Fixed CVEs

fixed CVEs

fixed CVEs

code format

Author: yushine

innopacks/common/src/Repositories/AddressRepo.php

@@ -44,15 +44,13 @@ public static function getAddressTypes(): array
      */
     public function builder(array $filters = []): Builder
     {
-        $builder    = Address::query();
-        $customerID = $filters['customer_id'] ?? 0;
-        if ($customerID) {
-            $builder->where('customer_id', $customerID);
+        $builder = Address::query();
+        if (isset($filters['customer_id'])) {
+            $builder->where('customer_id', (int) $filters['customer_id']);
         }
 
-        $guestID = $filters['guest_id'] ?? '';
-        if (empty($customerID) && $guestID) {
-            $builder->where('guest_id', $guestID);
+        if (isset($filters['guest_id'])) {
+            $builder->where('guest_id', (int) $filters['guest_id']);
         }
 
         return fire_hook_filter('repo.address.builder', $builder);

innopacks/common/src/Repositories/OrderRepo.php

@@ -206,10 +206,12 @@ private function handleData($requestData): array
             $customer = Customer::query()->find($customerID);
         }
 
+        $guestID = $requestData['guest_id'] ?? '';
+
         $shippingAddressID = (int) $requestData['shipping_address_id'];
         $billingAddressID  = (int) $requestData['billing_address_id'];
-        $shippingAddress   = $shippingAddressID ? Address::query()->findOrFail($shippingAddressID) : null;
-        $billingAddress    = $billingAddressID ? Address::query()->findOrFail($billingAddressID) : null;
+        $shippingAddress   = $this->getValidatedAddress($shippingAddressID, $customerID, $guestID);
+        $billingAddress    = $this->getValidatedAddress($billingAddressID, $customerID, $guestID);
 
         $saData = $shippingAddress ? (new AddressListItem($shippingAddress))->jsonSerialize() : [];
         $baData = $billingAddress ? (new AddressListItem($billingAddress))->jsonSerialize() : [];
@@ -275,6 +277,33 @@ public function getOrderByNumber($orderNumber, bool $force = false): mixed
         return $this->builder(['number' => $orderNumber])->first();
     }
 
+    /**
+     * Get validated address by ID and customer/guest ownership
+     *
+     * @param  int  $addressID
+     * @param  int  $customerID
+     * @param  string  $guestID
+     * @return Address|null
+     */
+    private function getValidatedAddress(int $addressID, int $customerID, string $guestID = ''): ?Address
+    {
+        if (! $addressID) {
+            return null;
+        }
+
+        $query = Address::query()->where('id', $addressID);
+
+        if ($customerID) {
+            $query->where('customer_id', $customerID);
+        } elseif ($guestID) {
+            $query->where('customer_id', 0)->where('guest_id', $guestID);
+        } else {
+            throw new Exception('Address validation requires either customer_id or guest_id');
+        }
+
+        return $query->firstOrFail();
+    }
+
     /**
      * Generate order number.
      *

…front/src/Requests/UploadFileRequest.php …ommon/src/Requests/UploadFileRequest.phpinnopacks/front/src/Requests/UploadFileRequest.php renamed to innopacks/common/src/Requests/UploadFileRequest.php innopacks/front/src/Requests/UploadFileRequest.php renamed to innopacks/common/src/Requests/UploadFileRequest.php

@@ -7,7 +7,7 @@
  * @license    https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
  */
 
-namespace InnoShop\Front\Requests;
+namespace InnoShop\Common\Requests;
 
 use Illuminate\Foundation\Http\FormRequest;
 
@@ -30,14 +30,18 @@ public function authorize(): bool
      */
     public function rules(): array
     {
-        if (is_admin()) {
-            $rule = 'required|image|mimes:jpg,png,jpeg,gif,svg,webp,zip,doc,docx,xls,xlsx,ppt,pptx,pdf,mp4|max:4096';
+        // Unified security policy - no dangerous file types including SVG
+        $allowedMimes = 'jpg,png,jpeg,gif,webp,zip,doc,docx,xls,xlsx,ppt,pptx,pdf,mp4';
+
+        // Dynamic file size limits based on context
+        if (request()->is('panel/*') || is_admin()) {
+            $maxSize = 8192; // 8MB for admin/panel
         } else {
-            $rule = 'required|image|mimes:jpg,png,jpeg,gif,webp,zip,doc,docx,xls,xlsx,ppt,pptx,pdf,mp4|max:2048';
+            $maxSize = 2048; // 2MB for regular users
         }
 
         return [
-            'file' => $rule,
+            'file' => "required|file|mimes:{$allowedMimes}|max:{$maxSize}",
             'type' => 'required|alpha_dash',
         ];
     }

…ront/src/Requests/UploadImageRequest.php …mmon/src/Requests/UploadImageRequest.phpinnopacks/front/src/Requests/UploadImageRequest.php renamed to innopacks/common/src/Requests/UploadImageRequest.php innopacks/front/src/Requests/UploadImageRequest.php renamed to innopacks/common/src/Requests/UploadImageRequest.php

