opensourcepos/app/Models
Ollama 1f55d96580 Fix mass assignment vulnerability in bulk edit (GHSA-49mq-h2g4-grr9)
The bulk edit function iterated over all $_POST keys without a whitelist,
allowing authenticated users to inject arbitrary database columns (e.g.,
cost_price, deleted, item_type) into the update query. This bypassed
CodeIgniter 4's $allowedFields protection since Query Builder was used
directly.

Fix: Add ALLOWED_BULK_EDIT_FIELDS constant to Item model defining the
explicit whitelist of fields that can be bulk-updated. Use this constant
in the controller instead of iterating over $_POST directly.

Fields allowed: name, category, supplier_id, cost_price, unit_price,
reorder_level, description, allow_alt_description, is_serialized

Security impact: High (CVSS 8.1) - Could allow price manipulation and
data integrity violations.
2026-03-08 22:49:12 +01:00
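
The pattern the commit message describes, as an added example that is not the project's own code: a POST-driven column map next to one driven by the whitelist. The constant name and field list come from the commit message; the helper names, the `item_ids` selector key and the sample request are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Field list as given in the commit message.
const ALLOWED_BULK_EDIT_FIELDS = [
    'name', 'category', 'supplier_id', 'cost_price', 'unit_price',
    'reorder_level', 'description', 'allow_alt_description', 'is_serialized',
];

// Unfiltered pattern (hypothetical helper): every POST key becomes a column name.
function bulk_edit_data_unfiltered(array $post): array
{
    $data = [];
    foreach ($post as $column => $value) {
        if ($value !== '') {
            $data[$column] = $value;
        }
    }
    return $data;
}

// Whitelisted pattern (hypothetical helper): iterate the constant, not the request.
// Returns [columns to update, request keys that were dropped].
// $ignored lists non-column form keys (assumed here: the row selector 'item_ids').
function bulk_edit_data_whitelisted(array $post, array $ignored = ['item_ids']): array
{
    $data = [];
    foreach (ALLOWED_BULK_EDIT_FIELDS as $field) {
        // is_scalar() also drops array-valued parameters such as field[]=x.
        if (isset($post[$field]) && is_scalar($post[$field]) && $post[$field] !== '') {
            $data[$field] = $post[$field];
        }
    }
    $rejected = array_diff(array_keys($post), ALLOWED_BULK_EDIT_FIELDS, $ignored);
    return [$data, array_values($rejected)];
}

// Constructed request body: one listed field plus two columns outside the list.
$post = ['item_ids' => '3,4', 'category' => 'Tools', 'deleted' => '1', 'item_type' => '2'];

// Compare the column maps each helper would hand to the update query.
print_r(bulk_edit_data_unfiltered($post));
[$data, $rejected] = bulk_edit_data_whitelisted($post);
print_r($data);
// Dropped keys are a useful tampering signal to log alongside the user id.
print_r($rejected);
```

Because the query is built outside the model's `$allowedFields` check, the whitelist has to be enforced at the point where request keys are turned into column names.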