security: fix critical and high vulnerabilities — v0.4.1

CRITICAL:
- InstallController: add isInstalled() guard to setupEnvironment() and setupDatabase() POST handlers
- CsvImportController: block path traversal — enforce csv-imports/ prefix on file_path
- API login: add throttle:10,1 rate limiting
- CORS: disable supports_credentials (was wildcard+credentials — invalid/risky combination)

HIGH:
- API routes: add role:Admin to audit-log/event-log endpoints
- API routes: add role:Supervisor|Admin to analytics/reports endpoints
- SettingsController: fix IDOR — verify token ownership before revocation
- UpdateController: wrap exec() path in escapeshellarg()
- ActionExecutor: block SSRF in webhook forwarding — reject private/loopback/metadata IPs
- Web login: add throttle:10,1 rate limiting
- composer: update league/commonmark to patched version (XSS bypass fix)
- package.json: add overrides for rollup and picomatch (HIGH severity advisories)

Author: jakub-przepiora

backend/app/Http/Controllers/InstallController.php

@@ -83,6 +83,10 @@ public function showEnvironmentForm()
      */
     public function setupEnvironment(Request $request)
     {
+        if ($this->isInstalled()) {
+            return redirect('/');
+        }
+
         $validated = $request->validate([
             'app_name' => 'required|string|max:255',
             'app_url'  => 'required|url',
@@ -135,6 +139,10 @@ public function showDatabaseForm()
      */
     public function setupDatabase(Request $request)
     {
+        if ($this->isInstalled()) {
+            return redirect('/');
+        }
+
         $driver = $request->input('db_driver', 'pgsql');
 
         if (!array_key_exists($driver, self::DB_DRIVERS)) {

backend/app/Http/Controllers/Web/Admin/CsvImportController.php

@@ -103,7 +103,10 @@ public function process(Request $request)
             'production_year' => 'nullable|integer|min:2000|max:2100',
         ]);
 
-        $filePath       = $request->input('file_path');
+        $filePath = $request->input('file_path');
+        if (!str_starts_with($filePath, 'csv-imports/')) {
+            abort(422, 'Invalid file path.');
+        }
         $strategy       = $request->input('import_strategy');
         $mapping        = $request->input('mapping');
         $targetLineId   = $request->input('target_line_id');

backend/app/Http/Controllers/Web/Admin/UpdateController.php

@@ -63,7 +63,7 @@ public function apply(): RedirectResponse
         // 1. git pull
         $gitOutput = [];
         $gitStatus = 0;
-        exec("cd {$root} && git pull origin main 2>&1", $gitOutput, $gitStatus);
+        exec('cd ' . escapeshellarg($root) . ' && git pull origin main 2>&1', $gitOutput, $gitStatus);
         $log[] = implode("\n", $gitOutput);
 
         if ($gitStatus !== 0) {
@@ -75,7 +75,7 @@ public function apply(): RedirectResponse
 
         // 2. composer install
         $composerOutput = [];
-        exec("cd {$root} && composer install --no-dev --optimize-autoloader 2>&1", $composerOutput);
+        exec('cd ' . escapeshellarg($root) . ' && composer install --no-dev --optimize-autoloader 2>&1', $composerOutput);
         $log[] = implode("\n", $composerOutput);
 
         // 3. artisan

backend/app/Http/Controllers/Web/SettingsController.php

@@ -131,6 +131,11 @@ public function createApiToken(Request $request)
      */
     public function revokeApiToken(Request $request, PersonalAccessToken $token)
     {
+        abort_if(
+            $token->tokenable_id !== auth()->id() || $token->tokenable_type !== get_class(auth()->user()),
+            403
+        );
+
         $token->delete();
 
         return redirect()->route('settings.api-tokens')

backend/app/Services/Connectivity/ActionExecutor.php

@@ -246,6 +246,26 @@ private function webhookForward(array $params, array $data): array
             throw new \RuntimeException("Invalid or missing webhook URL");
         }
 
