mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-08 00:59:04 -05:00
690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
64 lines
2.5 KiB
XML
64 lines
2.5 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<phpunit
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.5/phpunit.xsd"
|
|
bootstrap="vendor/codeigniter4/framework/system/Test/bootstrap.php"
|
|
backupGlobals="false"
|
|
beStrictAboutOutputDuringTests="true"
|
|
colors="true"
|
|
columns="max"
|
|
failOnRisky="true"
|
|
failOnWarning="true"
|
|
cacheDirectory="build/.phpunit.cache">
|
|
<coverage
|
|
includeUncoveredFiles="true"
|
|
pathCoverage="false"
|
|
ignoreDeprecatedCodeUnits="true"
|
|
disableCodeCoverageIgnore="true">
|
|
<report>
|
|
<clover outputFile="build/logs/clover.xml"/>
|
|
<html outputDirectory="build/logs/html"/>
|
|
<php outputFile="build/logs/coverage.serialized"/>
|
|
<text outputFile="php://stdout" showUncoveredFiles="false"/>
|
|
</report>
|
|
</coverage>
|
|
<testsuites>
|
|
<testsuite name="App">
|
|
<directory>./tests</directory>
|
|
</testsuite>
|
|
</testsuites>
|
|
<logging>
|
|
<testdoxHtml outputFile="build/logs/testdox.html"/>
|
|
<testdoxText outputFile="build/logs/testdox.txt"/>
|
|
<junit outputFile="build/logs/logfile.xml"/>
|
|
</logging>
|
|
<source>
|
|
<include>
|
|
<directory suffix=".php">./app</directory>
|
|
</include>
|
|
<exclude>
|
|
<directory suffix=".php">./app/Views</directory>
|
|
<file>./app/Config/Routes.php</file>
|
|
</exclude>
|
|
</source>
|
|
<php>
|
|
<server name="app.baseURL" value="http://example.com/"/>
|
|
<server name="CODEIGNITER_SCREAM_DEPRECATIONS" value="0"/>
|
|
<!-- Directory containing phpunit.xml -->
|
|
<const name="HOMEPATH" value="./"/>
|
|
<!-- Directory containing the Paths config file -->
|
|
<const name="CONFIGPATH" value="./app/Config/"/>
|
|
<!-- Directory containing the front controller (index.php) -->
|
|
<const name="PUBLICPATH" value="./public/"/>
|
|
<!-- Database configuration -->
|
|
<!-- Uncomment to provide your own database for testing
|
|
<env name="database.tests.hostname" value="localhost"/>
|
|
<env name="database.tests.database" value="tests"/>
|
|
<env name="database.tests.username" value="tests_user"/>
|
|
<env name="database.tests.password" value=""/>
|
|
<env name="database.tests.DBDriver" value="MySQLi"/>
|
|
<env name="database.tests.DBPrefix" value="tests_"/>
|
|
-->
|
|
</php>
|
|
</phpunit>
|