@@ -7,7 +7,7 @@
  * @license    https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
  */
 
-namespace InnoShop\Front\Requests;
+namespace InnoShop\Common\Requests;
 
 use Illuminate\Foundation\Http\FormRequest;
 
@@ -30,14 +30,19 @@ public function authorize(): bool
      */
     public function rules(): array
     {
-        if (is_admin()) {
-            $rule = 'required|image|mimes:jpg,png,jpeg,gif,svg,webp|max:4096';
+        // Unified security policy for all contexts
+        // No SVG support for security reasons
+        $allowedMimes = 'jpg,png,jpeg,gif,webp';
+
+        // Dynamic file size limits based on context
+        if (request()->is('panel/*') || is_admin()) {
+            $maxSize = 8192; // 8MB for admin/panel
         } else {
-            $rule = 'required|image|mimes:jpg,png,jpeg,gif,webp|max:2048';
+            $maxSize = 2048; // 2MB for regular users
         }
 
         return [
-            'image' => $rule,
+            'image' => "required|image|mimes:{$allowedMimes}|max:{$maxSize}",
             'type'  => 'required|alpha_dash',
         ];
     }

innopacks/common/src/Services/FileSecurityValidator.php

@@ -0,0 +1,220 @@
+<?php
+/**
+ * Copyright (c) Since 2024 InnoShop - All Rights Reserved
+ *
+ * @link       https://www.innoshop.com
+ * @author     InnoShop <team@innoshop.com>
+ * @license    https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
+ */
+
+namespace InnoShop\Common\Services;
+
+use Exception;
+
+class FileSecurityValidator
+{
+    /**
+     * List of dangerous file extensions
+     */
+    private const DANGEROUS_EXTENSIONS = [
+        'php', 'php3', 'php4', 'php5', 'phtml', 'php7', 'php8',
+        'asp', 'aspx', 'jsp', 'pl', 'py', 'rb', 'sh', 'cgi',
+        'exe', 'bat', 'cmd', 'com', 'scr', 'vbs', 'js', 'jar',
+        'htaccess', 'htpasswd',
+    ];
+
+    /**
+     * File extensions that may contain malicious code
+     */
+    private const POTENTIALLY_DANGEROUS_EXTENSIONS = [
+        'svg', 'html', 'htm', 'xml',
+    ];
+
+    /**
+     * Validate file extension security
+     *
+     * @param  string  $fileName  File name
+     * @param  bool  $allowSvg  Whether to allow SVG files (requires additional processing)
+     * @throws Exception
+     */
+    public static function validateFileExtension(string $fileName, bool $allowSvg = false): void
+    {
+        $extension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
+
+        // Check absolutely dangerous extensions
+        if (in_array($extension, self::DANGEROUS_EXTENSIONS)) {
+            throw new Exception("Dangerous file extension '{$extension}' is not allowed");
+        }
+
+        // Check potentially dangerous extensions (like SVG)
+        if (! $allowSvg && in_array($extension, self::POTENTIALLY_DANGEROUS_EXTENSIONS)) {
+            throw new Exception("Potentially dangerous file extension '{$extension}' is not allowed. Use allowSvg=true if you want to enable SVG with proper sanitization.");
+        }
+    }
+
+    /**
+     * Validate and sanitize SVG file content (remove scripts and event handlers)
+     *
+     * @param  string  $svgContent  SVG file content
+     * @return string Sanitized SVG content
+     * @throws Exception
+     */
+    public static function sanitizeSvgContent(string $svgContent): string
+    {
+        // Remove script tags
+        $svgContent = preg_replace('/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/mi', '', $svgContent);
+
+        // Remove event handler attributes
+        $dangerousAttributes = [
+            'onload', 'onerror', 'onmouseover', 'onmouseout', 'onclick', 'onmousemove',
+            'onmousedown', 'onmouseup', 'onfocus', 'onblur', 'onkeydown', 'onkeyup',
+            'onsubmit', 'onreset', 'onchange', 'onselect', 'javascript:',
+        ];
+
+        foreach ($dangerousAttributes as $attr) {
+            $svgContent = preg_replace('/'.$attr.'\s*=\s*["\'][^"\']*["\']/i', '', $svgContent);
+        }
+
+        // Remove external resource references (prevent external script loading)
+        $svgContent = preg_replace('/href\s*=\s*["\'](?!#)[^"\']*["\']/i', '', $svgContent);
+
+        // Check if it's still valid SVG
+        if (! preg_match('/<svg\b/i', $svgContent)) {
+            throw new Exception('Invalid SVG content after sanitization');
+        }
+
+        return $svgContent;
+    }
+
+    /**
+     * Check if file MIME type is safe
+     *
+     * @param  string  $mimeType  MIME type
+     * @throws Exception
+     */
+    public static function validateMimeType(string $mimeType): void
+    {
+        $dangerousMimeTypes = [
+            'application/x-php',
+            'application/x-httpd-php',
+            'text/x-php',
+            'application/php',
+            'application/x-sh',
+            'application/x-csh',
+            'text/x-shellscript',
+        ];
+
+        if (in_array(strtolower($mimeType), $dangerousMimeTypes)) {
