From 1f55d96580ef9294a09b71bdbcf995f93f8f3008 Mon Sep 17 00:00:00 2001
From: Ollama
Date: Sat, 7 Mar 2026 20:09:12 +0000
Subject: [PATCH] Fix mass assignment vulnerability in bulk edit (GHSA-49mq-h2g4-grr9)

The bulk edit function iterated over all $_POST keys without a whitelist, allowing authenticated users to inject arbitrary database columns (e.g., cost_price, deleted, item_type) into the update query. This bypassed CodeIgniter 4's $allowedFields protection since Query Builder was used directly.

Fix: Add ALLOWED_BULK_EDIT_FIELDS constant to Item model defining the explicit whitelist of fields that can be bulk-updated. Use this constant in the controller instead of iterating over $_POST directly.

Fields allowed: name, category, supplier_id, cost_price, unit_price, reorder_level, description, allow_alt_description, is_serialized

Security impact: High (CVSS 8.1) - Could allow price manipulation and data integrity violations.
---
 app/Controllers/Items.php | 12 ++++++------
 app/Models/Item.php | 12 ++++++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/app/Controllers/Items.php b/app/Controllers/Items.php
index 5d9088b99..8bf7914cb 100644
--- a/app/Controllers/Items.php
+++ b/app/Controllers/Items.php
@@ -876,12 +876,12 @@ class Items extends Secure_Controller
 $items_to_update = $this->request->getPost('item_ids');
 $item_data = [];
 
- foreach ($_POST as $key => $value) {
- // This field is nullable, so treat it differently
- if ($key === 'supplier_id' && $value !== '') {
- $item_data[$key] = $value;
- } elseif ($value !== '' && !(in_array($key, ['item_ids', 'tax_names', 'tax_percents']))) {
- $item_data[$key] = $value;
+ foreach (Item::ALLOWED_BULK_EDIT_FIELDS as $field) {
+ $value = $this->request->getPost($field);
+ if ($field === 'supplier_id' && $value !== '') {
+ $item_data[$field] = $value;
+ } elseif ($value !== null && $value !== '') {
+ $item_data[$field] = $value;
 }
 }
 
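Review bot: The `supplier_id` branch now writes `null` into `$item_data` whenever that field is absent from the request, because `getPost()` returns `null` for a missing key and `null !== ''` holds; under the old `$_POST` loop an absent key was never visited, so a bulk edit request that omits `supplier_id` would now clear the supplier on every selected item. The two branches differ only in that null check, so collapsing them to `if ($value !== null && $value !== '') { $item_data[$field] = $value; }` restores the previous behaviour and removes the dead special case. If the nullable handling for `supplier_id` is still intended, the removed comment (`// This field is nullable, so treat it differently`) is worth keeping next to the whitelist loop so the next reader knows why it is singled out. `getPost()` can also return an array when a whitelisted field is posted in array form, so an `is_scalar($value)` guard before the assignment would keep non-scalar values out of the update. The enclosing method starts before and continues after this hunk.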
diff --git a/app/Models/Item.php b/app/Models/Item.php
index adeabfb01..0d21edaaa 100644
--- a/app/Models/Item.php
+++ b/app/Models/Item.php
@@ -16,6 +16,18 @@ use stdClass;
 */
 class Item extends Model
 {
+ public const ALLOWED_BULK_EDIT_FIELDS = [
+ 'name',
+ 'category',
+ 'supplier_id',
+ 'cost_price',
+ 'unit_price',
+ 'reorder_level',
+ 'description',
+ 'allow_alt_description',
+ 'is_serialized'
+ ];
+
 protected $table = 'items';
 protected $primaryKey = 'item_id';
 protected $useAutoIncrement = true;
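Review bot: The new public constant has no docblock, and nothing ties it to the `$allowedFields` list the commit message says was bypassed, so the two can drift apart silently as columns are added to the model. A short docblock would make the contract explicit: `/** Columns the bulk-edit action may write; must stay a subset of $allowedFields. @var list<string> */`. Style: a trailing comma after `'is_serialized'` keeps future additions to a one-line diff. `$allowedFields` itself is outside this hunk, so whether every listed column is present in it cannot be checked here.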