendAuditEvents');
}
if ($notMainSite) {
restore_current_blog();
}
}
/**
* @param int $timestamp
*/
private function _unscheduleSendPendingAuditEvents($timestamp) {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
$notMainSite = is_multisite() && !is_main_site();
if ($notMainSite) {
global $current_site;
switch_to_blog($current_site->blog_id);
}
if ($timestamp) {
wp_unschedule_event($timestamp, 'wordfence_batchSendAuditEvents');
}
if ($notMainSite) {
restore_current_blog();
}
}
private function _isScheduledAuditEventCronOverdue() {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
$notMainSite = is_multisite() && !is_main_site();
if ($notMainSite) {
global $current_site;
switch_to_blog($current_site->blog_id);
}
$overdue = false;
if ($ts = wp_next_scheduled('wordfence_batchSendAuditEvents')) {
if ((time() - $ts) > 900) {
$overdue = $ts;
}
}
if ($notMainSite) {
restore_current_blog();
}
return $overdue;
}
public static function checkForUnsentAuditEvents() {
$wfdb = new wfDB();
$table_wfAuditEvents = wfDB::networkTable('wfAuditEvents');
$wfdb->queryWrite("UPDATE {$table_wfAuditEvents} SET `state` = 'new', `state_timestamp` = NOW() WHERE `state` = 'sending' AND `state_timestamp` < DATE_SUB(NOW(), INTERVAL 30 MINUTE)");
$count = $wfdb->querySingle("SELECT COUNT(*) AS cnt FROM {$table_wfAuditEvents} WHERE `state` = 'new'");
if ($count) {
self::shared()->_scheduleSendPendingAuditEvents();
}
}
public static function trimAuditEvents() {
$wfdb = new wfDB();
$table_wfAuditEvents = wfDB::networkTable('wfAuditEvents');
$count = $wfdb->querySingle("SELECT COUNT(*) AS cnt FROM {$table_wfAuditEvents}");
if ($count > 1000) {
$wfdb->truncate($table_wfAuditEvents); //Similar behavior to other logged data, assume possible DoS so truncate
}
else if ($count > 100) {
$wfdb->queryWrite("DELETE FROM {$table_wfAuditEvents} ORDER BY id ASC LIMIT %d", $count - 100);
}
else if ($count > 0) {
$wfdb->queryWrite("DELETE FROM {$table_wfAuditEvents} WHERE (`state` = 'sending' OR `state` = 'sent') AND `state_timestamp` < DATE_SUB(NOW(), INTERVAL 1 DAY)");
}
}
public static function hasOverdueEvents() {
$wfdb = new wfDB();
$table_wfAuditEvents = wfDB::networkTable('wfAuditEvents');
$count = $wfdb->querySingle("SELECT COUNT(*) AS cnt FROM {$table_wfAuditEvents} WHERE `state` = 'new' AND `state_timestamp` < DATE_SUB(NOW(), INTERVAL 2 DAY)");
return $count > 0;
}
/**
* Updates the locally-stored audit preview data that is used to populate the audit log page. The preview data is
* stored in descending order.
*
* @param array $events Structure is [
* [ //Request 1
* [<event type>, <timestamp>],
* [<event type>, <timestamp>],
* [<event type>, <timestamp>],
* ],
* [ //Request 2
* [<event type>, <timestamp>],
* ],
* ...
* ]
*/
protected function _updateAuditPreview($events) {
$filtered = array();
foreach ($events as $request) {
$request = array_filter($request, function($e) {
return $e[0] != self::AUDIT_LOG_HEARTBEAT; //Don't save heartbeats to the local preview
});
if (!empty($request)) {
$filtered[] = $request;
}
}
$events = $filtered;
if (empty($events)) { return; }
$existing = wfConfig::get_ser('lastAuditEvents', array());
if (!is_array($existing)) {
$existing = array();
}
$lastAuditEvents = array_merge($events, $existing);
usort($lastAuditEvents, function($a, $b) {
$aMax = array_reduce($a, function($carry, $item) {
return max($carry, $item[1]);
}, 0);
$bMax = array_reduce($b, function($carry, $item) {
return max($carry, $item[1]);
}, 0);
if ($aMax == $bMax) { return 0; }
return ($aMax < $bMax) ? 1 : -1;
});
$lastAuditEvents = array_slice($lastAuditEvents, 0, self::AUDIT_LOG_MAX_SAMPLES);
wfConfig::set_ser('lastAuditEvents', $lastAuditEvents);
}
/**
* Returns a summary array of recent events for the audit log. The content of this array will be the most recent
* `AUDIT_LOG_MAX_SAMPLES` requests that were sent (or would have been sent if enabled) to Wordfence Central.
