Update the API client to validate route params before making a request

[deepakpathania]

Fixes https://github.com/Automattic/woocommerce-payments-server/issues/1548

Changes proposed in this Pull Request

• Validate the entity id against regex before making a request to the server.

Testing instructions

• Test the various routes that are affected by this PR (in the API client) and ensure they work as intended.

---

• Run npm run changelog to add a changelog file, choose patch to leave it empty if the change is not significant. You can add multiple changelog files in one PR by running this command a few times.
• Covered with tests (or have a good reason not to test in description ☝️)
• Tested on mobile (or does not apply)

Post merge

• Link to testing instructions from release testing doc following these instructions : Add link here / 'QA Testing Not Applicable'
• Add or update critical flows and testing instructions for critical flows, if applicable.
• Add what's changed (description, screenshot, demo videos etc.) to the release announcement post, if applicable.

[botwoo]

Test the build

Option 1. Jetpack Beta

• Install and activate Jetpack Beta.
• Use this build by searching for PR number 9030 or branch name update/route-regex-validation in your-test.site/wp-admin/admin.php?page=jetpack-beta&plugin=woocommerce-payments

Option 2. Jurassic Ninja - available for logged-in A12s

🚀 Launch a JN site with this branch 🚀

ℹ️ Install this Tampermonkey script to get more options.

---

Build info:

• Latest commit: f865ce9
• Build time: 2024-07-04 07:08:57 UTC

Note: the build is updated when a new commit is pushed to this PR.

[github-actions]

