fix(security): fix SQL injection in updatePaymetToPaid, OTP random_int, static IV encryption, storage mismatch

2026-06-17 06:31:13 +03:00
parent 8c6dea5d96
commit 0ceb67ee56
7 changed files with 100 additions and 33 deletions
--- a/backend/auth/token_passenger/driver/send_otp_driver.php
+++ b/backend/auth/token_passenger/driver/send_otp_driver.php
@@ -3,7 +3,7 @@
 require_once __DIR__ . '/../../../connect.php';

 /* 1) توليد رمز التحقق (3 خانات) --------------------------------------------------- */
-$otp      = (string)rand(100, 999);
+$otp      = (string)random_int(100, 999);
 $receiver = filterRequest("receiver");

 if (empty($receiver)) {
@@ -69,6 +69,11 @@ if ($sentOK) {
        ");
        $stmt->execute([$receiver_enc, $otp_enc, $exp, $now]);

+        // Also save to Redis for verify_otp compatibility
+        if ($redis) {
+            $redis->setex("otp:driver:$receiver", 300, $otp);
+        }
+
        jsonSuccess(null, 'OTP sent and saved successfully');

    } catch (PDOException $e) {
@@ -76,12 +81,6 @@ if ($sentOK) {
    }

 } else {
-    $errMsg = $decoded['message'] ?? 'Unknown error';
-    jsonError('Failed to send OTP: ' . $errMsg);
+    jsonError('Failed to send OTP');
 }
-
-/* -----------------------------------------------------------------------
- * أبقينا callAPI() فقط إذا كان يُستخدم في ملفات أخرى – احذفه إن شئت.
- * --------------------------------------------------------------------- */
-function callAPI($method, $url, $data) { /* … */ }
 ?>
--- a/backend/auth/token_passenger/send_otp.php
+++ b/backend/auth/token_passenger/send_otp.php
@@ -3,7 +3,7 @@
 require_once __DIR__ . '/../../connect.php';

 /* 1) توليد رمز التحقق (3 خانات) */
-$otp      = (string)rand(100, 999);
+$otp      = (string)random_int(100, 999);
 $receiver = filterRequest("receiver");

 if (empty($receiver)) {
@@ -50,7 +50,7 @@ $decoded = json_decode((string)$res, true);
 $sentOK = ($httpCode === 200 && ($decoded['success'] ?? false));

 if ($sentOK) {
-    /* 3) تشفير البيانات وحفظ الرمز في قاعدة البيانات */
+    /* 3) حفظ الرمز في Redis + قاعدة البيانات */
    $receiver_enc = $encryptionHelper->encryptData($receiver);
    $otp_enc      = $encryptionHelper->encryptData($otp);

@@ -58,6 +58,7 @@ if ($sentOK) {
    $now = date('Y-m-d H:i:s');

    try {
+        // Save to MySQL
        $con->prepare("DELETE FROM token_verification WHERE phone_number = ?")
            ->execute([$receiver_enc]);

@@ -68,6 +69,11 @@ if ($sentOK) {
        ");
        $stmt->execute([$receiver_enc, $otp_enc, $exp, $now]);

+        // Also save to Redis for verify_otp.php compatibility
+        if ($redis) {
+            $redis->setex("otp:passenger:$receiver", 300, $otp);
+        }
+
        jsonSuccess(null, 'OTP sent and saved successfully');

    } catch (PDOException $e) {
@@ -76,11 +82,6 @@ if ($sentOK) {

 } else {
    $errMsg = $decoded['message'] ?? 'Unknown error';
-    jsonError('Failed to send OTP: ' . $errMsg);
+    jsonError('Failed to send OTP');
 }
-
-/* -----------------------------------------------------------------
- * يمكن حذف callAPI() تمامًا إن لم يعد مستخدمًا في أي ملف آخر.
- * ---------------------------------------------------------------- */
-function callAPI($method, $url, $data) { /* … (أبقِها أو احذفها) */ }
 ?>
--- a/backend/auth/token_passenger/verify_otp.php
+++ b/backend/auth/token_passenger/verify_otp.php
@@ -30,7 +30,7 @@ try {

    $cachedOtp = $redis->get("otp:passenger:$phoneNumber");

