fix: bloquer les appels de fonctions PHP dangereuses dans les templates email

Ajout des fonctions dangereuses (system, exec, file_get_contents, env, etc.)
et des superglobales dans dangerous_content_patterns() pour empêcher
l'injection de code via les expressions Blade {{ }}.

Author: FR-MaximeDev

app/functions.php

@@ -432,9 +432,13 @@ function dangerous_content_patterns(): array
             '/\?>/i',
             '/@php\b/i',
             '/@endphp\b/i',
+            '/@shell\b/i',
             '/\{\!\!.*?\!\!\}/s',
             '/@(include|extends|component|each|includeIf|includeWhen|includeFirst)\s*\(/i',
             '/@(yield|section|stack|push|prepend)\s*\(/i',
+            '/\b(?:env|exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec|eval|assert|preg_replace|create_function|require|unlink|fopen|file_get_contents|file_put_contents|file|readfile|base64_decode|gzinflate|gzuncompress|gzdecode|gzcompress|gzdeflate|gzencode|ini_set|set_time_limit|error_reporting|ini_get|ini_restore|ini_alter|unserialize|serialize|var_dump|print_r|debug_backtrace|debug_print_backtrace|dump|die|exit|phpinfo|php_uname|getenv|get_current_user|getmyuid|getmygid|getmypid|getmyinode|getlastmod|getprotobyname|getprotobynumber|getservbyname|getservbyport)\s*\(/i',
+            '/\$(?:_ENV|_SERVER|_GET|_POST|_REQUEST|_SESSION|_COOKIE)\b/i',
+            '/\.env\b/i',
         ];
     }
 }

tests/Feature/Admin/Personalization/EmailTemplateControllerTest.php

@@ -73,6 +73,46 @@ public function test_email_template_update()
         $response->assertStatus(302);
     }
 
+    public function test_email_template_store_rejects_dangerous_function_calls()
+    {
+        $data = [
+            'name' => 'Test Template',
+            'subject' => 'Test Subject',
+            'content' => "{{ system('id') }}",
+            'button_text' => 'Test Button',
+            'hidden' => false,
+            'locale' => 'fr_FR',
+        ];
+
+        $response = $this->performAdminAction('POST', route('admin.personalization.email_templates.store'), $data);
+
+        $response->assertStatus(302);
+        $response->assertSessionHas('error');
+        $this->assertDatabaseMissing('email_templates', ['name' => 'Test Template']);
+    }
+
+    public function test_email_template_update_rejects_dangerous_function_calls()
+    {
+        $this->seed(EmailTemplateSeeder::class);
+        $emailTemplate = EmailTemplate::first();
+
+        $data = [
+            'name' => 'Updated Template',
+            'subject' => 'Updated Subject',
+            'content' => "{{ file_get_contents('.env') }}",
+            'button_text' => 'Updated Button',
+            'hidden' => true,
+            'locale' => 'fr_FR',
+        ];
+
+        $response = $this->performAdminAction('PUT', route('admin.personalization.email_templates.update', $emailTemplate), $data);
+
+        $response->assertStatus(302);
+        $response->assertSessionHas('error');
+        $this->assertDatabaseMissing('email_templates', ['id' => $emailTemplate->id, 'content' => "{{ file_get_contents('.env') }}"]);
+    }
+
+
     public function test_email_template_delete()
     {
         $this->seed(EmailTemplateSeeder::class);