Merge pull request #2 from iranpsc/security-bugfixes

theAwmin · web-flow · commit d96142605f0a · 2026-01-29T19:23:32.000+03:30
chore: update PHP and Laravel dependencies, enhance file upload secur…
diff --git a/app/Http/Controllers/FileUploadController.php b/app/Http/Controllers/FileUploadController.php
@@ -7,6 +7,8 @@
 use Pion\Laravel\ChunkUpload\Exceptions\UploadMissingFileException;
 use Pion\Laravel\ChunkUpload\Handler\HandlerFactory;
 use Illuminate\Http\UploadedFile;
+use Illuminate\Support\Facades\Validator;
+use App\Rules\SecureFile;
 
 class FileUploadController extends Controller
 {
@@ -58,6 +60,16 @@ public function upload(Request $request)
      */
     protected function saveFile(UploadedFile $file)
     {
+        $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'zip', 'rar', 'pdf', 'doc', 'docx', 'fbx', 'obj', 'blend', 'stl', 'gltf', 'glb'];
+
+        $validator = Validator::make(['file' => $file], [
+            'file' => ['required', 'file', new SecureFile($allowedExtensions)],
+        ]);
+
+        if ($validator->fails()) {
+            abort(422, $validator->errors()->first());
+        }
+
         $fileName = $this->createFilename($file);
         $fileSize = $this->formatSizeUnits($file->getSize());
         // Group files by mime type
@@ -88,7 +100,8 @@ protected function saveFile(UploadedFile $file)
     protected function createFilename(UploadedFile $file)
     {
         $extension = $file->getClientOriginalExtension();
-        $filename = str_replace("." . $extension, "", $file->getClientOriginalName()); // Filename without extension
+        $originalName = pathinfo($file->getClientOriginalName(), PATHINFO_FILENAME);
+        $filename = \Illuminate\Support\Str::slug($originalName);
 
         // Add timestamp hash to name of the file
         $filename .= "_" . md5(time()) . "." . $extension;
diff --git a/app/Http/Middleware/Admin.php b/app/Http/Middleware/Admin.php
@@ -16,7 +16,7 @@ class Admin
     public function handle(Request $request, Closure $next): Response
     {
         if (! $request->user()->hasRole('admin')) {
-            abort(404);
+            return redirect()->back()->with('error', 'شما اجازه دسترسی به این صفحه را ندارید.');
         }
 
         return $next($request);
diff --git a/app/Imports/ProductImport.php b/app/Imports/ProductImport.php
@@ -200,6 +200,12 @@ private function createImages(\App\Models\Product $product, array $images): void
      */
     private function createFile(\App\Models\Product $product, string $filePath): void
     {
+        // Security check: prevent path traversal
+        if (strpos($filePath, '..') !== false) {
+             Log::warning("Skipping file creation for product {$product->id} due to invalid path: {$filePath}");
+             return;
+        }
+
         $product->file()->updateOrCreate(
             ['product_id' => $product->id],
             ['path' => $filePath]
diff --git a/app/Livewire/Forms/CreateProductForm.php b/app/Livewire/Forms/CreateProductForm.php
@@ -106,7 +106,21 @@ public function save()
             mkdir(storage_path('app/' . $uploadPath), 0777, true);
         }
 
+        // Security check for file path traversal
+        $inputPath = $this->fbx_file['path'] . $this->fbx_file['name'];
+        if (strpos($inputPath, '..') !== false || strpos($this->fbx_file['path'], 'upload/') !== 0) {
+            $this->addError('fbx_file', 'Invalid file path.');
+            return;
+        }
+
         $originalPath = storage_path('app/' . $this->fbx_file['path'] . $this->fbx_file['name']);
+
+        // Verify the file exists and is inside the upload directory
+        if (!file_exists($originalPath) || !str_starts_with(realpath($originalPath), storage_path('app/upload'))) {
+             $this->addError('fbx_file', 'File not found or invalid path.');
+             return;
+        }
+
         $newPath = storage_path('app/' . $uploadPath . '/' . $this->fbx_file['name']);
 
         rename($originalPath, $newPath);
diff --git a/app/Livewire/Forms/UpdateProduct.php b/app/Livewire/Forms/UpdateProduct.php
@@ -148,7 +148,21 @@ public function update()
                 mkdir(storage_path('app/' . $uploadPath), 0777, true);
             }
 
+            // Security check for file path traversal
+            $inputPath = $this->fbx_file['path'] . $this->fbx_file['name'];
+            if (strpos($inputPath, '..') !== false || strpos($this->fbx_file['path'], 'upload/') !== 0) {
+                $this->addError('fbx_file', 'Invalid file path.');
+                return;
+            }
+
             $originalPath = storage_path('app/' . $this->fbx_file['path'] . $this->fbx_file['name']);
+
+             // Verify the file exists and is inside the upload directory
+            if (!file_exists($originalPath) || !str_starts_with(realpath($originalPath), storage_path('app/upload'))) {
+                 $this->addError('fbx_file', 'File not found or invalid path.');
+                 return;
+            }
+
             $newPath = storage_path('app/' . $uploadPath . '/' . $this->fbx_file['name']);
 
