einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-05 04:54:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: high-severity fixes (api throttle, fillable, idor, path, rel)

Browse Source 
- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.
This commit is contained in:
Claude
2026-05-03 12:55:09 +00:00
parent 90835f8b1f
commit 9b81f6cd92
11 changed files with 100 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
routes/api.php
+4 -2
View File
@@ -11,7 +11,7 @@ use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
Route::middleware([])
Route::middleware(['throttle:60,1'])
->as('api.')
->group(function () {
Route::resource('countries', CountryController::class);
@@ -22,7 +22,9 @@ Route::middleware([])
Route::resource('cities', CityController::class);
Route::resource('venues', VenueController::class);
Route::get('highscores', [HighscoreController::class, 'index'])->name('highscores.index');
Route::post('highscores', [HighscoreController::class, 'store'])->name('highscores.store');
Route::post('highscores', [HighscoreController::class, 'store'])
->middleware('throttle:10,1')
->name('highscores.store');
Route::get('nostrplebs', function () {
return User::query()
->select([
routes/web.php
+2 -2
View File
@@ -43,12 +43,12 @@ Route::livewire('/kaninchenbau', FollowTheRabbit::class)
// Generic image handler route that serves images from storage
Route::get('/img/{path}', ImageController::class)
->where('path', '.*')
->where('path', '[A-Za-z0-9._\-/]+')
->name('img');
// Public image handler route for serving public images
Route::get('/img-public/{path}', ImageController::class)
->where('path', '.*')
->where('path', '[A-Za-z0-9._\-/]+')
->name('imgPublic');
// Welcome page route using Volt component