From 968d850b9df186e66964e5437fad0caf6f0103ae Mon Sep 17 00:00:00 2001
From: Ollama
Date: Wed, 3 Jun 2026 20:47:18 +0200
Subject: [PATCH] fix(security): Fix DOMPDF RCE and customer email sanitization

- Disable isPhpEnabled in DOMPDF to prevent RCE via embedded PHP in HTML
- Disable isRemoteEnabled to prevent SSRF attacks
- Add email validation and sanitization in CSV import (FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL)
- Reject invalid email formats during customer import
---
 app/Controllers/Customers.php | 9 ++++++++-
 app/Helpers/dompdf_helper.php | 9 +++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/app/Controllers/Customers.php b/app/Controllers/Customers.php
index b4adfb455..dd4492270 100644
--- a/app/Controllers/Customers.php
+++ b/app/Controllers/Customers.php
@@ -419,7 +419,14 @@ class Customers extends Persons
             $consent = $data[3] == '' ? 0 : 1;
 
             if (sizeof($data) >= 16 && $consent) {
-                $email = strtolower($data[4]);
+                $email = filter_var(strtolower($data[4]), FILTER_SANITIZE_EMAIL);
+
+                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
+                    $failCodes[] = 'Row ' . $i . ': Invalid email format';
+                    $i++;
+                    continue;
+                }
+
                 $person_data = [
                     'first_name' => $data[0],
                     'last_name' => $data[1],
diff --git a/app/Helpers/dompdf_helper.php b/app/Helpers/dompdf_helper.php
index 3baf0a5ea..fcd9a3c1f 100644
--- a/app/Helpers/dompdf_helper.php
+++ b/app/Helpers/dompdf_helper.php
@@ -5,8 +5,13 @@
  */
 function create_pdf(string $html, string $filename = ''): string
 {
-    // Need to enable magic quotes for the
-    $dompdf = new Dompdf\Dompdf(['isRemoteEnabled' => true, 'isPhpEnabled' => true]);
+    // Security: Disable PHP execution in PDFs to prevent RCE attacks
+    // Security: Disable remote file access to prevent SSRF attacks
+    // Only local files referenced in HTML are allowed
+    $dompdf = new Dompdf\Dompdf([
+        'isRemoteEnabled' => false,
+        'isPhpEnabled' => false
+    ]);
     $dompdf->loadHtml(str_replace(['\n', '\r'], '', $html));
     $dompdf->render();
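Review bot: Sanitising before validating, on the added lines `$email = filter_var(strtolower($data[4]), FILTER_SANITIZE_EMAIL);` and `if (!filter_var($email, FILTER_VALIDATE_EMAIL))`, means the check runs on an altered string: FILTER_SANITIZE_EMAIL silently strips disallowed characters, so a malformed cell can be rewritten into a different, valid-looking address and imported instead of rejected. Validate the cell as supplied (after trimming whitespace) and drop the sanitise step, e.g. `$email = strtolower(trim($data[4]));` followed by `if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {`. The `$i++` before `continue` presumably mirrors a row-counter increment at the end of the loop body; that body and the enclosing method continue outside the hunk, so confirm the counter is not advanced twice on the rejected-row path. The `'Row ' . $i . ': Invalid email format'` message is a hard-coded English string, which may not match how other entries in `$failCodes` are produced elsewhere in the file.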