REST API: Prevent fatal error when non-string value is passed in endpoints for font faces and font families.

The value is expected to be a serialized JSON string, which the validation callback validates.

Developed in #10966

Follow-up to r57548.

Props deepaklalwani, westonruter.
See #59166.
Fixes #64666.


git-svn-id: https://develop.svn.wordpress.org/trunk@61765 602fd350-edb4-49c9-b593-d223f7449a82

Author: westonruter

src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php

@@ -161,6 +161,14 @@ public function get_item_permissions_check( $request ) {
 	 * @return true|WP_Error True if the settings are valid, otherwise a WP_Error object.
 	 */
 	public function validate_create_font_face_settings( $value, $request ) {
+		// Enforce JSON Schema validity for field before applying custom validation logic.
+		$args     = $this->get_create_params();
+		$validity = rest_validate_value_from_schema( $value, $args['font_face_settings'], 'font_face_settings' );
+
+		if ( is_wp_error( $validity ) ) {
+			return $validity;
+		}
+
 		$settings = json_decode( $value, true );
 
 		// Check settings string is valid JSON.

src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php

@@ -87,6 +87,14 @@ public function get_item_permissions_check( $request ) {
 	 * @return true|WP_Error True if the settings are valid, otherwise a WP_Error object.
 	 */
 	public function validate_font_family_settings( $value, $request ) {
+		// Enforce JSON Schema validity for field before applying custom validation logic.
+		$args     = $this->get_endpoint_args_for_item_schema( $request->get_method() );
+		$validity = rest_validate_value_from_schema( $value, $args['font_family_settings'], 'font_family_settings' );
+
+		if ( is_wp_error( $validity ) ) {
+			return $validity;
+		}
+
 		$settings = json_decode( $value, true );
 
 		// Check settings string is valid JSON.

tests/phpunit/tests/fonts/font-library/wpRestFontFacesController.php

@@ -769,6 +769,23 @@ public function test_create_item_invalid_settings_json() {
 		$this->assertSame( $expected_message, $message, 'The response error message should match.' );
 	}
 
+	/**
+	 * @covers WP_REST_Font_Faces_Controller::validate_create_font_face_settings
+	 */
+	public function test_create_item_non_string_settings() {
+		wp_set_current_user( self::$admin_id );
+		$request = new WP_REST_Request( 'POST', '/wp/v2/font-families/' . self::$font_family_id . '/font-faces' );
+		$request->set_param( 'theme_json_version', WP_REST_Font_Faces_Controller::LATEST_THEME_JSON_VERSION_SUPPORTED );
+		$request->set_param( 'font_face_settings', self::$default_settings );
+
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
+		$expected_message = 'font_face_settings is not of type string.';
+		$message          = $response->as_error()->get_all_error_data()[0]['params']['font_face_settings'];
+		$this->assertSame( $expected_message, $message, 'The response error message should match.' );
+	}
+
 	/**
 	 * @covers WP_REST_Font_Faces_Controller::validate_create_font_face_settings
 	 */

tests/phpunit/tests/fonts/font-library/wpRestFontFamiliesController.php

@@ -628,6 +628,23 @@ public function test_create_item_invalid_settings_json() {
 		$this->assertSame( $expected_message, $message, 'The response error message should match.' );
 	}
 
+	/**
+	 * @covers WP_REST_Font_Family_Controller::validate_font_family_settings
+	 */
+	public function test_create_item_non_string_settings() {
+		wp_set_current_user( self::$admin_id );
+		$request = new WP_REST_Request( 'POST', '/wp/v2/font-families' );
+		$request->set_param( 'theme_json_version', WP_REST_Font_Families_Controller::LATEST_THEME_JSON_VERSION_SUPPORTED );
+		$request->set_param( 'font_family_settings', self::$default_settings );
+
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
+		$expected_message = 'font_family_settings is not of type string.';
+		$message          = $response->as_error()->get_all_error_data()[0]['params']['font_family_settings'];
+		$this->assertSame( $expected_message, $message, 'The response error message should match.' );
+	}
+
 	/**
 	 * @covers WP_REST_Font_Family_Controller::create_item
 	 */
@@ -829,6 +846,22 @@ public function test_update_item_update_slug_not_allowed() {
 		$this->assertSame( $expected_message, $message, 'The response error message should match.' );
 	}
 
+	/**
+	 * @covers WP_REST_Font_Family_Controller::validate_font_family_settings
+	 */
+	public function test_update_item_non_string_settings() {
+		wp_set_current_user( self::$admin_id );
+		$request = new WP_REST_Request( 'POST', '/wp/v2/font-families/' . self::$font_family_id1 );
+		$request->set_param( 'font_family_settings', self::$default_settings );
+
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
+		$expected_message = 'font_family_settings is not of type string.';
+		$message          = $response->as_error()->get_all_error_data()[0]['params']['font_family_settings'];
+		$this->assertSame( $expected_message, $message, 'The response error message should match.' );
+	}
+
 	/**
 	 * @covers WP_REST_Font_Families_Controller::update_item
 	 */