einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-05 04:54:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: high-severity fixes (api throttle, fillable, idor, path, rel)

Browse Source 
- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.
This commit is contained in:
Claude
2026-05-03 12:55:09 +00:00
parent 90835f8b1f
commit 9b81f6cd92
11 changed files with 100 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Api/MeetupController.php
+3 -8
View File
@@ -4,7 +4,6 @@ namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use App\Models\Meetup; use App\Models\Meetup;
use App\Models\User;
use Illuminate\Database\Eloquent\Builder; use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\Request; use Illuminate\Http\Request;
@@ -17,14 +16,10 @@ class MeetupController extends Controller
public function index(Request $request) public function index(Request $request)
{ {
if (!is_numeric($request->input('user_id'))) { $user = $request->user();
abort(404); abort_unless($user, 401);
}
$myMeetupIds = User::query() $myMeetupIds = $user->meetups->pluck('id');
->findOrFail($request->input('user_id'))
?->meetups
->pluck('id');
return Meetup::query() return Meetup::query()
->select('id', 'name', 'city_id', 'slug') ->select('id', 'name', 'city_id', 'slug')
app/Http/Controllers/ImageController.php
+2
View File
@@ -12,6 +12,8 @@ class ImageController extends Controller
{ {
public function __invoke(Request $request, $path) public function __invoke(Request $request, $path)
{ {
abort_if(str_contains($path, '..'), 404);
$source = new \League\Flysystem\Filesystem( $source = new \League\Flysystem\Filesystem(
new \League\Flysystem\Local\LocalFilesystemAdapter(storage_path('app')) new \League\Flysystem\Local\LocalFilesystemAdapter(storage_path('app'))
); );
app/Models/Course.php
+6 -4
View File
@@ -20,11 +20,13 @@ class Course extends Model implements HasMedia
use InteractsWithMedia; use InteractsWithMedia;
/** /**
* The attributes that aren't mass assignable. * @var array<int, string>
*
* @var array
*/ */
protected $guarded = []; protected $fillable = [
'name',
'lecturer_id',
'description',
];
/** /**
* The attributes that should be cast to native types. * The attributes that should be cast to native types.
app/Models/Lecturer.php
+17 -4
View File
@@ -22,11 +22,24 @@ class Lecturer extends Model implements HasMedia
use InteractsWithMedia; use InteractsWithMedia;
/** /**
* The attributes that aren't mass assignable. * @var array<int, string>
*
* @var array
*/ */
protected $guarded = []; protected $fillable = [
'name',
'slug',
'subtitle',
'intro',
'description',
'active',
'website',
'twitter_username',
'nostr',
'lightning_address',
'lnurl',
'node_id',
'paynym',
'team_id',
];
/** /**
* The attributes that should be cast to native types. * The attributes that should be cast to native types.
app/Models/Meetup.php
+18 -4
View File
@@ -23,11 +23,25 @@ class Meetup extends Model implements HasMedia
use InteractsWithMedia; use InteractsWithMedia;
/** /**
* The attributes that aren't mass assignable. * @var array<int, string>
*
* @var array
*/ */
protected $guarded = []; protected $fillable = [
'name',
'slug',
'city_id',
'intro',
'telegram_link',
'webpage',
'twitter_username',
'matrix_group',
'nostr',
'nostr_status',
'simplex',
'signal',
'community',
'github_data',
'visible_on_map',
];
/** /**
* The attributes that should be cast to native types. * The attributes that should be cast to native types.
app/Models/SelfHostedService.php
+16 -1
View File
@@ -22,7 +22,22 @@ class SelfHostedService extends Model implements HasMedia
use HasTags; use HasTags;
use InteractsWithMedia; use InteractsWithMedia;
protected $guarded = []; /**
* @var array<int, string>
*/
protected $fillable = [
'name',
'slug',
'type',
'intro',
'url_clearnet',
'url_onion',
'url_i2p',
'url_pkdns',
'ip',
'contact',
'anon',
];
protected $casts = [ protected $casts = [
'id' => 'integer', 'id' => 'integer',
app/Models/User.php
+22 -1
View File
@@ -24,7 +24,28 @@ class User extends Authenticatable implements CipherSweetEncrypted
use Notifiable; use Notifiable;
use UsesCipherSweet; use UsesCipherSweet;
protected $guarded = []; protected $fillable = [
'name',
'email',
'password',
'email_verified_at',
'remember_token',
'profile_photo_path',
'public_key',
'is_lecturer',
'is_leader',
'current_team_id',
'current_language',
'timezone',
'lightning_address',
'lnurl',
'node_id',
'paynym',
'nostr',
'lnbits',
'change',
'change_time',
];
/** /**
* The attributes that should be hidden for serialization. * The attributes that should be hidden for serialization.
