einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-05 04:54:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: medium-severity fixes (proxies, ssrf, uploads, lnurl, github_data)

Browse Source 
- Trust the Forge reverse proxy and force https URLs in production so
  generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
  loopback / private (RFC1918) addresses to close an SSRF vector in
  FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
  create/edit components: explicit mimes whitelist (jpeg, png, webp),
  max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
  updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
  the whitelisted keys (top, left, state) with strict type coercion to
  prevent storing arbitrary attacker-controlled JSON.
This commit is contained in:
Claude
2026-05-03 12:57:57 +00:00
parent 9b81f6cd92
commit d46c0161fe
10 changed files with 92 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/LnurlAuthController.php
+4 -8
View File
@@ -154,14 +154,10 @@ final class LnurlAuthController extends Controller
*/ */
private function ensureLoginKeyExists(string $k1, int $userId): void private function ensureLoginKeyExists(string $k1, int $userId): void
{ {
$loginKey = LoginKey::where('k1', $k1)->first(); LoginKey::query()->updateOrCreate(
['k1' => $k1],
if (! $loginKey) { ['user_id' => $userId],
LoginKey::create([ );
'k1' => $k1,
'user_id' => $userId,
]);
}
} }
/** /**
app/Jobs/FetchNostrProfileJob.php
+44
View File
@@ -133,6 +133,15 @@ class FetchNostrProfileJob implements ShouldQueue
private function downloadAndSaveProfilePhoto(User $user, string $photoUrl): void private function downloadAndSaveProfilePhoto(User $user, string $photoUrl): void
{ {
if (!$this->isPublicHttpUrl($photoUrl)) {
\Log::warning('Refused to download Nostr profile photo from disallowed URL', [
'user_id' => $user->id,
'url' => $photoUrl,
]);
return;
}
try { try {
// Download the image from the URL // Download the image from the URL
$response = Http::timeout(10)->get($photoUrl); $response = Http::timeout(10)->get($photoUrl);
@@ -178,6 +187,41 @@ class FetchNostrProfileJob implements ShouldQueue
} }
} }
/**
* Reject URLs that are not http(s) or that resolve to a private/loopback
* address, to prevent SSRF when fetching arbitrary profile photo URLs.
*/
private function isPublicHttpUrl(string $url): bool
{
$parts = parse_url($url);
if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
return false;
}
if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
return false;
}
$host = $parts['host'];
$ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
if (empty($ips)) {
return false;
}
foreach ($ips as $ip) {
if (!filter_var(
$ip,
FILTER_VALIDATE_IP,
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
)) {
return false;
}
}
return true;
}
private function getImageExtension(?string $contentType, string $url): string private function getImageExtension(?string $contentType, string $url): string
{ {
// Try to get extension from content type // Try to get extension from content type
app/Providers/AppServiceProvider.php
+5
View File
@@ -12,6 +12,7 @@ use Illuminate\Support\Facades\Date;
use Illuminate\Support\Facades\Event; use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\RateLimiter; use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route; use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider; use Illuminate\Support\ServiceProvider;
use Laravel\Nightwatch\Facades\Nightwatch; use Laravel\Nightwatch\Facades\Nightwatch;
use Laravel\Nightwatch\Http\Middleware\Sample; use Laravel\Nightwatch\Http\Middleware\Sample;
@@ -36,6 +37,10 @@ class AppServiceProvider extends ServiceProvider
{ {
$this->configureRateLimiting(); $this->configureRateLimiting();
if ($this->app->environment('production')) {
URL::forceScheme('https');
}
Livewire::setUpdateRoute(function ($handle) { Livewire::setUpdateRoute(function ($handle) {
return Route::post('/livewire/update', $handle) return Route::post('/livewire/update', $handle)
->middleware(['web', Sample::rate(0)]); ->middleware(['web', Sample::rate(0)]);
bootstrap/app.php
+2
View File
@@ -16,6 +16,8 @@ return Application::configure(basePath: dirname(__DIR__))
health: '/up', health: '/up',
) )
