mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-07 16:47:03 -05:00
690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
227 lines
7.9 KiB
PHP
227 lines
7.9 KiB
PHP
<?php
|
|
|
|
namespace App\Libraries;
|
|
|
|
use Config\OSPOS;
|
|
use Exception;
|
|
use Picqer\Barcode\BarcodeGeneratorSVG;
|
|
|
|
/**
|
|
* Barcode library
|
|
*
|
|
* Library with utilities to manage barcodes
|
|
*/
|
|
class Barcode_lib
|
|
{
|
|
/**
|
|
* @var array Values from Picqer\Barcode\BarcodeGenerator class. If that class changes, this array will need to be updated.
|
|
*/
|
|
private array $supported_barcodes = [
|
|
'C32' => 'Code 32',
|
|
'C39' => 'Code 39',
|
|
'C39+' => 'Code 39 Checksum',
|
|
'C39E' => 'Code 39E',
|
|
'C39E+' => 'Code 39E Checksum',
|
|
'C93' => 'Code 93',
|
|
'S25' => 'Standard 2 5',
|
|
'S25+' => 'Standard 2 5 Checksum',
|
|
'I25' => 'Interleaved 2 5',
|
|
'I25+' => 'Interleaved 2 5 Checksum',
|
|
'C128' => 'Code 128',
|
|
'C128A' => 'Code 128 A',
|
|
'C128B' => 'Code 128 B',
|
|
'C128C' => 'Code 128 C',
|
|
'EAN2' => 'EAN 2',
|
|
'EAN5' => 'EAN 5',
|
|
'EAN8' => 'EAN 8',
|
|
'EAN13' => 'EAN 13',
|
|
'ITF14' => 'ITF14',
|
|
'UPCA' => 'UPC A',
|
|
'UPCE' => 'UPC E',
|
|
'MSI' => 'Msi',
|
|
'MSI+' => 'MSI Checksum',
|
|
'POSTNET' => 'Postnet',
|
|
'PLANET' => 'Planet',
|
|
'RMS4CC' => 'RMS4CC',
|
|
'KIX' => 'KIX',
|
|
'IMB' => 'IMB',
|
|
'CODABAR' => 'Codabar',
|
|
'CODE11' => 'Code 11',
|
|
'PHARMA' => 'Pharma Code',
|
|
'PHARMA2T' => 'Pharma Code Two Tracks',
|
|
];
|
|
|
|
/**
|
|
* @return array
|
|
*/
|
|
public function get_list_barcodes(): array
|
|
{
|
|
return $this->supported_barcodes;
|
|
}
|
|
|
|
/**
|
|
* @return array
|
|
*/
|
|
public function get_barcode_config(): array
|
|
{
|
|
$config = config(OSPOS::class)->settings;
|
|
|
|
$data['company'] = $config['company'];
|
|
$data['barcode_content'] = $config['barcode_content'];
|
|
$data['barcode_type'] = $config['barcode_type'];
|
|
$data['barcode_font'] = $config['barcode_font'];
|
|
$data['barcode_font_size'] = $config['barcode_font_size'];
|
|
$data['barcode_height'] = $config['barcode_height'];
|
|
$data['barcode_width'] = $config['barcode_width'];
|
|
$data['barcode_first_row'] = $config['barcode_first_row'];
|
|
$data['barcode_second_row'] = $config['barcode_second_row'];
|
|
$data['barcode_third_row'] = $config['barcode_third_row'];
|
|
$data['barcode_num_in_row'] = $config['barcode_num_in_row'];
|
|
$data['barcode_page_width'] = $config['barcode_page_width'];
|
|
$data['barcode_page_cellspacing'] = $config['barcode_page_cellspacing'];
|
|
$data['barcode_generate_if_empty'] = $config['barcode_generate_if_empty'];
|
|
$data['barcode_formats'] = $config['barcode_formats'] !== 'null' ? $config['barcode_formats'] : [];
|
|
|
|
return $data;
|
|
}
|
|
|
|
/**
|
|
* Returns the value to be used in the barcode.