resources/views/livewire/courses/landingpage.blade.php
+4 -3
View File
@@ -87,7 +87,7 @@ class extends Component {
<!-- Lecturer Social Links --> <!-- Lecturer Social Links -->
<div class="mt-4 flex flex-wrap gap-2"> <div class="mt-4 flex flex-wrap gap-2">
@if($course->lecturer->website) @if($course->lecturer->website)
<flux:button href="{{ $course->lecturer->website }}" target="_blank" variant="ghost" <flux:button href="{{ $course->lecturer->website }}" target="_blank" rel="noopener noreferrer" variant="ghost"
size="xs"> size="xs">
<flux:icon.globe-alt class="w-4 h-4 mr-1"/> <flux:icon.globe-alt class="w-4 h-4 mr-1"/>
Website Website
@@ -96,7 +96,7 @@ class extends Component {
@if($course->lecturer->twitter_username) @if($course->lecturer->twitter_username)
<flux:button href="https://twitter.com/{{ $course->lecturer->twitter_username }}" <flux:button href="https://twitter.com/{{ $course->lecturer->twitter_username }}"
target="_blank" variant="ghost" size="xs"> target="_blank" rel="noopener noreferrer" variant="ghost" size="xs">
<svg class="w-4 h-4 mr-1" fill="currentColor" viewBox="0 0 24 24"> <svg class="w-4 h-4 mr-1" fill="currentColor" viewBox="0 0 24 24">
<path <path
d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-5.214-6.817L4.99 21.75H1.68l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z"/> d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-5.214-6.817L4.99 21.75H1.68l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z"/>
@@ -106,7 +106,7 @@ class extends Component {
@endif @endif
@if($course->lecturer->nostr) @if($course->lecturer->nostr)
<flux:button href="https://njump.me/{{ $course->lecturer->nostr }}" target="_blank" <flux:button href="https://njump.me/{{ $course->lecturer->nostr }}" target="_blank" rel="noopener noreferrer"
variant="ghost" size="xs"> variant="ghost" size="xs">
<flux:icon.bolt class="w-4 h-4 mr-1"/> <flux:icon.bolt class="w-4 h-4 mr-1"/>
Nostr Nostr
@@ -173,6 +173,7 @@ class extends Component {
<div class="mt-auto pt-4 flex gap-2"> <div class="mt-auto pt-4 flex gap-2">
<flux:button <flux:button
target="_blank" target="_blank"
rel="noopener noreferrer"
:href="$event->link" :href="$event->link"
size="xs" size="xs"
variant="primary" variant="primary"
resources/views/livewire/meetups/landingpage.blade.php
+6 -6
View File
@@ -84,7 +84,7 @@ class extends Component {
<div class="grid grid-cols-1 md:grid-cols-2 gap-3"> <div class="grid grid-cols-1 md:grid-cols-2 gap-3">
@if($meetup->webpage) @if($meetup->webpage)
<flux:button href="{{ $meetup->webpage }}" target="_blank" variant="ghost" <flux:button href="{{ $meetup->webpage }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start"> class="justify-start">
<flux:icon.globe-alt class="w-5 h-5 mr-2"/> <flux:icon.globe-alt class="w-5 h-5 mr-2"/>
Webseite Webseite
@@ -92,7 +92,7 @@ class extends Component {
@endif @endif
@if($meetup->telegram_link) @if($meetup->telegram_link)
<flux:button href="{{ $meetup->telegram_link }}" target="_blank" variant="ghost" <flux:button href="{{ $meetup->telegram_link }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start"> class="justify-start">
<flux:icon.chat-bubble-left-right class="w-5 h-5 mr-2"/> <flux:icon.chat-bubble-left-right class="w-5 h-5 mr-2"/>
Telegram Telegram
@@ -100,7 +100,7 @@ class extends Component {
@endif @endif
@if($meetup->twitter_username) @if($meetup->twitter_username)
<flux:button href="https://twitter.com/{{ $meetup->twitter_username }}" target="_blank" <flux:button href="https://twitter.com/{{ $meetup->twitter_username }}" target="_blank" rel="noopener noreferrer"