+        // Block SSRF — reject requests to private/loopback/metadata addresses
+        $host = parse_url($url, PHP_URL_HOST);
+        if ($host) {
+            $ip = gethostbyname($host);
+            if (filter_var($ip, FILTER_VALIDATE_IP)) {
+                foreach ([
+                    FILTER_FLAG_NO_PRIV_RANGE,
+                    FILTER_FLAG_NO_RES_RANGE,
+                ] as $flag) {
+                    if (!filter_var($ip, FILTER_VALIDATE_IP, $flag)) {
+                        throw new \RuntimeException("Webhook URL resolves to a private/reserved address");
+                    }
+                }
+                // Block AWS/GCP/Azure metadata endpoints explicitly
+                if (in_array($ip, ['169.254.169.254', '169.254.170.2', '100.100.100.200'])) {
+                    throw new \RuntimeException("Webhook URL resolves to a private/reserved address");
+                }
+            }
+        }
+
         $response = Http::withHeaders($headers)
             ->timeout(5)
             ->{$method}($url, $data);

backend/composer.lock

@@ -29,6 +29,6 @@
 
     'max_age' => 0,
 
-    'supports_credentials' => true,
+    'supports_credentials' => false,
 
 ];

backend/config/cors.php

@@ -1,5 +1,5 @@
 <?php
 
 return [
-    'current' => 'v0.4.0',
+    'current' => 'v0.4.1',
 ];

backend/config/version.php

@@ -17,5 +17,9 @@
     "dependencies": {
         "alpinejs": "^3.15.8",
         "chart.js": "^4.5.1"
+    },
+    "overrides": {
+        "rollup": "^4.29.1",
+        "picomatch": "^4.0.2"
     }
 }

backend/package.json

@@ -33,7 +33,7 @@
 
 // Authentication routes (no auth required)
 Route::prefix('auth')->group(function () {
-    Route::post('/login', [AuthController::class, 'login']);
+    Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:10,1');
     Route::post('/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum');
     Route::post('/refresh', [AuthController::class, 'refresh'])->middleware('auth:sanctum');
     Route::post('/change-password', [AuthController::class, 'changePassword'])->middleware('auth:sanctum');
@@ -85,25 +85,29 @@
     Route::post('/csv-import-mappings', [CsvImportController::class, 'saveMapping']);
 
     // Audit Logs (Admin only)
-    Route::get('/audit-logs', [AuditLogController::class, 'index']);
-    Route::get('/audit-logs/entity', [AuditLogController::class, 'entity']);
-    Route::get('/audit-logs/export', [AuditLogController::class, 'export']);
+    Route::middleware('role:Admin')->group(function () {
+        Route::get('/audit-logs', [AuditLogController::class, 'index']);
+        Route::get('/audit-logs/entity', [AuditLogController::class, 'entity']);
+        Route::get('/audit-logs/export', [AuditLogController::class, 'export']);
 
-    // Event Logs
-    Route::get('/event-logs', [EventLogController::class, 'index']);
-    Route::get('/event-logs/entity', [EventLogController::class, 'entity']);
+        // Event Logs
+        Route::get('/event-logs', [EventLogController::class, 'index']);
+        Route::get('/event-logs/entity', [EventLogController::class, 'entity']);
+    });
 
-    // Analytics (Supervisor Dashboard)
-    Route::get('/analytics/overview', [AnalyticsController::class, 'overview']);
-    Route::get('/analytics/production-by-line', [AnalyticsController::class, 'productionByLine']);
-    Route::get('/analytics/cycle-time', [AnalyticsController::class, 'cycleTime']);
-    Route::get('/analytics/throughput', [AnalyticsController::class, 'throughput']);
-    Route::get('/analytics/issue-stats', [AnalyticsController::class, 'issueStats']);
-    Route::get('/analytics/step-performance', [AnalyticsController::class, 'stepPerformance']);
+    // Analytics (Supervisor/Admin)
+    Route::middleware('role:Supervisor|Admin')->group(function () {
+        Route::get('/analytics/overview', [AnalyticsController::class, 'overview']);
+        Route::get('/analytics/production-by-line', [AnalyticsController::class, 'productionByLine']);
+        Route::get('/analytics/cycle-time', [AnalyticsController::class, 'cycleTime']);
+        Route::get('/analytics/throughput', [AnalyticsController::class, 'throughput']);
+        Route::get('/analytics/issue-stats', [AnalyticsController::class, 'issueStats']);
+        Route::get('/analytics/step-performance', [AnalyticsController::class, 'stepPerformance']);
 
-    // Reports (Supervisor/Admin)
-    Route::get('/reports/production-summary', [ReportController::class, 'productionSummary']);
-    Route::get('/reports/batch-completion', [ReportController::class, 'batchCompletion']);
-    Route::get('/reports/downtime', [ReportController::class, 'downtimeReport']);
-    Route::get('/reports/export-csv', [ReportController::class, 'exportCsv']);
+        // Reports
+        Route::get('/reports/production-summary', [ReportController::class, 'productionSummary']);
+        Route::get('/reports/batch-completion', [ReportController::class, 'batchCompletion']);
+        Route::get('/reports/downtime', [ReportController::class, 'downtimeReport']);
+        Route::get('/reports/export-csv', [ReportController::class, 'exportCsv']);
+    });
 });