Size Change: 0 B

Total Size: 1.26 MB

ℹ️ View Unchanged

Filename	Size
release/woocommerce-payments/assets/css/admin.css	1.08 kB
release/woocommerce-payments/assets/css/admin.rtl.css	1.08 kB
release/woocommerce-payments/assets/css/success.css	172 B
release/woocommerce-payments/assets/css/success.rtl.css	172 B
release/woocommerce-payments/dist/blocks-checkout-rtl.css	2.07 kB
release/woocommerce-payments/dist/blocks-checkout.css	2.07 kB
release/woocommerce-payments/dist/blocks-checkout.js	52.2 kB
release/woocommerce-payments/dist/bnpl-announcement-rtl.css	530 B
release/woocommerce-payments/dist/bnpl-announcement.css	531 B
release/woocommerce-payments/dist/bnpl-announcement.js	20 kB
release/woocommerce-payments/dist/cart-block.js	15.4 kB
release/woocommerce-payments/dist/cart.js	4.57 kB
release/woocommerce-payments/dist/checkout-rtl.css	599 B
release/woocommerce-payments/dist/checkout.css	599 B
release/woocommerce-payments/dist/checkout.js	31.5 kB
release/woocommerce-payments/dist/express-checkout-rtl.css	155 B
release/woocommerce-payments/dist/express-checkout.css	155 B
release/woocommerce-payments/dist/express-checkout.js	5.65 kB
release/woocommerce-payments/dist/index-rtl.css	41.3 kB
release/woocommerce-payments/dist/index.css	41.2 kB
release/woocommerce-payments/dist/index.js	294 kB
release/woocommerce-payments/dist/multi-currency-analytics.js	1.05 kB
release/woocommerce-payments/dist/multi-currency-rtl.css	3.42 kB
release/woocommerce-payments/dist/multi-currency-switcher-block.js	59.5 kB
release/woocommerce-payments/dist/multi-currency.css	3.42 kB
release/woocommerce-payments/dist/multi-currency.js	54.7 kB
release/woocommerce-payments/dist/order-rtl.css	733 B
release/woocommerce-payments/dist/order.css	735 B
release/woocommerce-payments/dist/order.js	41.8 kB
release/woocommerce-payments/dist/payment-gateways-rtl.css	1.36 kB
release/woocommerce-payments/dist/payment-gateways.css	1.36 kB
release/woocommerce-payments/dist/payment-gateways.js	38.6 kB
release/woocommerce-payments/dist/payment-request-rtl.css	155 B
release/woocommerce-payments/dist/payment-request.css	155 B
release/woocommerce-payments/dist/payment-request.js	5.93 kB
release/woocommerce-payments/dist/plugins-page-rtl.css	388 B
release/woocommerce-payments/dist/plugins-page.css	388 B
release/woocommerce-payments/dist/plugins-page.js	19.3 kB
release/woocommerce-payments/dist/product-details-rtl.css	398 B
release/woocommerce-payments/dist/product-details.css	402 B
release/woocommerce-payments/dist/product-details.js	11.2 kB
release/woocommerce-payments/dist/settings-rtl.css	11.1 kB
release/woocommerce-payments/dist/settings.css	11 kB
release/woocommerce-payments/dist/settings.js	201 kB
release/woocommerce-payments/dist/subscription-edit-page.js	669 B
release/woocommerce-payments/dist/subscription-product-onboarding-modal-rtl.css	527 B
release/woocommerce-payments/dist/subscription-product-onboarding-modal.css	527 B
release/woocommerce-payments/dist/subscription-product-onboarding-modal.js	19.4 kB
release/woocommerce-payments/dist/subscription-product-onboarding-toast.js	693 B
release/woocommerce-payments/dist/subscriptions-empty-state-rtl.css	120 B
release/woocommerce-payments/dist/subscriptions-empty-state.css	120 B
release/woocommerce-payments/dist/subscriptions-empty-state.js	18.5 kB
release/woocommerce-payments/dist/tokenized-payment-request-rtl.css	155 B
release/woocommerce-payments/dist/tokenized-payment-request.css	155 B
release/woocommerce-payments/dist/tokenized-payment-request.js	6.65 kB
release/woocommerce-payments/dist/tos-rtl.css	235 B
release/woocommerce-payments/dist/tos.css	236 B
release/woocommerce-payments/dist/tos.js	21 kB
release/woocommerce-payments/dist/woopay-direct-checkout.js	4.94 kB
release/woocommerce-payments/dist/woopay-express-button-rtl.css	155 B
release/woocommerce-payments/dist/woopay-express-button.css	155 B
release/woocommerce-payments/dist/woopay-express-button.js	15.2 kB
release/woocommerce-payments/dist/woopay-rtl.css	4.25 kB
release/woocommerce-payments/dist/woopay.css	4.22 kB
release/woocommerce-payments/dist/woopay.js	69.4 kB
release/woocommerce-payments/includes/subscriptions/assets/css/plugin-page.css	622 B
release/woocommerce-payments/includes/subscriptions/assets/js/plugin-page.js	815 B
release/woocommerce-payments/vendor/automattic/jetpack-assets/build/i18n-loader.js	2.44 kB
release/woocommerce-payments/vendor/automattic/jetpack-assets/src/js/i18n-loader.js	1.01 kB
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-admin-create-user.css	196 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-admin-create-user.js	20 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-admin-create-user.rtl.css	196 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-login.css	627 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-login.js	20 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-login.rtl.css	628 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/jetpack-sso-users.js	390 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/tracks-ajax.js	522 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/tracks-callables.js	581 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/src/sso/jetpack-sso-admin-create-user.css	214 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/src/sso/jetpack-sso-admin-create-user.js	523 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/src/sso/jetpack-sso-login.css	722 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/src/sso/jetpack-sso-login.js	408 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/src/sso/jetpack-sso-users.js	517 B
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/babel.config.js	160 B
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/build/index.css	2.36 kB
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/build/index.js	13.5 kB
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/build/index.rtl.css	2.36 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/about.css	1.03 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/admin-empty-state.css	291 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/admin-order-statuses.css	403 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/admin.css	3.6 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/checkout.css	299 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/modal.css	742 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/view-subscription.css	572 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/wcs-upgrade.css	411 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/admin-pointers.js	544 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/admin.js	9.4 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/jstz.js	6.8 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/jstz.min.js	3.83 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/meta-boxes-coupon.js	544 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/meta-boxes-subscription.js	2.52 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/moment.js	22.1 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/moment.min.js	11.6 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/payment-method-restrictions.js	1.29 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/wcs-meta-boxes-order.js	502 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/payment-methods.js	355 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/single-product.js	429 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/view-subscription.js	1.38 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/wcs-cart.js	781 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/modal.js	1.1 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/wcs-upgrade.js	1.27 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/build/index.css	392 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/build/index.js	3.05 kB

_{compressed-size-action}

[dmvrtx]

Thanks for looking into this issue, but I don't think the suggestion is the right way to go, as explained below.

[dmvrtx]

Looks good to me. Only note is that maybe we can have a dedicated method to validate ID and throw an exception and re-use it in the affected places?

[deepakpathania]

dedicated method to validate ID and throw an exception and re-use it in the affected places?

I considered it but then thought different methods could also check for other conditions related to that param maybe and having it in the method itself might be more flexible, don't have a strong usecase for this at the top of my head except for length check in some cases like file endpoints.

[marcinbot]

[shendy-a8c]

Tested challenging dispute and it worked.

However, I check all the request() calls in wc-payment-api/class-wc-payments-api-client.php and found $customer_id is not validated here.

$product_id is not validated as well here.

There are more cases like that where parameter that is passed as part of the request URL, is not validated.

Are those out of this PR's scope?

[deepakpathania]

@shendy-a8c Wherever there was an existing validation for the param being passed, we didn't update that to defer to the existing checks.

Update: Added validation for missing places as well.

[shendy-a8c]

Looks good!