*
* @return array
*/
public function auditPreview() {
$requests = array_filter(wfConfig::get_ser('lastAuditEvents', array()), function($events) {
return !empty($events);
});
$data = array();
if (is_array($requests)) {
$data['requests'] = array();
foreach ($requests as $r) {
$events = array_map(function($e) {
return array(
'ts' => $e[1],
'event' => $e[0],
'name' => self::eventName($e[0]),
'category' => self::eventCategory($e[0]),
);
}, $r);
$types = array_reduce($events, function($carry, $e) { //We'll use the most common category if a request covers multiple
if (!isset($carry[$e['category']])) {
$carry[$e['category']] = 0;
}
$carry[$e['category']]++;
return $carry;
}, array());
asort($types, SORT_NUMERIC);
$timestamp = array_reduce($events, function($carry, $e) {
if ($e['ts'] > $carry) {
return $e['ts'];
}
return $carry;
}, 0);
$data['requests'][] = array(
'ts' => $timestamp,
'category' => array_keys($types),
'events' => $events,
);
}
}
return $data;
}
/**************************************
* Utility Functions
**************************************/
private function _sanitizeRequestBody() {
$input = wfUtils::rawPOSTBody();
$contentType = null;
if (isset($_SERVER['CONTENT_TYPE'])) {
$contentType = strtolower($_SERVER['CONTENT_TYPE']);
$boundary = strpos($contentType, ';');
if ($boundary !== false) {
$contentType = substr($contentType, 0, $boundary);
}
}
$raw = null;
$response = array('type' => null, 'parameters' => array(), 'files' => array());
switch ($contentType) {
case 'application/json':
try {
$raw = json_decode($input, true, 512, JSON_OBJECT_AS_ARRAY);
$response['type'] = 'json';
}
catch (Exception $e) {
//Ignore -- can throw on PHP 8+
}
break;
case 'multipart/form-data': //PHP has already parsed this into $_POST and $_FILES
$response['type'] = 'multipart';
foreach ($_FILES as $k => $f) {
$response['files'][] = array(
'name' => $f['name'],
'type' => $f['type'],
'size' => $f['size'],
'error' => $f['error'],
);
}
$raw = $_POST;
break;
default: //Typically application/x-www-form-urlencoded
if ($input) {
parse_str($input, $raw);
$response['type'] = 'urlencoded';
}
break;
}
if (!empty($raw)) {
foreach ($raw as $k => $v) {
$response['parameters'][$k] = null;
if ($k == 'action' || //Used in admin-ajax and many other WP calls, typically relevant for auditing and not sensitive
$k == 'id' || //Typically the record ID being affected
$k == 'log' //Authentication username
) {
$response['parameters'][$k] = $v;
}
// else if -- future full value captures go here, otherwise we just capture the parameter name for privacy reasons
}
return $response;
}
return null;
}
/**
* Returns the desired fields from $userdata for the various user-related hooks, ignoring the rest. Returns null if
* there is no valid user.
*
* @param array|object|WP_User $userdata
* @param null|int $user_id Used when provided, otherwise extracted from $userdata when possible
* @return array|null
*/
protected function _sanitizeUserdata($userdata, $user_id = null) {
if ($userdata === null && $user_id !== null) { //May hit this on older WP versions where $userdata wasn't populated by the hook call
$userdata = get_user_by('ID', $user_id);
}
$roles = array();
if ($userdata instanceof stdClass) {
$user = new WP_User($user_id !== null ? $user_id : (isset($userdata->ID) ? $userdata->ID : 0));
if ($user->exists()) {
$roles = $user->roles;
}
$userdata = get_object_vars( $userdata );
}
else if ($userdata instanceof WP_User) {
$roles = $userdata->roles;
$userdata = $userdata->to_array();
}
else {
$user = new WP_User($user_id !== null ? $user_id : (isset($userdata['ID']) ? $userdata['ID'] : 0));
if (!$user) {
return array(
'user_id' => 0,
'user_login' => '',
'user_roles' => array(),
);
}
if ($user->exists()) {
$roles = $user->roles;
}
}
return array(
'user_id' => $user_id !== null ? $user_id : (isset($userdata['ID']) ? $userdata['ID'] : 0),
'user_login' => isset($userdata['user_login']) ? $userdata['user_login'] : '',
'user_roles' => $roles,
);
}
protected function _userdataDiff($userdata1, $userdata2) {
if ($userdata1 instanceof stdClass) {
$userdata1 = get_object_vars( $userdata1 );
}
else if ($userdata1 instanceof WP_User) {
$userdata1 = $userdata1->to_array();
}
if ($userdata2 instanceof stdClass) {
$userdata2 = get_object_vars( $userdata2 );
}
else if ($userdata2 instanceof WP_User) {
$userdata2 = $userdata2->to_array();
}
return wfUtils::array_diff_assoc($userdata1, $userdata2);
}
/**
* Returns the desired fields for the multisite ignoring the rest.