             // Move the file to the new path
diff --git a/app/Livewire/Support/CreateTicket.php b/app/Livewire/Support/CreateTicket.php
@@ -16,12 +16,15 @@ class CreateTicket extends Component
     public $attachment;
     public $priority = 'medium';
 
-    protected $rules = [
-        'title' => 'required|string|min:3|max:255',
-        'message' => 'required|string|min:3|max:5000',
-        'attachment' => 'nullable|file|mimes:pdf,jpg,jpeg,png|max:1024',
-        'priority' => 'required|in:low,medium,high'
-    ];
+    public function rules()
+    {
+        return [
+            'title' => 'required|string|min:3|max:255',
+            'message' => 'required|string|min:3|max:5000',
+            'attachment' => ['nullable', 'file', 'max:1024', new \App\Rules\SecureFile(['pdf', 'jpg', 'jpeg', 'png'])],
+            'priority' => 'required|in:low,medium,high'
+        ];
+    }
 
     public function createTicket()
     {
diff --git a/app/Models/Category.php b/app/Models/Category.php
@@ -49,7 +49,7 @@ public function getBreadcrumbAttribute()
     {
         $this->loadMissing('parent');
 
-        $url = '<a href="' . url('categories/' . $this->url) . '">' . $this->name . '</a>';
+        $url = '<a href="' . url('categories/' . $this->url) . '">' . e($this->name) . '</a>';
 
         return $this->parent ? $this->parent->breadcrumb . ' / ' . $url : $url;
     }
diff --git a/app/Models/Order.php b/app/Models/Order.php
@@ -10,7 +10,12 @@ class Order extends Model
 {
     use HasFactory, HasUuids;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'user_id',
+        'amount',
+        'status',
+        'tracking_id',
+    ];
 
     /**
      * The data type of the primary key ID.
diff --git a/app/Models/OrderItem.php b/app/Models/OrderItem.php
@@ -9,7 +9,11 @@ class OrderItem extends Model
 {
     use HasFactory;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'order_id',
+        'product_id',
+        'quantity',
+    ];
 
     public $timestamps = false;
 
diff --git a/app/Models/Transaction.php b/app/Models/Transaction.php
@@ -9,7 +9,18 @@ class Transaction extends Model
 {
     use HasFactory;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'order_id',
+        'authority',
+        'amount',
+        'currency',
+        'status',
+        'card_hash',
+        'card_pan',
+        'fee_type',
+        'fee',
+        'reference_id',
+    ];
 
