einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-05 04:54:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: high-severity fixes (api throttle, fillable, idor, path, rel)

Browse Source 
- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.
This commit is contained in:
Claude
2026-05-03 12:55:09 +00:00
parent 90835f8b1f
commit 9b81f6cd92
11 changed files with 100 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
resources/views/livewire/meetups/landingpage.blade.php
+6 -6
View File
@@ -84,7 +84,7 @@ class extends Component {
<div class="grid grid-cols-1 md:grid-cols-2 gap-3">
@if($meetup->webpage)
<flux:button href="{{ $meetup->webpage }}" target="_blank" variant="ghost"
<flux:button href="{{ $meetup->webpage }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start">
<flux:icon.globe-alt class="w-5 h-5 mr-2"/>
Webseite
@@ -92,7 +92,7 @@ class extends Component {
@endif
@if($meetup->telegram_link)
<flux:button href="{{ $meetup->telegram_link }}" target="_blank" variant="ghost"
<flux:button href="{{ $meetup->telegram_link }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start">
<flux:icon.chat-bubble-left-right class="w-5 h-5 mr-2"/>
Telegram
@@ -100,7 +100,7 @@ class extends Component {
@endif
@if($meetup->twitter_username)
<flux:button href="https://twitter.com/{{ $meetup->twitter_username }}" target="_blank"
<flux:button href="https://twitter.com/{{ $meetup->twitter_username }}" target="_blank" rel="noopener noreferrer"
variant="ghost" class="justify-start">
<svg class="w-5 h-5 mr-2" fill="currentColor" viewBox="0 0 24 24">
<path
@@ -111,7 +111,7 @@ class extends Component {
@endif
@if($meetup->matrix_group)
<flux:button href="{{ $meetup->matrix_group }}" target="_blank" variant="ghost"
<flux:button href="{{ $meetup->matrix_group }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start">
<flux:icon.hashtag class="w-5 h-5 mr-2"/>
Matrix
@@ -119,14 +119,14 @@ class extends Component {
@endif
@if($meetup->signal)
<flux:button href="{{ $meetup->signal }}" target="_blank" variant="ghost" class="justify-start">
<flux:button href="{{ $meetup->signal }}" target="_blank" rel="noopener noreferrer" variant="ghost" class="justify-start">
<flux:icon.phone class="w-5 h-5 mr-2"/>
Signal
</flux:button>
@endif
@if($meetup->simplex)
<flux:button href="{{ $meetup->simplex }}" target="_blank" variant="ghost"
<flux:button href="{{ $meetup->simplex }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start">
<flux:icon.chat-bubble-oval-left-ellipsis class="w-5 h-5 mr-2"/>
SimpleX