einundzwanzig-app/bootstrap/app.php
Claude d46c0161fe security: medium-severity fixes (proxies, ssrf, uploads, lnurl, github_data)
- Trust the Forge reverse proxy and force https URLs in production so
  generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
  loopback / private (RFC1918) addresses to close an SSRF vector in
  FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
  create/edit components: explicit mimes whitelist (jpeg, png, webp),
  max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
  updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
  the whitelisted keys (top, left, state) with strict type coercion to
  prevent storing arbitrary attacker-controlled JSON.
2026-05-03 12:57:57 +00:00


<?php
use App\Http\Middleware\DomainMiddleware;
use App\Http\Middleware\SetTimezone;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;
use Stefro\LaravelLangCountry\Middleware\LangCountrySession;
// HTTP middleware registration for the kernel.
$registerMiddleware = static function (Middleware $middleware): void {
    // NOTE(review): '*' trusts the X-Forwarded-* headers (client IP, scheme, host, port)
    // from *every* upstream address, so those values are only trustworthy if the PHP
    // app is reachable exclusively through the reverse proxy and never directly.
    // Where the proxy's address(es) are known, narrow this to them
    // (e.g. at: ['<proxy ip or cidr>']) and pass `headers:` limited to the headers the
    // proxy actually sets — confirm against the deployment before changing.
    $middleware->trustProxies(at: '*');

    // Appended to the "web" group; order is preserved as listed.
    $middleware->web(append: [
        DomainMiddleware::class,
        LangCountrySession::class,
        SetTimezone::class,
    ]);
};

// Renders requests for stale versioned Livewire asset bundles as an empty 404
// instead of an error page; every other exception falls through (null).
$renderStaleLivewireAsset = static function (Throwable $e, Request $request) {
    // Only paths like "livewire-<hex>/css/…" or "livewire-<hex>/js/…" are considered.
    $isLivewireAssetPath = preg_match('#^livewire-[a-f0-9]+/(?:css|js)/#', $request->path()) === 1;
    if (! $isLivewireAssetPath) {
        return null; // default exception rendering
    }

    // Exception messages that indicate the referenced asset no longer exists.
    $stalePatterns = [
        'does not have a style source',
        'does not have a global style source',
        'does not have a script source',
        'Style file not found',
        'Global style file not found',
        'Script file not found',
    ];

    $message = $e->getMessage();
    $matched = array_filter(
        $stalePatterns,
        static fn (string $pattern): bool => str_contains($message, $pattern),
    );

    return $matched === [] ? null : response('', 404);
};

// Application bootstrap: routing (including the unauthenticated "/up" health route),
// middleware, and exception rendering.
return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware($registerMiddleware)
    ->withExceptions(static function (Exceptions $exceptions) use ($renderStaleLivewireAsset): void {
        $exceptions->render($renderStaleLivewireAsset);
    })
    ->create();