Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Validate availability slot datetimes (REST and admin form) #42

New Issue
Closed
opened 2026-06-10 18:50:53 +00:00 by thatguygriff · 0 comments
thatguygriff commented 2026-06-10 18:50:53 +00:00
Owner
Copy Link
Copy Source

Finding (security review — Low / robustness)

Both availability creation paths accept arbitrary start_dt / end_dt strings:

  • AvailabilityEndpoint::create() (src/Availability/AvailabilityEndpoint.php) — REST, sanitize_text_field only
  • AvailabilityController::addSlot() (src/Availability/AvailabilityController.php) — admin form (datetime-local inputs, Y-m-d\TH:i)

On the weekly path, new \DateTimeImmutable($startDt) in AvailabilityRepository::createWeeklySeries() throws on garbage → unhandled 500. On the single path the raw string lands in a DATETIME column and MySQL decides what to store. There is also no check that end_dt > start_dt.

Only authenticated instructors reach these paths, so this is robustness/data-integrity more than exploitability.

Fix

Normalise and validate in both paths: accept Y-m-d H:i[:s] and the datetime-local Y-m-d\TH:i[:s] variants, canonicalise to Y-m-d H:i:s, reject anything else and any slot where end <= start (REST → 400; admin form → no-op like the existing empty-field check). Cover with unit tests.

## Finding (security review — Low / robustness) Both availability creation paths accept arbitrary `start_dt` / `end_dt` strings: - `AvailabilityEndpoint::create()` (src/Availability/AvailabilityEndpoint.php) — REST, `sanitize_text_field` only - `AvailabilityController::addSlot()` (src/Availability/AvailabilityController.php) — admin form (`datetime-local` inputs, `Y-m-d\TH:i`) On the weekly path, `new \DateTimeImmutable($startDt)` in `AvailabilityRepository::createWeeklySeries()` throws on garbage → unhandled 500. On the single path the raw string lands in a DATETIME column and MySQL decides what to store. There is also no check that `end_dt > start_dt`. Only authenticated instructors reach these paths, so this is robustness/data-integrity more than exploitability. ## Fix Normalise and validate in both paths: accept `Y-m-d H:i[:s]` and the `datetime-local` `Y-m-d\TH:i[:s]` variants, canonicalise to `Y-m-d H:i:s`, reject anything else and any slot where end <= start (REST → 400; admin form → no-op like the existing empty-field check). Cover with unit tests.
thatguygriff added the bugsecurity labels 2026-06-10 18:50:53 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 enhancement
Extends an existing feature
 feature
New user-facing capability
 payments
Billing, Stripe, receipts, reporting
 security
Security vulnerability or hardening
No Label bug security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
thatguygriff (James Griffin-Allwood)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Unsupervised/unsupervised-scheduler#42
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?