*
* @param WP_Network|false $network
* @param WP_Site|false $blog
* @return array
*/
protected function _sanitizeMultisiteData($network, $blog) {
$result = array();
if ($network) {
$result['network_id'] = $network->id;
$result['network_domain'] = $network->domain;
$result['network_path'] = $network->path;
$result['network_name'] = $network->site_name;
}
if ($blog) {
$result['blog_id'] = $blog->blog_id;
$result['blog_domain'] = $blog->domain;
$result['blog_path'] = $blog->path;
$result['blog_name'] = $blog->blogname;
}
return $result;
}
protected function _multisiteDiff($blog1, $blog2) {
if ($blog1 instanceof WP_Site) {
$blog1 = $this->_sanitizeMultisiteData(false, $blog1);
}
if ($blog2 instanceof WP_Site) {
$blog2 = $this->_sanitizeMultisiteData(false, $blog2);
}
return wfUtils::array_diff_assoc($blog1, $blog2);
}
/**
* Returns the desired fields from an app password record.
*
* @param array|object $item
* @return array
*/
protected function _sanitizeAppPassword($item) {
if ($item instanceof stdClass) {
$item = get_object_vars($item);
}
return array(
'uuid' => empty($item['uuid']) ? '<unknown>' : $item['uuid'],
'app_id' => empty($item['app_id']) ? '<unknown>' : $item['app_id'],
'name' => empty($item['name']) ? '<empty>' : $item['name'],
'created' => empty($item['created']) ? 0 : $item['created'],
'last_used' => empty($item['last_used']) ? null : $item['last_used'],
'last_ip' => empty($item['last_ip']) ? null : $item['last_ip'],
);
}
/**
* Returns the desired fields from a post record.
*
* @param array|object|WP_Post $post
* @return array
*/
protected function _sanitizePost($post) {
if ($post instanceof stdClass) {
$post = get_object_vars($post);
}
else if ($post instanceof WP_Post) {
$post = $post->to_array();
}
$author = isset($post['post_author']) ? get_user_by('ID', $post['post_author']) : null;
$created = null;
if (isset($post['post_date_gmt']) && $post['post_date_gmt'] != '0000-00-00 00:00:00') { //Prefer *_gmt, but sometimes WP doesn't set that
$created = strtotime($post['post_date_gmt']);
}
else if (isset($post['post_date'])) {
$created = strtotime($post['post_date']);
}
$modified = null;
if (isset($post['post_modified_gmt']) && $post['post_modified_gmt'] != '0000-00-00 00:00:00') { //Prefer *_gmt, but sometimes WP doesn't set that
$modified = strtotime($post['post_modified_gmt']);
}
else if (isset($post['post_modified'])) {
$modified = strtotime($post['post_modified']);
}
$sanitized = array(
'post_id' => $post['ID'],
'author_id' => isset($post['post_author']) ? $post['post_author'] : null,
'author' => $author ? $this->_sanitizeUserdata($author) : null,
'title' => isset($post['post_title']) ? $post['post_title'] : null,
'created' => $created,
'last_modified' => $modified,
'type' => isset($post['post_type']) ? $post['post_type'] : 'post',
'status' => isset($post['post_status']) ? $post['post_status'] : 'publish',
);
if (isset($post['post_type']) && $post['post_type'] == wfAuditLogObserversWordPressCoreContent::WP_POST_TYPE_ATTACHMENT) {
$sanitized['context'] = get_post_meta($post['ID'], '_wp_attachment_context', true);
}
return $sanitized;
}
protected function _postDiff($post1, $post2) {
if ($post1 instanceof stdClass) {
$post1 = get_object_vars($post1);
}
else if ($post1 instanceof WP_Post) {
$post1 = $post1->to_array();
}
if ($post2 instanceof stdClass) {
$post2 = get_object_vars($post2);
}
else if ($post2 instanceof WP_Post) {
$post2 = $post2->to_array();
}
return wfUtils::array_diff_assoc($post1, $post2);
}
/**
* Returns whether or not the array of post changes should trigger an event recording. It will return false when
* there are no changes or when the only changes are innocuous values like post dates.