+            throw new Exception("Dangerous MIME type '{$mimeType}' is not allowed");
+        }
+    }
+
+    /**
+     * Check if file name contains path traversal attacks
+     *
+     * @param  string  $fileName  File name
+     * @throws Exception
+     */
+    public static function validateFileName(string $fileName): void
+    {
+        // Check path traversal
+        if (str_contains($fileName, '..') || str_contains($fileName, '/') || str_contains($fileName, '\\')) {
+            throw new Exception('Invalid file name: path traversal detected');
+        }
+
+        // Check file name length
+        if (strlen($fileName) > 255) {
+            throw new Exception('File name too long');
+        }
+
+        // Check empty file name
+        if (empty(trim($fileName))) {
+            throw new Exception('File name cannot be empty');
+        }
+    }
+
+    /**
+     * Comprehensive file security validation
+     *
+     * @param  string  $fileName  File name
+     * @param  string|null  $mimeType  MIME type
+     * @param  bool  $allowSvg  Whether to allow SVG
+     * @throws Exception
+     */
+    public static function validateFile(string $fileName, ?string $mimeType = null, bool $allowSvg = false): void
+    {
+        self::validateFileName($fileName);
+        self::validateFileExtension($fileName, $allowSvg);
+
+        if ($mimeType) {
+            self::validateMimeType($mimeType);
+        }
+    }
+
+    /**
+     * Get list of safe image file extensions
+     */
+    public static function getSafeImageExtensions(): array
+    {
+        return ['jpg', 'jpeg', 'png', 'gif', 'webp'];
+    }
+
+    /**
+     * Get list of safe document file extensions
+     */
+    public static function getSafeDocumentExtensions(): array
+    {
+        return ['pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'txt', 'zip', 'rar'];
+    }
+
+    /**
+     * Validate and sanitize directory path to prevent path traversal attacks
+     *
+     * @param  string  $path  Directory path to validate
+     * @return string Sanitized safe path
+     * @throws Exception If path contains dangerous patterns
+     */
+    public static function validateDirectoryPath(string $path): string
+    {
+        // URL decode the path first
+        $decodedPath = urldecode($path);
+
+        // Check for path traversal attacks BEFORE any normalization
+        if (str_contains($decodedPath, '..')) {
+            throw new Exception('Path traversal attack detected');
+        }
+
+        // Check for null bytes and other dangerous characters
+        if (str_contains($decodedPath, "\0") || str_contains($decodedPath, "\x00")) {
+            throw new Exception('Null byte attack detected');
+        }
+
+        // Normalize path separators
+        $normalizedPath = str_replace('\\', '/', $decodedPath);
+
+        // Remove multiple consecutive slashes
+        $normalizedPath = preg_replace('#/+#', '/', $normalizedPath);
+
+        // Handle root directory case
+        if ($normalizedPath === '' || $normalizedPath === '/') {
+            return '/';
+        }
+
+        // Handle relative paths - convert to absolute paths with leading slash
+        if (! str_starts_with($normalizedPath, '/')) {
+            $normalizedPath = '/'.$normalizedPath;
+        }
+
+        // Remove trailing slash (except for root)
+        if ($normalizedPath !== '/') {
+            $normalizedPath = rtrim($normalizedPath, '/');
+        }
+
+        // Final check after normalization to prevent any remaining traversal attempts
+        if (str_contains($normalizedPath, '..')) {
+            throw new Exception('Path traversal attack detected after normalization');
+        }
+
+        return $normalizedPath;
+    }
+}

innopacks/front/src/Controllers/Account/AddressesController.php

@@ -59,8 +59,14 @@ public function store(Request $request): mixed
      */
     public function update(Request $request, Address $address): mixed
     {
+        $currentCustomerId = current_customer_id();
+
+        if ($address->customer_id !== $currentCustomerId) {
+            return json_fail('Unauthorized', null, 403);
+        }
+
         $data                = $request->all();
-        $data['customer_id'] = current_customer_id();
+        $data['customer_id'] = $currentCustomerId;
 
         $address = AddressRepo::getInstance()->update($address, $data);
         $result  = new AddressListItem($address);
@@ -74,6 +80,12 @@ public function update(Request $request, Address $address): mixed
      */
     public function destroy(Address $address): mixed
     {
+        $currentCustomerId = current_customer_id();
+
+        if ($address->customer_id !== $currentCustomerId) {
+            return json_fail('Unauthorized', null, 403);
+        }
+
         AddressRepo::getInstance()->destroy($address);
 
         return delete_json_success();