mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-08 00:59:04 -05:00
690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
162 lines
4.2 KiB
PHP
162 lines
4.2 KiB
PHP
<?php
|
|
|
|
namespace App\Controllers;
|
|
|
|
use App\Models\Employee;
|
|
use App\Models\Module;
|
|
use CodeIgniter\HTTP\ResponseInterface;
|
|
use CodeIgniter\Model;
|
|
use CodeIgniter\Session\Session;
|
|
use Config\OSPOS;
|
|
use Config\Services;
|
|
|
|
/**
|
|
* Controllers that are considered secure extend Secure_Controller, optionally a $module_id can
|
|
* be set to also check if a user can access a particular module in the system.
|
|
*
|
|
* @property employee employee
|
|
* @property module module
|
|
* @property array global_view_data
|
|
* @property session session
|
|
*
|
|
*/
|
|
class Secure_Controller extends BaseController
|
|
{
|
|
public array $global_view_data;
|
|
protected Employee $employee;
|
|
protected Module $module;
|
|
protected Session $session;
|
|
|
|
/**
|
|
* @param string $module_id
|
|
* @param string|null $submodule_id
|
|
* @param string|null $menu_group
|
|
*/
|
|
public function __construct(string $module_id = '', ?string $submodule_id = null, ?string $menu_group = null)
|
|
{
|
|
$this->employee = model(Employee::class);
|
|
$this->module = model(Module::class);
|
|
$config = config(OSPOS::class)->settings;
|
|
$validation = Services::validation();
|
|
|
|
if (!$this->employee->is_logged_in()) {
|
|
header("Location:" . base_url('login'));
|
|
exit();
|
|
}
|
|
|
|
$logged_in_employee_info = $this->employee->get_logged_in_employee_info();
|
|
if (
|
|
!$this->employee->has_module_grant($module_id, $logged_in_employee_info->person_id)
|
|
|| (isset($submodule_id) && !$this->employee->has_module_grant($submodule_id, $logged_in_employee_info->person_id))
|
|
) {
|
|
header("Location:" . base_url("no_access/$module_id/$submodule_id"));
|
|
exit();
|
|
}
|
|
|
|
// Load up global global_view_data visible to all the loaded views
|
|
$this->session = session();
|
|
if ($menu_group == null) {
|
|
$menu_group = $this->session->get('menu_group');
|
|
} else {
|
|
$this->session->set('menu_group', $menu_group);
|
|
}
|
|
|
|
$allowed_modules = $menu_group == 'home'
|
|
? $this->module->get_allowed_home_modules($logged_in_employee_info->person_id)
|
|
: $this->module->get_allowed_office_modules($logged_in_employee_info->person_id);
|
|
|
|
$this->global_view_data = [];
|
|
foreach ($allowed_modules->getResult() as $module) {
|
|
$this->global_view_data['allowed_modules'][] = $module;
|
|
}
|
|
|
|
$this->global_view_data += [
|
|
'user_info' => $logged_in_employee_info,
|
|
'controller_name' => $module_id,
|
|
'config' => $config
|
|
];
|
|
view('viewData', $this->global_view_data);
|
|
}
|
|
|
|
public function sanitizeSortColumn($headers, $field, $default): string
|
|
{
|
|
return $field != null && in_array($field, array_keys(array_merge(...$headers))) ? $field : $default;
|
|
}
|
|
|
|
/**
|
|
* AJAX function used to confirm whether values sent in the request are numeric
|
|
* @return ResponseInterface
|
|
* @noinspection PhpUnused
|
|
*/
|
|
public function getCheckNumeric(): ResponseInterface
|
|
{
|
|
foreach ($this->request->getGet() as $value) {
|
|
if (parse_decimals($value) === false) {
|
|
return $this->response->setJSON('false');
|
|
}
|
|
}
|
|
return $this->response->setJSON('true');
|
|
}
|
|
|
|
/**
|
|
* @param $key
|
|
* @return mixed|void
|
|
*/
|
|
public function getConfig($key)
|
|
{
|
|
if (isset($config[$key])) {
|
|
return $config[$key];
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @return false
|
|
*/
|
|
public function getIndex()
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @return false
|
|
*/
|
|
public function getSearch()
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @return false
|
|
*/
|
|
public function suggest_search()
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @param int $data_item_id
|
|
* @return false
|
|
*/
|
|
public function getView(int $data_item_id = -1)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @param int $data_item_id
|
|
* @return false
|
|
*/
|
|
public function postSave(int $data_item_id = -1)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @return false
|
|
*/
|
|
public function postDelete()
|
|
{
|
|
return false;
|
|
}
|
|
}
|