|
|
*
|
|
* @param array $item Contains item data
|
|
* @param array $barcode_config Contains barcode configuration
|
|
* @return string Barcode value
|
|
*/
|
|
private function get_barcode_value(array $item, array $barcode_config): string
|
|
{
|
|
return $barcode_config['barcode_content'] !== 'id'
|
|
? ($item['item_number'] ?? $item['name'])
|
|
: $item['item_id'];
|
|
}
|
|
|
|
/**
|
|
* @param array $item
|
|
* @param array $barcode_config
|
|
* @return string
|
|
*/
|
|
private function generate_barcode(array $item, array $barcode_config): string
|
|
{
|
|
try {
|
|
$generator = new BarcodeGeneratorSVG();
|
|
$barcode_value = $this->get_barcode_value($item, $barcode_config);
|
|
|
|
return $generator->getBarcode($barcode_value, $barcode_config['barcode_type'], 2, $barcode_config['barcode_height']);
|
|
} catch (Exception $e) {
|
|
echo 'Caught exception: ', $e->getMessage(), "\n";
|
|
echo 'Stack trace: ', $e->getTraceAsString();
|
|
|
|
return '';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @param $barcode_content
|
|
* @return string
|
|
*/
|
|
public function generate_receipt_barcode($barcode_content): string
|
|
{
|
|
try {
|
|
$generator = new BarcodeGeneratorSVG();
|
|
return $generator->getBarcode($barcode_content, $generator::TYPE_CODE_128);
|
|
} catch (Exception $e) {
|
|
echo 'Caught exception: ', $e->getMessage(), "\n";
|
|
return '';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Displays the barcode. Called in a View.
|
|
*
|
|
* @param array $item
|
|
* @param array $barcode_config
|
|
* @return string
|
|
*/
|
|
public function display_barcode(array $item, array $barcode_config): string
|
|
{
|
|
if ((isset($item['item_number']) || isset($item['name'])) && isset($item['item_id'])) {
|
|
$barcode = $this->generate_barcode($item, $barcode_config);
|
|
$display_table = '<table>';
|
|
$display_table .= '<tr><td style="text-align: center;">' . $this->manage_display_layout($barcode_config['barcode_first_row'], $item, $barcode_config) . '</td></tr>';
|
|
$display_table .= '<tr><td style="text-align: center;"><div class="barcode">'.$barcode.'</div></td></tr>';
|
|
$display_table .= '<tr><td style="text-align: center;">' . $this->manage_display_layout($barcode_config['barcode_second_row'], $item, $barcode_config) . '</td></tr>';
|
|
$display_table .= '<tr><td style="text-align: center;">' . $this->manage_display_layout($barcode_config['barcode_third_row'], $item, $barcode_config) . '</td></tr>';
|
|
$display_table .= '</table>';
|
|
|
|
return $display_table;
|
|
}
|
|
|
|
return "Item number or Item ID not found in the item array."; // TODO: this needs to be run through the translation engine.
|
|
}
|
|
|
|
/**
|
|
* @param $layout_type
|
|
* @param array $item
|
|
* @param array $barcode_config
|
|
* @return string
|
|
*/
|
|
private function manage_display_layout($layout_type, array $item, array $barcode_config): string
|
|
{
|
|
$result = '';
|
|
helper('text');
|
|
|
|
if ($layout_type == 'name') {
|
|
$result = $item['name'];
|
|
} elseif ($layout_type == 'category' && isset($item['category'])) {
|
|
$result = lang('Items.category') . " " . esc($item['category']);
|
|
} elseif ($layout_type == 'cost_price' && isset($item['cost_price'])) {
|
|
$result = lang('Items.cost_price') . " " . to_currency($item['cost_price']);
|
|
} elseif ($layout_type == 'unit_price' && isset($item['unit_price'])) {
|
|
$result = lang('Items.unit_price') . " " . to_currency($item['unit_price']);
|
|
} elseif ($layout_type == 'company_name') {
|
|
$result = $barcode_config['company'];
|
|
} elseif ($layout_type == 'item_code') {
|
|
$result = $barcode_config['barcode_content'] !== "id" && isset($item['item_number'])
|
|
? $item['item_number']
|
|
: $item['item_id'];
|
|
}
|
|
|
|
return character_limiter($result, 40);
|
|
}
|
|
|
|
/**
|
|
* Finds all acceptable fonts to be used. Called in a View.
|
|
*
|
|
* @param string $folder
|
|
* @return array
|
|
*/
|
|
public function listfonts(string $folder): array // TODO: This function does not follow naming conventions.
|
|
{
|
|
$array = []; // TODO: Naming of this variable should be changed. The variable should never be named the data type. $fonts would be a better name.
|
|
|
|
if (($handle = opendir($folder)) !== false) {
|
|
while (($file = readdir($handle)) !== false) {
|
|
if (str_ends_with($file, '.ttf')) {
|
|
$array[$file] = $file;
|
|
}
|
|
}
|
|
}
|
|
|
|
closedir($handle);
|
|
|
|
array_unshift($array, lang('Config.none'));
|
|
|
|
return $array;
|
|
}
|
|
|
|
/**
|
|
* Returns the name of the font from the file name. Called in a View.
|
|
*
|
|
* @param string $font_file_name
|
|
* @return string
|
|
*/
|
|
public function get_font_name(string $font_file_name): string
|
|
{
|
|
return substr($font_file_name, 0, -4);
|
|
}
|
|
}
|