
Improved: hardened Proxy Speed Module, to make sure it doesn't disable plugins on non-proxy requests. #297

Merged: Dan0sz merged 5 commits into develop from fix_speed_module on May 5, 2026

@Dan0sz Dan0sz commented May 5, 2026

Summary by CodeRabbit

  • Chores

    • Updated plugin version to 1.0.1
  • Bug Fixes

    • Refined proxy request detection logic for improved accuracy
    • Strengthened plugin filtering with stricter matching requirements

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

coderabbitai Bot commented May 5, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between b397652 and 4c416a3.

📒 Files selected for processing (2)
  • mu-plugin/plausible-proxy-speed-module.php
  • src/Admin/Upgrades.php

Walkthrough

Plugin version bumped to 1.0.1 with security and accuracy improvements. Request URI detection now uses null-coalescing for safety. Proxy request detection rewritten to strictly match REST-path-segment namespace. Plugin filtering changed from substring to exact filename matching.

Changes

Plausible Proxy Speed Module Hardening

| Layer / File(s) | Summary |
|---|---|
| Plugin Metadata & Initialization: `mu-plugin/plausible-proxy-speed-module.php` (lines 4–38) | Version bumped from 1.0.0 to 1.0.1. Constructor refactored to initialize `$request_uri` and `$is_proxy_request` via helper method calls instead of property defaults. |
| Request Detection Logic: `mu-plugin/plausible-proxy-speed-module.php` (lines 41–78) | `get_request_uri()` now uses null-coalescing (`$_SERVER['REQUEST_URI'] ?? ''`) for safer access. `is_proxy_request()` rewritten to parse request URI path and strictly match the REST prefix as a path segment using `rest_get_url_prefix()` (or fallback to `wp-json`), replacing prior substring checks. |
| Plugin Filtering: `mu-plugin/plausible-proxy-speed-module.php` (lines 93–113) | `filter_active_plugins()` switched from substring matching (`strpos`) to exact filename matching via `basename()` and strict `in_array(..., true)` comparison against the allowlist. |

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: hardening the Proxy Speed Module to prevent plugin disabling on non-proxy requests, which aligns with the refactored proxy-request detection and improved plugin filtering logic. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
mu-plugin/plausible-proxy-speed-module.php (1)

109-111: ⚡ Quick win

Compare against the full plugin basename, not only the filename.

Using basename( $plugin ) still keeps any plugin whose main file is also named plausible-analytics.php. Since option_active_plugins already stores dir/file.php, matching the full plugin basename would make this allowlist truly exact.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@mu-plugin/plausible-proxy-speed-module.php` around lines 109 - 111, The
current check uses basename($plugin) which only compares filename and can
false-match plugins with the same main filename; change the comparison to use
the full plugin basename (e.g. plugin_basename($plugin) or compare $plugin
directly) so the allowlist ($allowed_plugin_files) is matched against the full
"dir/file.php" identifier; update the loop where $active_plugins, $plugin,
$allowed_plugin_files, and $filtered_plugins are used to replace
basename($plugin) with the full plugin basename function or the full path string
for an exact match.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@mu-plugin/plausible-proxy-speed-module.php`:
- Around line 71-78: The current check builds $expected from
rest_get_url_prefix() and assumes the REST root is at document root, which fails
for subdirectory installs; instead derive the full REST path from rest_url()
(e.g. $rest_path = trim( parse_url( rest_url(), PHP_URL_PATH ), '/' ) ), build
$expected using that ($expected = '/' . $rest_path . '/' . trim($namespace,
'/')), and then compare $path against this $expected (or starts with $expected .
'/'); update the logic that sets $rest_prefix/$expected and the return condition
(the symbols to edit are $rest_prefix, $expected, $path and replace or augment
rest_get_url_prefix() usage with rest_url()/parse_url).

📥 Commits

Reviewing files that changed from the base of the PR and between 8c36f00 and b397652.

📒 Files selected for processing (1)
  • mu-plugin/plausible-proxy-speed-module.php
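
The two matching questions raised in this review (substring versus path-segment detection of proxy requests, and filename versus full `dir/file.php` allowlisting), as an added example in standalone PHP that is not the plugin's code. The function names, the `example-ns/v1` namespace, the sample URIs and the plugin entries are constructed; `$rest_root_path` stands in for the path component of `rest_url()`.

```php
<?php
// Added example: names, namespace and sample data are constructed, not the plugin's.
const PROXY_NS = 'example-ns/v1'; // placeholder REST namespace

// Substring check: true for any URI that merely contains the namespace.
function is_proxy_request_substring(string $uri): bool {
    return strpos($uri, PROXY_NS) !== false;
}

// Segment check: the path must equal <rest root>/<namespace> or continue with '/'.
// $rest_root_path stands in for parse_url(rest_url(), PHP_URL_PATH).
function is_proxy_request_strict(string $uri, string $rest_root_path): bool {
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false; // malformed URI: treat as a non-proxy request
    }
    $expected = '/' . trim($rest_root_path, '/') . '/' . trim(PROXY_NS, '/');
    return $path === $expected || strpos($path, $expected . '/') === 0;
}

// Allowlist on the full "dir/file.php" identifier with strict comparison.
function filter_plugins_exact(array $active, array $allowed): array {
    return array_values(array_filter($active, fn($p) => in_array($p, $allowed, true)));
}

// Constructed request URIs: one real proxy route, three look-alikes, one subdirectory install.
$uris = [
    '/wp-json/example-ns/v1/event',
    '/wp-json/example-ns/v10/event',
    '/docs/wp-json/example-ns/v1/setup',
    '/?s=example-ns/v1',
    '/shop/wp-json/example-ns/v1/event',
];
foreach ($uris as $uri) {
    printf("%-38s substring=%d root=%d subdir=%d\n", $uri,
        (int) is_proxy_request_substring($uri),
        (int) is_proxy_request_strict($uri, '/wp-json/'),
        (int) is_proxy_request_strict($uri, '/shop/wp-json/'));
}

// Constructed active_plugins entries; two share the same main filename.
$active = [
    'plausible-analytics/plausible-analytics.php',
    'other-vendor/plausible-analytics.php',
    'seo-tool/seo.php',
];
$allowed = ['plausible-analytics/plausible-analytics.php'];
echo 'basename matches: ', count(array_filter($active, fn($p) => basename($p) === 'plausible-analytics.php')), "\n";
echo 'full-basename matches: ', count(filter_plugins_exact($active, $allowed)), "\n";
```

The `subdir` column shows why the expected prefix has to come from the site's actual REST root: with a root-only prefix, the subdirectory install's proxy route is not recognised.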

@Dan0sz Dan0sz merged commit ceda3b9 into develop May 5, 2026
7 checks passed
@Dan0sz Dan0sz deleted the fix_speed_module branch May 5, 2026 14:09