Skip to content

[personal-wp] Ask before applying blueprints to your site#3195

Draft
akirk wants to merge 7 commits intotrunkfrom
persistent/blueprint-confirmation
Draft

[personal-wp] Ask before applying blueprints to your site#3195
akirk wants to merge 7 commits intotrunkfrom
persistent/blueprint-confirmation

Conversation

@akirk
Copy link
Member

@akirk akirk commented Jan 27, 2026
edited
Loading

Motivation for the change, related issues

Adds a security confirmation system for blueprints applied to persistent WordPress installations. When a user has an existing WordPress site and tries to apply an external blueprint, they should be warned about what the blueprint will do before it executes.

Screenshots

Screenshot 2026-01-27 at 12 21 32 Screenshot 2026-01-27 at 12 24 14

Security Concerns Addressed

  1. Destructive blueprints - Malicious blueprints could delete files or corrupt the installation
  2. Data exfiltration - Plugins installed via blueprint could send WordPress data to third-party servers
  3. Arbitrary code execution - runPHP steps can execute any PHP code

Trust Model

Blueprints from these sources bypass confirmation:

  • https://raw.githubusercontent.com/WordPress/blueprints/ - Official blueprints repo
  • https://wordpress.org/plugins/wp-json/plugins/v1/plugin - WordPress.org plugin API
  • ?plugin=friends style query params (type: 'none') - Resolves to wordpress.org

Not trusted (requires confirmation):

  • data:application/json;base64,... URLs - Can contain arbitrary content
  • Inline hash fragments #{...}
  • Any other external URLs

Implementation details

Architecture

Blueprint JSON → isTrustedSource() → [trusted: skip] or [untrusted: analyze]
                                              ↓
                                    Run analysis rules
                                              ↓
                                    Show confirmation modal

Rule-based Analysis System

Rule Analyzes Severity
run-php runPHP, runPHPWithOptions steps Varies by content
filesystem-operations writeFile, rm, mkdir, etc. info/warning/danger
external-plugin-source installPlugin steps info for wordpress.org, warning for external
external-theme-source installTheme steps info for wordpress.org, warning for external
wp-cli wp-cli steps warning
request HTTP request steps warning

PHP Tokenizer (TypeScript)

Custom synchronous tokenizer that parses PHP code:

  • Identifies function calls, variables, strings, backticks, comments
  • Tracks line numbers for detailed error reporting
  • No external dependencies or async php-wasm needed

PHP Code Analysis

Detects dangerous patterns:

  • Danger: eval, system, exec, shell_exec, curl_exec, fsockopen, variable function calls ($func())
  • Warning: file_get_contents, base64_decode, wp_remote_get, wp_insert_user, superglobals ($_GET, $_POST)
  • Info: phpinfo, update_option, getenv

File Content Analysis

Analyzes writeFile step content:

  • Detects PHP code injection patterns
  • Flags webshell signatures
  • Warns about PHP files in suspicious locations (uploads, cache dirs)
  • Checks for backdoor patterns (eval(base64_decode(...)))

Test Coverage

152 unit tests covering:

  • Tokenizer: 22 tests
  • PHP Analyzer: 25 tests
  • All 6 rules with edge cases
  • Trusted source detection: 13 tests

Testing Instructions (or ideally a Blueprint)

Run the test suite:

npx nx test playground-personal-wp --testFile=blueprint-confirmation

Manual testing:

  1. Start personal-wp with an existing WordPress installation
  2. Apply an untrusted blueprint URL
  3. Verify confirmation modal appears with detailed warnings
  4. Test trusted sources bypass confirmation (install app from menu)

@akirk akirk changed the title [personal-wp] Add blueprint confirmation system with tokenizer-based PHP analysis [personal-wp] Ask before applying blueprints to your site Jan 27, 2026
@akirk akirk changed the base branch from trunk to add-my-wordpress-net-deployment January 27, 2026 11:40
@akirk akirk force-pushed the add-my-wordpress-net-deployment branch from 9f8eaa3 to 41ba1a3 Compare January 27, 2026 14:07
Base automatically changed from add-my-wordpress-net-deployment to trunk January 27, 2026 14:23
akirk added 6 commits January 27, 2026 15:41
@akirk
Confirm execution of untrusted blueprints
9f366d1
@akirk
Add tokenizer-based PHP analysis for blueprint confirmation
4546c7d 
Enhances the blueprint confirmation system with:
- TypeScript-based PHP tokenizer for static analysis
- Detection of dangerous function calls (eval, system, curl, etc.)
- Detection of variable function calls ($func())
- Detection of superglobal access ($_GET, $_POST, etc.)
- Detection of backtick shell execution
- File content analysis for malicious patterns
- Comprehensive test suite (152 tests)

Removes data:application/json;base64 URLs from trusted sources
as they can contain arbitrary content like inline hash fragments.
@akirk
Fix blueprint source missing from URL resolution
f0b3ef5 
- Add source property to BlueprintResolvedFromUrl interface
- Update resolveUrlParamsForExistingSite to return both blueprint and source
- Fix type error in analyzer by removing redundant token type checks

This fixes a runtime TypeError when accessing urlBlueprint.source.type
where source was undefined because it wasn't being passed through
the URL resolution pipeline.
@akirk
Show blueprint contents instead of raw base64 data URLs
1ce6e8b 
- For remote URLs: display the URL
- For inline/data URLs: show expandable "View blueprint contents" section
- Format blueprint JSON for readability
@akirk
Improve blueprint confirmation modal UX and cancel behavior
f897f2d 
- Add severity icons to steps that have warnings in the overview
- Fix cancel to properly reject blueprint, clear URL params, and boot without it
- Remove focus border from modal
- Hide "Steps" separator line when no properties are shown above
- Remove confusing "no recognized operations" message
- Fix TypeScript types (use BlueprintV1Declaration)
@akirk
Fix lint errors in blueprint confirmation code
0dbe893 
- Wrap case block with lexical declaration in braces
- Remove unnecessary escape characters in regex patterns
- Remove unused imports
@akirk akirk force-pushed the persistent/blueprint-confirmation branch from faded1b to 0dbe893 Compare January 27, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

[Feature] Personal Playground

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@akirk