
JSON API: serializable_error() valid-int-only status hardening #50077

Merged
darssen merged 5 commits into trunk from update/json-api-serializable-error-valid-int
Jul 2, 2026

Conversation

@darssen

@darssen darssen commented Jun 30, 2026

Contributor

Related to CONNECT-267 (problem 1)

This is a second attempt after #50047 failed deployment CI in WPCOM. More info in p1782802283094959-slack-C01U2KGS2PQ
It is less ambitious than the previous PR, but we will handle problem 2 separately.

Proposed changes

Harden WPCOM_JSON_API::serializable_error() so an error always serializes a valid HTTP status (>= 400) — never 1, a non-integer, or a 2xx an app could read as success.

The previous extraction let array-shaped error data without a status_code key fall through as a truthy array, which downstream (int)-cast to 1 (and, without http_envelope, a 200 OK) — the root of the app-crash incident. It now coerces non-numeric / array data and any < 400 value to 400.

Does this pull request change what data or activity we track or use?

No

Testing instructions

  • jetpack docker phpunit jetpack -- --filter=WPCOM_JSON_API_Serializable_Error_Test — 11 tests green.
  • Covers: valid status passthrough (incl. unknown-but->= 400 left unchanged), array-without-status_code -> 400 (not 1), 2xx -> 400, and the error body shape (code/message/additional_data) preserved.

@github-actions

github-actions Bot commented Jun 30, 2026

Contributor

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the update/json-api-serializable-error-valid-int branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack update/json-api-serializable-error-valid-int

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions github-actions Bot added [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Status] In Progress [Tests] Includes Tests labels Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for your cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!


Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly:
    • Scheduled release: July 7, 2026
    • Code freeze: July 6, 2026

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions github-actions Bot added the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label Jun 30, 2026
@jp-launch-control

jp-launch-control Bot commented Jun 30, 2026


Code Coverage Summary

Coverage changed in 1 file.

| File | Coverage | Δ% | Δ Uncovered |
| --- | --- | --- | --- |
| projects/plugins/jetpack/class.json-api.php | 66/475 (13.89%) | 3.37% | -16 💚 |


@darssen darssen self-assigned this Jun 30, 2026
@darssen darssen requested a review from a team June 30, 2026 12:19
@darssen darssen added [Status] Needs Review This PR is ready for review. and removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. [Status] In Progress labels Jun 30, 2026
@darssen darssen marked this pull request as ready for review June 30, 2026 12:22
@darssen darssen requested a review from Copilot June 30, 2026 12:22
@github-actions github-actions Bot added [Status] In Progress [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. and removed [Status] Needs Review This PR is ready for review. labels Jun 30, 2026

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens WPCOM_JSON_API::serializable_error() so WP_Error responses always serialize a sane HTTP error status code (integer and >= 400), preventing array-shaped error data from being (int)-cast to 1 and avoiding accidental 2xx/3xx statuses that clients could interpret as success.

Changes:

  • Coerce error status_code to an integer and default/coerce any < 400 (or non-numeric) value to 400.
  • Add PHPUnit coverage for the regression cases (array-without-status_code → 400, non-error statuses → 400, unknown >= 400 statuses pass through, error shape preserved).
  • Add a Jetpack plugin changelog entry for the fix.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| projects/plugins/jetpack/class.json-api.php | Hardens status extraction/coercion in serializable_error() to ensure int >= 400. |
| projects/plugins/jetpack/tests/php/json-api/WPCOM_JSON_API_Serializable_Error_Test.php | Adds targeted unit tests covering the regression and intended status coercion behavior. |
| projects/plugins/jetpack/changelog/update-json-api-serializable-error-valid-int | Adds a changelog entry describing the JSON API error-status hardening. |
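
The failure mode described in the PR description and in the review overview above, as an added example that is not code from this PR or from Jetpack: a non-empty array cast with `(int)` becomes 1, and a coercion step that only ever returns an integer >= 400 removes that case. Both function names are hypothetical, `legacy_status()` is modelled only on the description's account of the old behaviour, and the sample inputs are constructed.

```php
<?php
// Added illustration; not the Jetpack implementation. Function names are hypothetical.

/**
 * Legacy-style extraction as the PR description characterises it: array data
 * that lacks a 'status_code' key is handed back unchanged.
 */
function legacy_status( $data ) {
	if ( is_array( $data ) && isset( $data['status_code'] ) ) {
		return $data['status_code'];
	}
	// A non-empty array is truthy, so it falls through as the "status".
	return $data ? $data : 400;
}

/**
 * Hardened extraction: the result is always an integer >= 400.
 */
function hardened_status( $data ) {
	if ( is_array( $data ) ) {
		// Only the status_code key may carry a status; other keys are ignored.
		$data = $data['status_code'] ?? null;
	}
	if ( ! is_numeric( $data ) ) {
		return 400; // null, nested arrays, non-numeric strings, objects
	}
	$status = (int) $data;
	return $status >= 400 ? $status : 400; // 1xx/2xx/3xx and 0 are not error statuses
}

// Constructed sample inputs covering the cases listed in the testing notes.
$samples = array(
	'array without status_code' => array( 'reason' => 'quota' ),
	'array with status_code'    => array( 'status_code' => 403 ),
	'2xx status'                => 200,
	'numeric string'            => '404',
	'unknown but >= 400'        => 499,
	'non-numeric string'        => 'forbidden',
	'null'                      => null,
);

foreach ( $samples as $label => $data ) {
	// The (int) cast stands in for the downstream cast the description mentions.
	printf( "%-28s legacy=%-3d hardened=%d\n", $label, (int) legacy_status( $data ), hardened_status( $data ) );
}
```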

Comment thread projects/plugins/jetpack/changelog/update-json-api-serializable-error-valid-int Outdated
darssen and others added 2 commits June 30, 2026 14:33
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment thread projects/plugins/jetpack/class.json-api.php Outdated
@darssen darssen changed the title JSON API: serializable_error() valid-int-only status hardening (CONNECT-267 problem 1) JSON API: serializable_error() valid-int-only status hardening Jun 30, 2026
@darssen darssen removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. [Status] In Progress labels Jul 2, 2026
@darssen darssen added the [Status] Needs Review This PR is ready for review. label Jul 2, 2026
@github-actions github-actions Bot added [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. and removed [Status] Needs Review This PR is ready for review. labels Jul 2, 2026

@fgiannar fgiannar left a comment

Contributor


LGTM :shipit:

@fgiannar fgiannar added [Status] Ready to Merge Go ahead, you can push that green button! and removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. labels Jul 2, 2026
@darssen darssen merged commit ea8e801 into trunk Jul 2, 2026
90 checks passed
@darssen darssen deleted the update/json-api-serializable-error-valid-int branch July 2, 2026 10:25
@github-actions github-actions Bot removed the [Status] Ready to Merge Go ahead, you can push that green button! label Jul 2, 2026
@github-actions github-actions Bot added this to the jetpack/16.0 milestone Jul 2, 2026

Labels

[Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Tests] Includes Tests