-    if ($cachedOtp && $cachedOtp == $otp) {
+    if ($cachedOtp && $cachedOtp === $otp) {
        // ننجح في التحقق ونحذف المفتاح من Redis لمنع استخدامه مرة أخرى (One-time use)
        $redis->del("otp:passenger:$phoneNumber");
        
--- a/backend/core/Security/EncryptionHelper.php
+++ b/backend/core/Security/EncryptionHelper.php
@@ -64,14 +64,25 @@ class EncryptionHelper
    }

    // ─── تشفير/فك تشفير Binary (صور، ملفات) ───────────────
+    // تُستخدم الـ GCM مع IV عشوائي (كما في encryptData)
    public function encryptBinary(string $data): string
    {
-        return openssl_encrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
+        $iv = random_bytes(self::IV_LEN_GCM);
+        $tag = '';
+        $encrypted = openssl_encrypt($data, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag, "", self::TAG_LEN);
+        return base64_encode($iv . $tag . $encrypted);
    }

    public function decryptBinary(string $data): string|false
    {
-        return openssl_decrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
+        $raw = base64_decode($data, true);
+        if ($raw === false || strlen($raw) < self::IV_LEN_GCM + self::TAG_LEN) return false;
+
+        $iv     = substr($raw, 0, self::IV_LEN_GCM);
+        $tag    = substr($raw, self::IV_LEN_GCM, self::TAG_LEN);
+        $cipher = substr($raw, self::IV_LEN_GCM + self::TAG_LEN);
+
+        return openssl_decrypt($cipher, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
    }

    // --------- دوال الـ Padding للـ CBC ----------
--- a/backend/encrypt_decrypt.php
+++ b/backend/encrypt_decrypt.php
@@ -49,8 +49,9 @@ class EncryptionHelper {
    public function encryptData($plainText) {
        $plainText = mb_convert_encoding($plainText, 'UTF-8');
        $paddedText = $this->addPadding($plainText);
-        $encrypted = openssl_encrypt($paddedText, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
-        return base64_encode($encrypted);
+        $iv = random_bytes(16);
+        $encrypted = openssl_encrypt($paddedText, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
+        return base64_encode($iv . $encrypted);
    }

    public function decryptData($encryptedText) {
@@ -61,6 +62,22 @@ class EncryptionHelper {
        return false;
    }

+    // محاولة أولى: استخراج IV عشوائي من أول 16 بايت
+    if (strlen($decoded) >= 16) {
+        $iv = substr($decoded, 0, 16);
+        $payload = substr($decoded, 16);
+
+        $decrypted = openssl_decrypt($payload, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
+
+        if ($decrypted !== false) {
+            $pad = ord($decrypted[strlen($decrypted) - 1]);
+            if ($pad >= 1 && $pad <= 16) {
+                return substr($decrypted, 0, -$pad);
+            }
+        }
+    }
+
+    // محاولة ثانية: IV ثابت (للبيانات القديمة)
    $decrypted = openssl_decrypt($decoded, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);

    if ($decrypted === false) {
@@ -68,7 +85,6 @@ class EncryptionHelper {
        return false;
    }

-    // Verify padding is valid before removal
    $pad = ord($decrypted[strlen($decrypted) - 1]);
    if ($pad < 1 || $pad > 16) {
        error_log("[ERROR] Invalid padding value ($pad) for decrypted input: $encryptedText");
@@ -95,13 +111,23 @@ class EncryptionHelper {
        return true;
    }
  public function encryptBinary($data) {
-    $encrypted = openssl_encrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
-    return $encrypted;
+    $iv = random_bytes(16);
+    $encrypted = openssl_encrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
+    return $iv . $encrypted;
 	}

 	public function decryptBinary($data) {
+    if (strlen($data) >= 16) {
+        $iv = substr($data, 0, 16);
+        $payload = substr($data, 16);
+        $decrypted = openssl_decrypt($payload, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
+        if ($decrypted !== false) {
+            return $decrypted;
+        }
+    }
+
+    // للبيانات القديمة ذات IV الثابت
    $decrypted = openssl_decrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
-    // CRIT-07 FIX: التحقق من فشل openssl_decrypt
    if ($decrypted === false) {
        error_log('[CRIT-07] openssl_decrypt failed in decryptBinary');
        throw new Exception('Decryption failed');