->withMiddleware(function (Middleware $middleware) { ->withMiddleware(function (Middleware $middleware) {
$middleware->trustProxies(at: '*');
$middleware->web(append: [ $middleware->web(append: [
DomainMiddleware::class, DomainMiddleware::class,
LangCountrySession::class, LangCountrySession::class,
resources/views/livewire/courses/create.blade.php
+1 -1
View File
@@ -14,7 +14,7 @@ class extends Component {
use WithFileUploads; use WithFileUploads;
use SeoTrait; use SeoTrait;
#[Validate('image|max:10240')] // 10MB Max #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
public $logo; public $logo;
public string $name = ''; public string $name = '';
resources/views/livewire/courses/edit.blade.php
+1 -1
View File
@@ -16,7 +16,7 @@ class extends Component {
use WithFileUploads; use WithFileUploads;
use SeoTrait; use SeoTrait;
#[Validate('image|max:10240')] // 10MB Max #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
public $logo; public $logo;
public Course $course; public Course $course;
resources/views/livewire/lecturers/create.blade.php
+1 -1
View File
@@ -13,7 +13,7 @@ class extends Component {
use WithFileUploads; use WithFileUploads;
use SeoTrait; use SeoTrait;
#[Validate('image|max:10240')] // 10MB Max #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
public $avatar; public $avatar;
public string $name = ''; public string $name = '';
resources/views/livewire/lecturers/edit.blade.php
+1 -1
View File
@@ -15,7 +15,7 @@ class extends Component {
use WithFileUploads; use WithFileUploads;
use SeoTrait; use SeoTrait;
#[Validate('image|max:10240')] // 10MB Max #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
public $avatar; public $avatar;
public Lecturer $lecturer; public Lecturer $lecturer;
resources/views/livewire/meetups/create.blade.php
+1 -1
View File
@@ -15,7 +15,7 @@ class extends Component {
use WithFileUploads; use WithFileUploads;
use SeoTrait; use SeoTrait;
#[Validate('image|max:10240')] // 10MB Max #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
public $logo; public $logo;
// Basic Information // Basic Information
resources/views/livewire/meetups/edit.blade.php
+32 -12
View File
@@ -17,7 +17,7 @@ class extends Component {
use WithFileUploads; use WithFileUploads;
use SeoTrait; use SeoTrait;
#[Validate('image|max:10240')] // 10MB Max #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
public $logo; public $logo;
public Meetup $meetup; public Meetup $meetup;
@@ -90,6 +90,35 @@ class extends Component {
} }
} }
/**
* Whitelist the keys allowed inside github_data and coerce types so a
* tampered payload cannot smuggle arbitrary keys into the stored JSON.
*/
protected function sanitizeGithubData(?string $raw): ?array
{
if (empty($raw)) {
return null;
}
$decoded = json_decode($raw, true);
if (!is_array($decoded)) {
return null;
}
$clean = [];
if (array_key_exists('top', $decoded) && (is_string($decoded['top']) || is_numeric($decoded['top']))) {
$clean['top'] = (string) $decoded['top'];
}
if (array_key_exists('left', $decoded) && (is_string($decoded['left']) || is_numeric($decoded['left']))) {
$clean['left'] = (string) $decoded['left'];
}
if (array_key_exists('state', $decoded) && is_string($decoded['state'])) {
$clean['state'] = mb_substr($decoded['state'], 0, 64);
}
return $clean === [] ? null : $clean;
}
public function mount(): void public function mount(): void
{ {
$this->authorizeAccess(); $this->authorizeAccess();
@@ -140,19 +169,10 @@ class extends Component {
'simplex' => ['nullable', 'string', 'max:255'], 'simplex' => ['nullable', 'string', 'max:255'],
'signal' => ['nullable', 'string', 'max:255'], 'signal' => ['nullable', 'string', 'max:255'],
'community' => ['required', 'string', 'max:255'], 'community' => ['required', 'string', 'max:255'],
'github_data' => ['nullable', 'json'],
]); ]);
// Convert github_data string back to array if provided $validated['github_data'] = $this->sanitizeGithubData($validated['github_data'] ?? null);
if (!empty($validated['github_data'])) {
$decoded = json_decode($validated['github_data'], true);
if (json_last_error() === JSON_ERROR_NONE) {
$validated['github_data'] = $decoded;
} else {
$validated['github_data'] = null;
}
} else {
$validated['github_data'] = null;
}
$this->meetup->update($validated); $this->meetup->update($validated);