fix(security): comprehensive security audit remediations#12
Merged
DavidLambauer merged 18 commits intomainfrom Apr 14, 2026
Merged
fix(security): comprehensive security audit remediations#12DavidLambauer merged 18 commits intomainfrom
DavidLambauer merged 18 commits intomainfrom
Conversation
- Replace str_contains keyword blocking with word-boundary regex - Block UNION, INTO, OUTFILE, DUMPFILE, LOAD_FILE, CALL, SET, PREPARE, EXECUTE - Block SQL comments (/**/, --, #) - Resolve table prefixes via ResourceConnection::getTableName() - Expand blocked columns: token, secret, api_key, passphrase, private_key - Expand blocked tables: integration, email_template, vault_payment_token - Block string extraction functions (SUBSTR, HEX, etc) on core_config_data - Sanitize SQL error messages: return generic errors, don't leak schema info - Add comprehensive tests for all new bypass protections Fixes #2, Fixes #5, Fixes #6, Fixes #10
- 100 requests per hour per admin user - Uses Magento cache with TTL-based sliding window - Logs rate limit violations with admin ID Fixes #4
Add sha384 integrity hash and crossorigin="anonymous" to all Typesense JS CDN script tags across results, autocomplete, category listing, and recommendations templates. Fixes #7
- Log all SQL queries before execution (info level) - Log blocked queries with reason (warning level) - Log execution errors with query context (error level) - All logs truncated to 500 chars for safety Fixes #8
Prevents resource exhaustion from expensive queries. Logs timeout events with elapsed time and iteration count. Fixes #9
…r Save Save controller should only handle POST requests. GET functionality is already provided by the Load controller. Removing dual interface ensures proper CSRF protection for all Save requests. Fixes #11
…tructor - Replace nullsafe ?-> with explicit null check for _auth->getUser() - Pass ResourceConnection mock to SqlSandbox in DescribeDatabaseToolTest
DavidLambauer
force-pushed
the
fix/security-audit-remediations
branch
from
e78fcc4 to
2e576d5
Compare
CacheInterface::load() PHPDoc return type makes ?: operator unreachable. Use explicit false check instead.
PHPStan fixes (3 errors): - Use array condition for addFieldToFilter in CustomerDataBuilder and OrderDataBuilder - Remove stale @param $entityIds PHPDoc in SystemConfigDataBuilder Unit test error fixes (18 errors): - CustomerDataBuilderTest: use getMockBuilder with addMethods for magic __call getters - CustomerDataBuilderTest: return plain string from getRegion instead of RegionInterface mock - OrderDataBuilderTest: use getMockBuilder with addMethods for methods not on OrderInterface Unit test failure fixes (32 failures): - Fix int vs float assertSame across 16 tool test files (JSON roundtrip makes whole floats into ints) - Fix AdminConversationModelManagerTest max_bytes: 16384 -> 65536 to match implementation
- CustomerDataBuilderTest: move getId and getAddresses to onlyMethods (exist on Customer) - OrderDataBuilderTest: move interface-declared methods to onlyMethods, keep magic methods in addMethods
…on OrderInterface
… 274 abstract methods
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Comprehensive security audit and remediation of the TypeSense Magento 2 extension, addressing 11 vulnerabilities across 3 severity levels.
Critical Fixes
userandassistantroles allowed,tool_calls/systemmessages strippedstr_containskeyword blocking with word-boundary regex; blocked UNION, INTO OUTFILE, CALL, SET, LOAD_FILE, SQL comments; added table prefix resolutionHigh Fixes
token,secret,api_key,passphrase,private_keycolumns;integration,email_template,vault_payment_tokentablesSUBSTR,HEX, etc.) now blocked oncore_config_dataat validation timeintegrityandcrossoriginattributes to all Typesense CDN script tagsMedium Fixes
HttpGetActionInterfacefrom CategoryMerchandiser Save controllerTest plan
SELECT 1 UNION SELECT * FROM admin_user,SELECT * INTO OUTFILE...,SELECT SUBSTR(value,1,1) FROM core_config_data