Fix security vulnerabilities#532
Conversation
There was a problem hiding this comment.
💡 Codex Review
Removing @NoCSRFRequired here makes this POST require Nextcloud's request token, but the UI caller in src/js/objects/devis.js:50-52 still posts without any requesttoken header, so creating a quote from the normal UI will be rejected by CSRF protection. The same missing-token pattern exists for /insertProduitDevis in src/js/listener/main_listener.js:131-136 and the XHR insert methods for clients, products, and invoices, so please add the token headers or route these calls through the existing token-aware helper before enabling CSRF checks.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Motivation
Description
@NoCSRFRequiredfrom state-changing controller endpoints such asupdate,insertClient,insertDevis,insertProduit,insertFacture,duplicate,delete,drop,setCurrentCompanyandbackup(changed files:lib/Controller/*.php).htmlspecialcharsbefore rendering and injecting intodata-uidto prevent HTML injection (changed file:templates/content/configuration.php).in_array(..., true)for table/column validation before composing SQL identifiers to reduce type-coercion risks (changed file:lib/Db/Bdd.php).AdminControllerto keep docblocks consistent (changed file:lib/Controller/AdminController.php).Testing
composer validate --no-check-publishcompleted successfully.php -l) passed for all modified PHP files../vendor/bin/phpunit --configuration phpunit.xml.distcould not be run becausevendor/bin/phpunitis not present in this workspace.npm run buildreached webpack but failed due to the build environment blocking access to an external Google Fonts URL (Less loader error), andnpm audit/composer audit --lockedwere blocked by403 Forbiddenresponses from external registries in this environment.Codex Task