Querying order by meta key with empty value returns an order.

[shendy-a8c]

Describe the bug

order_id_from_meta_key_value() when passed with empty value, will return some order id, which is unexpected and potentially expose a security problem.

To Reproduce

1. Define a new route, `/disputes/something', at the end of WC_REST_Payments_Disputes_Controller:: register_routes().
2. Defining it at the end like that is incorrect because the /disputes/{dispute_id} route will match first.
3. An order will be returned along in the response, which is unexpected.

I actually bumped into this bug by accident when working on my PR and I'm not sure if this bug affects UX or exploitable because going to a dispute page with invalid id, eg /wp-admin/admin.php?page=wc-admin&path=%2Fpayments%2Fdisputes%2Fdetails&id=something, doesn't let me through.

Additional context

I found that WC_Payments_API_Client::get_dispute() calls add_order_info_to_object() with a null $charge_id which will eventually calls order_from_charge_id().

[jessy-p]

@shendy-a8c The code for order_id_from_meta_key_value has changed recently, could you check if this is still applicable?

[shendy-a8c]

This issue is still valid.

I just tested by following these steps:

1. Install WP-Console.
2. Open the Console menu from the top bar of the admin page.
3. Run this code

$client = WC_Payments::create_api_client();
$client->get_dispute('');

4. Note that the $order_id returned in this line is a valid order id.

It should not be like that. $order_id should be empty / null.

[shendy-a8c]

@jessy-p is this issue something @Automattic/gamma can / should do?

[haszari]

Removing disputes label (so Helix can ignore when triaging our backlog). Based on the above, this is a specific code bug in data access code, not necessarily related to disputes.

@naman03malhotra can you add this Gamma's backlog? (maybe it's already there!)

[htdat]

Thanks @haszari. I am going to move it to the proper Gamma queue for prioritiazation.