*
* @param $changes
* @return bool
*/
protected function _shouldRecordPostChanges($changes) {
if (empty($changes) || !is_array($changes)) {
return false;
}
$ignored = array('post_date', 'post_date_gmt', 'post_modified', 'post_modified_gmt', 'menu_order');
$test = array_filter($changes, function($i) use ($ignored) {
return !in_array($i, $ignored);
});
return !empty($test);
}
protected function _extractMultisiteID($option, $suffix) {
global $wpdb;
if (!is_multisite()) {
return false;
}
if (substr($option, -1 * strlen($suffix)) == $suffix) {
$option = substr($option, 0, strlen($option) - strlen($suffix));
if (substr($option, 0, strlen($wpdb->base_prefix)) == $wpdb->base_prefix) {
$option = substr($option, strlen($wpdb->base_prefix));
$option = trim($option, '_');
if (empty($option)) {
return 1;
}
return intval($option);
}
}
return false;
}
/**
* Returns an array containing the installed versions at the time of calling for core and all themes/plugins.
*
* @return array
*/
protected function _installedVersions() {
$state = array();
require(ABSPATH . WPINC . '/version.php'); /** @var string $wp_version */
$state['core'] = $wp_version;
if (!function_exists('get_plugins')) {
require_once(ABSPATH . '/wp-admin/includes/plugin.php');
}
$plugins = get_plugins();
$state['plugins'] = array_filter(array_map(function($p) { return isset($p['Version']) ? $p['Version'] : null; }, $plugins), function($v) { return $v != null; });
if (!function_exists('wp_get_themes')) {
require_once(ABSPATH . '/wp-includes/theme.php');
}
$themes = wp_get_themes();
$state['themes'] = array_filter(array_map(function($t) { return isset($t['Version']) ? $t['Version'] : null; }, $themes), function($v) { return $v != null; });
return $state;
}
/**
* Attempts to resolve the given plugin path to the file containing its header. Returns that path if found, otherwise
* null. Most plugins will simply be .../slug/slug.php, but some are single-file plugins while others have a
* non-standard PHP file containing the header.
*
* Based on `get_plugins()`.
*
* @param string $path
* @return string|null
*/
protected function _resolvePlugin($path) {
if (is_dir($path)) {
$scanner = @opendir($path);
if ($scanner) {
while (($subfile = readdir($scanner)) !== false) {
if (preg_match('/^\./i', $subfile)) {
continue;
}
else if (preg_match('/\.php$/i', $subfile)) {
if (!is_readable($path . DIRECTORY_SEPARATOR . $subfile)) {
continue;
}
$plugin_data = get_plugin_data($path . DIRECTORY_SEPARATOR . $subfile, false, false);
if (!empty($plugin_data['Name'])) {
return $path . DIRECTORY_SEPARATOR . $subfile;
}
}
}
closedir($scanner);
}
}
else if (preg_match('/\.php$/i', $path) && is_readable($path)) {
$plugin_data = get_plugin_data($path, false, false);
if (!empty($plugin_data['Name'])) {
return $path;
}
}
return null;
}
/**
* Returns data for the plugin at $path if possible, otherwise null.
*
* @param string $path
* @return array|null
*/
protected function _getPlugin($path) {
$original = $this->_getState('upgrader_pre_install.versions', 0);
$raw = get_plugin_data($path);
if ($raw) {
$data = array();
foreach ($raw as $f => $v) {
$k = strtolower(preg_replace('/\s+/', '_', $f)); //Translates all headers: Plugin Name -> plugin_name
$data[$k] = $v;
}
$base = plugin_basename($path);
if ($original && isset($original['plugins'][$base])) {
$data['previous_version'] = $original['plugins'][$base];
}
return $data;
}
return null;
}
/**
* Returns data for the theme if possible, otherwise null.
*
* @param WP_Theme|string $theme_or_path
* @return array|null
*/
protected function _getTheme($theme_or_path) {
$original = $this->_getState('upgrader_pre_install.versions', 0);
if ($theme_or_path instanceof WP_Theme) {
$theme = $theme_or_path;
}
else {
$theme = wp_get_theme(basename($theme_or_path), dirname($theme_or_path));
}
if ($theme) {
$fields = array(
'Name',
'ThemeURI',
'Description',
'Author',
'AuthorURI',
'Version',
'Template',
'Status',
'Tags',
'TextDomain',
'DomainPath',
'RequiresWP',
'RequiresPHP',
'UpdateURI',
);
$data = array();
foreach ($fields as $f) {
$k = strtolower(preg_replace('/\s+/', '_', $f));
$data[$k] = $theme->display($f);
}
$base = $theme->get_stylesheet();
if ($original && isset($original['themes'][$base])) {
$data['previous_version'] = $original['themes'][$base];
}
return $data;
}
return null;
}
}
class wfAuditLogSendFailedException extends Exception { }
All system for education purposes only. For more tools: Telegram @jackleet