     /**
      * Casts properties
diff --git a/app/Rules/SecureFile.php b/app/Rules/SecureFile.php
@@ -0,0 +1,126 @@
+<?php
+
+namespace App\Rules;
+
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Http\UploadedFile;
+
+class SecureFile implements ValidationRule
+{
+    protected $allowedExtensions;
+    protected $maxSize; // in Kilobytes
+
+    /**
+     * @param array $allowedExtensions List of allowed file extensions (e.g. ['jpg', 'png'])
+     * @param int|null $maxSize Max size in KB (optional, but recommended if not handled elsewhere)
+     */
+    public function __construct(array $allowedExtensions = [], int $maxSize = null)
+    {
+        $this->allowedExtensions = array_map('strtolower', $allowedExtensions);
+        $this->maxSize = $maxSize;
+    }
+
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if (!$value instanceof UploadedFile) {
+            $fail('The :attribute must be a valid file.');
+            return;
+        }
+
+        // 1. Check upload errors
+        if ($value->getError() !== UPLOAD_ERR_OK) {
+            $fail("The :attribute failed to upload (Error code: {$value->getError()}).");
+            return;
+        }
+
+        // 2. Check Size (if configured)
+        if ($this->maxSize && $value->getSize() > $this->maxSize * 1024) {
+             $fail("The :attribute must not be greater than {$this->maxSize} kilobytes.");
+             return;
+        }
+
+        $extension = strtolower($value->getClientOriginalExtension());
+        $filename = $value->getClientOriginalName();
+
+        // 3. Allowed Extensions Whitelist
+        if (!empty($this->allowedExtensions)) {
+            if (!in_array($extension, $this->allowedExtensions)) {
+                $fail("The :attribute extension (.$extension) is not allowed.");
+                return;
+            }
+        }
+
+        // 4. Double Extension & Forbidden Filename Check
+        // Prevents bypassing Apache/Nginx rules (e.g., shell.php.jpg, .htaccess)
+        if (preg_match('/\.(php|phtml|phar|pl|py|cgi|asp|aspx|jsp|exe|sh|bat|cmd|vbs|htaccess|htpasswd)\./i', $filename)) {
+            $fail('The :attribute filename contains forbidden characters or extensions.');
+            return;
+        }
+
+        // 5. Null Byte Injection
+        if (strpos($filename, "\0") !== false || strpos($value->getRealPath(), "\0") !== false) {
+             $fail('The :attribute contains invalid characters.');
+             return;
+        }
+
+        // 6. MIME Type & Magic Bytes Check
+        // We trust getMimeType() which uses fileinfo (magic bytes)
+        $mime = $value->getMimeType();
+
+        // Strict mapping for common types to prevent content-type spoofing
+        $strictMimeMap = [
+            'jpg' => ['image/jpeg', 'image/pjpeg'],
+            'jpeg' => ['image/jpeg', 'image/pjpeg'],
+            'png' => ['image/png'],
+            'gif' => ['image/gif'],
+            'webp' => ['image/webp'],
+            'pdf' => ['application/pdf'],
+            'zip' => ['application/zip', 'application/x-zip-compressed', 'multipart/x-zip'],
+            'txt' => ['text/plain'],
+        ];
+
+        if (isset($strictMimeMap[$extension])) {
+            if (!in_array($mime, $strictMimeMap[$extension])) {
+                $fail("The :attribute content type ($mime) does not match its extension (.$extension).");
+                return;
+            }
+        }
+
+        // 7. Malicious Content Scan (Polyglot / Webshell detection)
+        // We scan for PHP tags and suspicious script tags embedded in the file.
+        // This is crucial for "valid" images that contain PHP code.
+
+        // Only scan if the file is reasonable size to avoid memory exhaustion (e.g. < 10MB)
+        // If larger, we assume server execution policies prevent it, or scan chunks.
+        if ($value->getSize() < 10 * 1024 * 1024) {
+            try {
+                $content = file_get_contents($value->getRealPath());
+
+                $blacklist = [
+                    '<?php',
+                    '<?=',
+                    '<script language="php">',
+                ];
+
+                // If it's an image, also check for JS injection
+                if (in_array($extension, ['jpg', 'jpeg', 'png', 'gif', 'webp', 'bmp'])) {
+                    $blacklist[] = '<script';
+                    $blacklist[] = 'javascript:';
+                    $blacklist[] = 'vbscript:';
+                }
+
+                foreach ($blacklist as $pattern) {
+                    if (stripos($content, $pattern) !== false) {
+                        $fail('The :attribute contains malicious code or forbidden patterns.');
+                        return;
+                    }
+                }
+            } catch (\Exception $e) {
+                // If we can't read the file, fail safe
+                $fail('The :attribute could not be scanned for security.');
+                return;
+            }
+        }
+    }
+}
diff --git a/composer.json b/composer.json
@@ -5,9 +5,9 @@
     "keywords": ["laravel", "framework"],
     "license": "MIT",
     "require": {
-        "php": "^8.1",
+        "php": "^8.2",
         "guzzlehttp/guzzle": "^7.2",
-        "laravel/framework": "^11.0",
+        "laravel/framework": "^12.0",
         "laravel/sanctum": "^4.0",
         "laravel/tinker": "^2.8",
         "livewire/livewire": "^3.1",
@@ -28,7 +28,7 @@
         "laravel/sail": "^1.18",
         "mockery/mockery": "^1.4.4",
         "nunomaduro/collision": "^8.1",
-        "phpunit/phpunit": "^10.1",
+        "phpunit/phpunit": "^11.0",
         "spatie/laravel-ignition": "^2.0"
     },
     "autoload": {
diff --git a/composer.lock b/composer.lock
diff --git a/resources/views/livewire/product-details.blade.php b/resources/views/livewire/product-details.blade.php
diff --git a/routes/web.php b/routes/web.php

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ class Admin`
`16`	`16`	`public function handle(Request $request, Closure $next): Response`
`17`	`17`	`{`
`18`	`18`	`if (! $request->user()->hasRole('admin')) {`
`19`		`- abort(404);`
	`19`	`+ return redirect()->back()->with('error', 'شما اجازه دسترسی به این صفحه را ندارید.');`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`return $next($request);`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ public function getBreadcrumbAttribute()`
`49`	`49`	`{`
`50`	`50`	`$this->loadMissing('parent');`
`51`	`51`
`52`		`- $url = '<a href="' . url('categories/' . $this->url) . '">' . $this->name . '</a>';`
	`52`	`+ $url = '<a href="' . url('categories/' . $this->url) . '">' . e($this->name) . '</a>';`
`53`	`53`
`54`	`54`	`return $this->parent ? $this->parent->breadcrumb . ' / ' . $url : $url;`
`55`	`55`	`}`