Skip to content

Fix security vulnerabilities#532

Merged
baimard merged 1 commit into
masterfrom
codex/corrige-les-vulnerabilites-de-securite
Jun 30, 2026
Merged

Fix security vulnerabilities#532
baimard merged 1 commit into
masterfrom
codex/corrige-les-vulnerabilites-de-securite

Conversation

@baimard

@baimard baimard commented Jun 30, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Address application-level security issues found during static review and dependency scans by hardening request handling and output encoding.
  • Prevent CSRF on state-changing endpoints while keeping read-only endpoints functional.
  • Eliminate simple stored/reflected XSS in the configuration UI and reduce risk of SQL identifier manipulation via stricter allow-list checks.

Description

  • Re-enabled Nextcloud CSRF protection by removing @NoCSRFRequired from state-changing controller endpoints such as update, insertClient, insertDevis, insertProduit, insertFacture, duplicate, delete, drop, setCurrentCompany and backup (changed files: lib/Controller/*.php).
  • Escaped shared-user display names and UIDs in the configuration template using htmlspecialchars before rendering and injecting into data-uid to prevent HTML injection (changed file: templates/content/configuration.php).
  • Made allow-list checks strict by using in_array(..., true) for table/column validation before composing SQL identifiers to reduce type-coercion risks (changed file: lib/Db/Bdd.php).
  • Minor code tidy: removed an empty docblock in AdminController to keep docblocks consistent (changed file: lib/Controller/AdminController.php).

Testing

  • composer validate --no-check-publish completed successfully.
  • PHP syntax checks (php -l) passed for all modified PHP files.
  • ./vendor/bin/phpunit --configuration phpunit.xml.dist could not be run because vendor/bin/phpunit is not present in this workspace.
  • npm run build reached webpack but failed due to the build environment blocking access to an external Google Fonts URL (Less loader error), and npm audit / composer audit --locked were blocked by 403 Forbidden responses from external registries in this environment.

Codex Task

@baimard baimard merged commit eece614 into master Jun 30, 2026
2 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

public function insertDevis() {

P1 Badge Add request tokens to protected add calls

Removing @NoCSRFRequired here makes this POST require Nextcloud's request token, but the UI caller in src/js/objects/devis.js:50-52 still posts without any requesttoken header, so creating a quote from the normal UI will be rejected by CSRF protection. The same missing-token pattern exists for /insertProduitDevis in src/js/listener/main_listener.js:131-136 and the XHR insert methods for clients, products, and invoices, so please add the token headers or route these calls through the existing token-aware helper before enabling CSRF checks.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant