Security improvements and API compatibility fixes (v0.3.6)

- Add recursive key sorting for response signing compatibility
- Fix IP header spoofing in rate limiting with trusted proxy support
- Add CSRF protection to CSV export with nonce verification
- Explicit Twig autoescape for XSS prevention
- Escape status values in CSS classes
- Update README with security documentation and trusted proxy config
- Update translations for v0.3.6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/Api/RestApiController.php

@@ -95,29 +95,152 @@ final class RestApiController
 
     /**
      * Get client IP address
+     *
+     * Security note: Only trust proxy headers when explicitly configured.
+     * Set WC_LICENSE_TRUSTED_PROXIES constant or configure trusted_proxies
+     * in wp-config.php to enable proxy header support.
+     *
+     * @return string Client IP address
      */
     private function getClientIp(): string
     {
-        $headers = [
-            'HTTP_CF_CONNECTING_IP', // Cloudflare
-            'HTTP_X_FORWARDED_FOR',
-            'HTTP_X_REAL_IP',
-            'REMOTE_ADDR',
-        ];
+        // Get the direct connection IP first
+        $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
 
-        foreach ($headers as $header) {
-            if (!empty($_SERVER[$header])) {
-                $ips = explode(',', $_SERVER[$header]);
-                $ip = trim($ips[0]);
-                if (filter_var($ip, FILTER_VALIDATE_IP)) {
-                    return $ip;
+        // Only check proxy headers if we're behind a trusted proxy
+        if ($this->isTrustedProxy($remoteAddr)) {
+            // Check headers in order of trust preference
+            $headers = [
+                'HTTP_CF_CONNECTING_IP', // Cloudflare
+                'HTTP_X_FORWARDED_FOR',
+                'HTTP_X_REAL_IP',
+            ];
+
+            foreach ($headers as $header) {
+                if (!empty($_SERVER[$header])) {
+                    $ips = explode(',', $_SERVER[$header]);
+                    $ip = trim($ips[0]);
+                    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+                        return $ip;
+                    }
                 }
             }
         }
 
+        // Validate and return direct connection IP
+        if (filter_var($remoteAddr, FILTER_VALIDATE_IP)) {
+            return $remoteAddr;
+        }
+
         return '0.0.0.0';
     }
 
+    /**
+     * Check if the given IP is a trusted proxy
+     *
+     * @param string $ip The IP address to check
+     * @return bool Whether the IP is a trusted proxy
+     */
+    private function isTrustedProxy(string $ip): bool
+    {
+        // Check if trusted proxies are configured
+        if (!defined('WC_LICENSE_TRUSTED_PROXIES')) {
+            return false;
+        }
+
+        $trustedProxies = WC_LICENSE_TRUSTED_PROXIES;
+
+        // Handle string constant (comma-separated list)
+        if (is_string($trustedProxies)) {
+            $trustedProxies = array_map('trim', explode(',', $trustedProxies));
+        }
+
+        if (!is_array($trustedProxies)) {
+            return false;
+        }
+
+        // Check for special keywords
+        if (in_array('CLOUDFLARE', $trustedProxies, true)) {
+            // Cloudflare IP ranges (simplified - in production, fetch from Cloudflare API)
+            if ($this->isCloudflareIp($ip)) {
+                return true;
+            }
+        }
+
+        // Check direct IP match or CIDR notation
+        foreach ($trustedProxies as $proxy) {
+            if ($proxy === $ip) {
+                return true;
+            }
+
+            // Support CIDR notation
+            if (str_contains($proxy, '/') && $this->ipMatchesCidr($ip, $proxy)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if IP is in Cloudflare range
+     *
+     * @param string $ip The IP to check
+     * @return bool Whether IP belongs to Cloudflare
+     */
+    private function isCloudflareIp(string $ip): bool
+    {
+        // Cloudflare IPv4 ranges (as of 2024)
+        $cloudflareRanges = [
+            '173.245.48.0/20',
+            '103.21.244.0/22',
+            '103.22.200.0/22',
+            '103.31.4.0/22',
+            '141.101.64.0/18',
+            '108.162.192.0/18',
+            '190.93.240.0/20',
+            '188.114.96.0/20',
+            '197.234.240.0/22',
+            '198.41.128.0/17',
+            '162.158.0.0/15',
+            '104.16.0.0/13',
+            '104.24.0.0/14',
+            '172.64.0.0/13',
+            '131.0.72.0/22',
+        ];
+
+        foreach ($cloudflareRanges as $range) {
+            if ($this->ipMatchesCidr($ip, $range)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if an IP matches a CIDR range
+     *
+     * @param string $ip The IP to check
+     * @param string $cidr The CIDR range (e.g., "192.168.1.0/24")
+     * @return bool Whether the IP matches the CIDR range
+     */
+    private function ipMatchesCidr(string $ip, string $cidr): bool
+    {
+        [$subnet, $bits] = explode('/', $cidr);
+
+        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ||
+            !filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return false;
+        }
+
+        $ipLong = ip2long($ip);
+        $subnetLong = ip2long($subnet);
+        $mask = -1 << (32 - (int) $bits);
+
+        return ($ipLong & $mask) === ($subnetLong & $mask);
+    }
+
     /**
      * Register REST API routes
      */