Prevent Updating AU via API

namithj · namithj · commit bfaccc2c9221 · 2025-03-09T00:28:12.000+05:30
Prevent Updating AU via API Fixes #325 Fixes #324
diff --git a/includes/class-controller.php b/includes/class-controller.php
@@ -22,6 +22,7 @@ public function __construct() {
 		$this->api_rewrite();
 		add_action( 'wp_ajax_aspireupdate_clear_log', [ $this, 'clear_log' ] );
 		add_action( 'wp_ajax_aspireupdate_read_log', [ $this, 'read_log' ] );
+		add_filter( 'site_transient_update_plugins', [ $this, 'check_self_update_notifications' ] );
 	}
 
 	/**
@@ -125,4 +126,19 @@ public function read_log() {
 			]
 		);
 	}
+
+	/**
+	 * Hide Aspire Update plugin from plugin update notifications.
+	 * This is to prevent supply chain attacks via unverified API providers.
+	 *
+	 * @param object $value The Update Notifications Data.
+	 *
+	 * @return object $value The Update Notifications Data.
+	 */
+	public function check_self_update_notifications( $value ) {
+		if ( isset( $value->response['aspireupdate/aspire-update.php'] ) ) {
+			unset( $value->response['aspireupdate/aspire-update.php'] );
+		}
+		return $value;
+	}
 }
diff --git a/includes/class-plugins-screens.php b/includes/class-plugins-screens.php
@@ -35,6 +35,7 @@ public function __construct() {
 		$admin_settings = Admin_Settings::get_instance();
 		if ( $admin_settings->get_setting( 'enable', false ) ) {
 			add_filter( 'install_plugins_tabs', [ $this, 'remove_unused_filter_tabs' ] );
+			add_filter( 'plugins_api_result', [ $this, 'hide_self_plugins_api_result' ], 10, 1 );
 		}
 	}
 
@@ -62,4 +63,37 @@ public function remove_unused_filter_tabs( $tabs ) {
 		}
 		return $tabs;
 	}
+
+	/**
+	 * Hide Aspire Update plugin from plugin search results.
+	 * This is to prevent supply chain attacks via unverified API providers.
+	 *
+	 * @param array $results The Results of the Plugins API call.
+	 *
+	 * @return array $results The updated Results of the Plugins API call.
+	 */
+	public function hide_self_plugins_api_result( $results ) {
+		if (
+			! is_admin() ||
+			! isset( $_REQUEST['s'] )
+		) {
+			return $results;
+		}
+
+		if (
+			! is_object( $results ) ||
+			! isset( $results->plugins ) ||
+			! is_array( $results->plugins )
+		) {
+			return $results;
+		}
+
+		foreach ( $results->plugins as $key => $plugin ) {
+			if ( isset( $plugin['slug'] ) && ( 'aspireupdate' === $plugin['slug'] ) ) {
+				unset( $results->plugins[ $key ] );
+				break;
+			}
+		}
+		return $results;
+	}
 }