variant="ghost" class="justify-start"> variant="ghost" class="justify-start">
<svg class="w-5 h-5 mr-2" fill="currentColor" viewBox="0 0 24 24"> <svg class="w-5 h-5 mr-2" fill="currentColor" viewBox="0 0 24 24">
<path <path
@@ -111,7 +111,7 @@ class extends Component {
@endif @endif
@if($meetup->matrix_group) @if($meetup->matrix_group)
<flux:button href="{{ $meetup->matrix_group }}" target="_blank" variant="ghost" <flux:button href="{{ $meetup->matrix_group }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start"> class="justify-start">
<flux:icon.hashtag class="w-5 h-5 mr-2"/> <flux:icon.hashtag class="w-5 h-5 mr-2"/>
Matrix Matrix
@@ -119,14 +119,14 @@ class extends Component {
@endif @endif
@if($meetup->signal) @if($meetup->signal)
<flux:button href="{{ $meetup->signal }}" target="_blank" variant="ghost" class="justify-start"> <flux:button href="{{ $meetup->signal }}" target="_blank" rel="noopener noreferrer" variant="ghost" class="justify-start">
<flux:icon.phone class="w-5 h-5 mr-2"/> <flux:icon.phone class="w-5 h-5 mr-2"/>
Signal Signal
</flux:button> </flux:button>
@endif @endif
@if($meetup->simplex) @if($meetup->simplex)
<flux:button href="{{ $meetup->simplex }}" target="_blank" variant="ghost" <flux:button href="{{ $meetup->simplex }}" target="_blank" rel="noopener noreferrer" variant="ghost"
class="justify-start"> class="justify-start">
<flux:icon.chat-bubble-oval-left-ellipsis class="w-5 h-5 mr-2"/> <flux:icon.chat-bubble-oval-left-ellipsis class="w-5 h-5 mr-2"/>
SimpleX SimpleX
routes/api.php
+4 -2
View File
@@ -11,7 +11,7 @@ use App\Models\User;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route; use Illuminate\Support\Facades\Route;
Route::middleware([]) Route::middleware(['throttle:60,1'])
->as('api.') ->as('api.')
->group(function () { ->group(function () {
Route::resource('countries', CountryController::class); Route::resource('countries', CountryController::class);
@@ -22,7 +22,9 @@ Route::middleware([])
Route::resource('cities', CityController::class); Route::resource('cities', CityController::class);
Route::resource('venues', VenueController::class); Route::resource('venues', VenueController::class);
Route::get('highscores', [HighscoreController::class, 'index'])->name('highscores.index'); Route::get('highscores', [HighscoreController::class, 'index'])->name('highscores.index');
Route::post('highscores', [HighscoreController::class, 'store'])->name('highscores.store'); Route::post('highscores', [HighscoreController::class, 'store'])
->middleware('throttle:10,1')
->name('highscores.store');
Route::get('nostrplebs', function () { Route::get('nostrplebs', function () {
return User::query() return User::query()
->select([ ->select([
routes/web.php
+2 -2
View File
@@ -43,12 +43,12 @@ Route::livewire('/kaninchenbau', FollowTheRabbit::class)
// Generic image handler route that serves images from storage // Generic image handler route that serves images from storage
Route::get('/img/{path}', ImageController::class) Route::get('/img/{path}', ImageController::class)
->where('path', '.*') ->where('path', '[A-Za-z0-9._\-/]+')
->name('img'); ->name('img');
// Public image handler route for serving public images // Public image handler route for serving public images
Route::get('/img-public/{path}', ImageController::class) Route::get('/img-public/{path}', ImageController::class)
->where('path', '.*') ->where('path', '[A-Za-z0-9._\-/]+')
->name('imgPublic'); ->name('imgPublic');
// Welcome page route using Volt component // Welcome page route using Volt component