mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-05-18 13:28:32 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): whitelist and validate invoice template types (#4393)

Browse Source 
- Add whitelist validation for invoice_type to prevent path traversal and LFI
- Validate invoice_type against allowed values in Sale_lib
- Sanitize invoice_type input in Config controller before saving
- Default to 'invoice' template for invalid types

Security: Prevents arbitrary file inclusion via user-controlled invoice_type config
This commit is contained in:
jekkos
2026-03-06 13:18:47 +01:00
committed by GitHub
parent b1819b3b36
commit 31d25e06dc
3 changed files with 23 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/Controllers/Config.php
View File

@@ -942,7 +942,9 @@ class Config extends Secure_Controller
'work_order_enable' => $this->request->getPost('work_order_enable') != null, 'work_order_enable' => $this->request->getPost('work_order_enable') != null,
'work_order_format' => $this->request->getPost('work_order_format'), 'work_order_format' => $this->request->getPost('work_order_format'),
'last_used_work_order_number' => $this->request->getPost('last_used_work_order_number', FILTER_SANITIZE_NUMBER_INT), 'last_used_work_order_number' => $this->request->getPost('last_used_work_order_number', FILTER_SANITIZE_NUMBER_INT),
'invoice_type' => $this->request->getPost('invoice_type') 'invoice_type' => Sale_lib::isValidInvoiceType($this->request->getPost('invoice_type'))
? $this->request->getPost('invoice_type')
: 'invoice'
]; ];
$success = $this->appconfig->batch_save($batch_save_data); $success = $this->appconfig->batch_save($batch_save_data);

10
app/Controllers/Sales.php
View File

@@ -755,8 +755,11 @@ class Sales extends Secure_Controller
$data['sale_status'] = COMPLETED; $data['sale_status'] = COMPLETED;
$sale_type = SALE_TYPE_INVOICE; $sale_type = SALE_TYPE_INVOICE;
// The PHP file name is the same as the invoice_type key $invoice_type = $this->config['invoice_type'];
$invoice_view = $this->config['invoice_type']; if (!Sale_lib::isValidInvoiceType($invoice_type)) {
$invoice_type = 'invoice';
}
$invoice_view = $invoice_type;
// Save the data to the sales table // Save the data to the sales table
$data['sale_id_num'] = $this->sale->save_value($sale_id, $data['sale_status'], $data['cart'], $customer_id, $employee_id, $data['comments'], $invoice_number, $work_order_number, $quote_number, $sale_type, $data['payments'], $data['dinner_table'], $tax_details); $data['sale_id_num'] = $this->sale->save_value($sale_id, $data['sale_status'], $data['cart'], $customer_id, $employee_id, $data['comments'], $invoice_number, $work_order_number, $quote_number, $sale_type, $data['payments'], $data['dinner_table'], $tax_details);
@@ -1107,6 +1110,9 @@ class Sales extends Secure_Controller
} }
$invoice_type = $this->config['invoice_type']; $invoice_type = $this->config['invoice_type'];
if (!Sale_lib::isValidInvoiceType($invoice_type)) {
$invoice_type = 'invoice';
}
$data['invoice_view'] = $invoice_type; $data['invoice_view'] = $invoice_type;
return $data; return $data;

15
app/Libraries/Sale_lib.php
View File

@@ -88,9 +88,13 @@ class Sale_lib
return $register_modes; return $register_modes;
} }
/** private const ALLOWED_INVOICE_TYPES = [
* @return array 'invoice',
*/ 'tax_invoice',
'custom_invoice',
'custom_tax_invoice'
];
public function get_invoice_type_options(): array public function get_invoice_type_options(): array
{ {
$invoice_types = []; $invoice_types = [];
@@ -101,6 +105,11 @@ class Sale_lib
return $invoice_types; return $invoice_types;
} }
public static function isValidInvoiceType(string $invoice_type): bool
{
return in_array($invoice_type, self::ALLOWED_INVOICE_TYPES, true);
}
/** /**
* @return array * @return array
*/ */