CANTINA-954: Security: Use ambiguous error message in forgot password

security/login-error.php

@@ -1,13 +1,17 @@
 <?php
 namespace Automattic\VIP\Security;
 
+use WP_Error;
+
+const FORGET_PWD_MESSAGE = 'If there is an account associated with the username/email address, you will receive an email with a link to reset your password.';
+
 /**
  * Use a login message that does not reveal the type of login error in an attempted brute-force.
- * 
+ *
  * @param string $error Login error message.
- * 
+ *
  * @return string $error Login error message.
- * 
+ *
  * @since 1.1
  */
 function use_ambiguous_login_error( $error ): string {
@@ -17,6 +21,11 @@ function use_ambiguous_login_error( $error ): string {
 		return (string) $error;
 	}
 
+	// For lostpassword action, use different message.
+	if ( isset( $_GET['action'] ) && 'lostpassword' === $_GET['action'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		return FORGET_PWD_MESSAGE;
+	}
+
 	$err_codes = $errors->get_error_codes();
 
 	$err_types = [
@@ -35,5 +44,26 @@ function use_ambiguous_login_error( $error ): string {
 
 	return (string) $error;
 }
-
 add_filter( 'login_errors', __NAMESPACE__ . '\use_ambiguous_login_error', 99, 1 );
+
+/**
+ * Use a message that does not reveal the type of login error in an attempted brute-force on forget password.
+ *
+ * @param WP_Error $errors WP Error object.
+ *
+ * @return WP_Error $errors WP Error object.
+ *
+ * @since 1.1
+ */
+function use_ambiguous_confirmation( $errors ): WP_Error {
+	if ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$messages = $errors->get_error_messages( 'confirm' );
+		if ( ! empty( $messages ) ) {
+			$errors->remove( 'confirm' );
+			$errors->add( 'confirm', FORGET_PWD_MESSAGE, 'message' );
+		}
+	}
+
+	return $errors;
+}
+add_filter( 'wp_login_errors', __NAMESPACE__ . '\use_ambiguous_confirmation', 99 );

tests/security/test-login-error.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace Automattic\VIP\Security;
+
+use WP_Error;
+use WP_UnitTestCase;
+
+class Login_Error_Test extends WP_UnitTestCase {
+	public function tearDown(): void {
+		global $errors;
+
+		unset( $errors );
+		parent::tearDown();
+	}
+
+	public function test_has_filters(): void {
+		self::assertEquals( 99, has_filter( 'login_errors', __NAMESPACE__ . '\use_ambiguous_login_error' ) );
+		self::assertEquals( 99, has_filter( 'wp_login_errors', __NAMESPACE__ . '\use_ambiguous_confirmation' ) );
+	}
+
+	public function test_use_ambiguous_confirmation(): void {
+		$errors = new WP_Error();
+		$errors->add(
+			'confirm',
+			sprintf(
+				'Check your email for the confirmation link, then visit the <a href="%s">login page</a>.',
+				wp_login_url()
+			),
+			'message'
+		);
+
+		$_GET['checkemail'] = 'confirm';
+		$actual             = apply_filters( 'wp_login_errors', $errors, admin_url() );
+
+		self::assertInstanceOf( WP_Error::class, $actual );
+		self::assertContains( FORGET_PWD_MESSAGE, $actual->get_error_messages( 'confirm' ) );
+	}
+
+	public function test_ambiguous_reset(): void {
+		global $errors;
+
+		$message = 'Something went terribly wrong';
+
+		// phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
+		$errors = new WP_Error();
+		$errors->add( 'error', $message );
+
+		$_GET['action'] = 'lostpassword';
+
+		$actual = apply_filters( 'login_errors', $message );
+		self::assertSame( FORGET_PWD_MESSAGE, $actual );
+	}
+}