fix(security): add .gitignore, remove PEM keys and debug endpoints from tracking

2026-06-17 06:17:03 +03:00
parent 28d30e3359
commit 9bbda24d4a
15 changed files with 96 additions and 282 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,96 @@
 # ============================================================
 # Siro Project - .gitignore
 # ============================================================
 # --- Environment & Secrets ---
 .env
 .env.*
 !.env.example
 **/*.env
 **/private_key.pem
 **/public_key.pem
 *.pem
 service-account.json
 **/service-account.json
 # --- IDE & OS ---
 .DS_Store
 Thumbs.db
 *.swp
 *.swo
 *~
 .vscode/
 .idea/
 *.iml
 .ruby-lsp/
 .kilo/
 # --- Build Artifacts ---
 node_modules/
 vendor/
 **/vendor/
 build/
 dist/
 *.js.map
 *.css.map
 # --- Flutter/Dart ---
 .dart_tool/
 .packages
 .pub-cache/
 pubspec.lock
 *.g.dart
 **/env.g.dart
 *.freezed.dart
 *.config.dart
 # --- Android ---
 *.apk
 *.aab
 *.dex
 *.class
 *.keystore
 local.properties
 android/.gradle/
 android/captures/
 # --- iOS ---
 *.ipa
 *.dSYM.zip
 *.dSYM
 Pods/
 DerivedData/
 *.xcworkspace
 xcuserdata/
 # --- Composer / PHP ---
 /composer.lock
 **/composer.lock
 # --- Logs ---
 *.log
 logs/
 **/logs/
 # --- Uploads ---
 uploads/
 **/uploads/
 portrate_captain_image/
 card_image/
 imageForUsingApp/
 new_driver_car/
 upload_audio/
 # --- Python ---
 __pycache__/
 *.pyc
 .venv/
 venv/
 # --- Firebase ---
 .google-services.json
 GoogleService-Info.plist
 # --- Audit/Scan Output ---
 semgrep_*.json
 nuclei_results.txt
--- a/backend/Admin/debug/.htaccess
+++ b/backend/Admin/debug/.htaccess
@@ -1,10 +0,0 @@
 # 🔒 SECURITY: Block all access to debug files
 # This directory contains sensitive debugging scripts
 # DO NOT remove this file in production
 <RequireAll>
    Require all denied
 </RequireAll>
 # Alternative for older Apache:
 # Deny from all
--- a/backend/Admin/debug/check_driver_phones.php
+++ b/backend/Admin/debug/check_driver_phones.php
@@ -1,13 +0,0 @@
 <?php
 require_once 'connect.php';
 try {
    $stmt = $con->query("SELECT phone FROM driver LIMIT 10");
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        echo "Raw: " . $row['phone'] . " | Decrypted: " . $encryptionHelper->decryptData($row['phone']) . "\n";
    }
 } catch (Exception $e) {
    echo "An error occurred.";
 }
 ?>
--- a/backend/Admin/debug/check_users_cols.php
+++ b/backend/Admin/debug/check_users_cols.php
@@ -1,11 +0,0 @@
 <?php
 require_once 'connect.php';
 try {
    $stmt = $con->query("DESCRIBE users");
    $cols = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($cols, JSON_PRETTY_PRINT);
 } catch (Exception $e) {
    echo "An error occurred.";
 }
 ?>
--- a/backend/Admin/debug/debug_phone.php
+++ b/backend/Admin/debug/debug_phone.php
@@ -1,23 +0,0 @@
 <?php
 require_once __DIR__ . '/connect.php';
 $searchPhone = '0992952235';
 echo "Searching for: $searchPhone\n";
 $variants = [$searchPhone, '963' . substr($searchPhone, 1), '+963' . substr($searchPhone, 1)];
 foreach ($variants as $v) {
    echo "Checking variant: $v\n";
    $enc = $encryptionHelper->encryptData($v);
    $stmt = $con->prepare("SELECT id, phone, first_name FROM driver WHERE phone = ? OR phone = ?");
    $stmt->execute([$v, $enc]);
    $res = $stmt->fetch();
    if ($res) {
        echo "FOUND! ID: {$res['id']}, Name: {$res['first_name']}, Phone in DB: {$res['phone']}\n";
        exit;
    }
 }
 echo "NOT FOUND in driver table.\n";
--- a/backend/Admin/debug/env_test.php
+++ b/backend/Admin/debug/env_test.php
@@ -1,57 +0,0 @@
 <?php
 // env_test.php - أداة مخصصة لاختبار جميع متغيرات البيئة
 require_once __DIR__ . '/core/bootstrap.php'; // لتحميل الـ .env
 header('Content-Type: text/plain; charset=utf-8');
 echo "=== فحص متغيرات البيئة (Environment Variables) ===\n\n";
 $keysToCheck = [
    'PASSENGER_SOCKET_URL',
    'LOCATION_SOCKET_URL',
    'INTERNAL_SOCKET_KEY_PATH',
    'SECRET_KEY_PAY_PATH',
    'SECRET_KEY_HMAC',
    'allowed1',
    'allowed2',
    'passwordnewpassenger',
    'FP_PEPPER'
 ];
 foreach ($keysToCheck as $key) {
    $val = getenv($key);
    if ($val !== false && $val !== '') {
        // إخفاء جزء من القيم الحساسة مثل كلمات المرور
        if (strpos(strtolower($key), 'password') !== false || strpos(strtolower($key), 'secret') !== false || strpos(strtolower($key), 'hmac') !== false) {
            $hiddenVal = substr($val, 0, 3) . '***' . substr($val, -3);
            echo "[OK] $key = $hiddenVal\n";
        } else {
            echo "[OK] $key = $val\n";
        }
    } else {
        echo "[ERROR] $key = (مفقود أو فارغ!)\n";
    }
 }
 echo "\n\n=== فحص الملفات المباشرة ===\n\n";
 $filesToCheck = [
    '/home/siro-api/.internal_socket_key',
    '/home/siro-api/.secret_key_pay'
 ];
 foreach ($filesToCheck as $file) {
    if (file_exists($file)) {
        $content = trim(file_get_contents($file));
        if (!empty($content)) {
            $hidden = substr($content, 0, 3) . '***' . substr($content, -3);
            echo "[OK] File ($file) exists and has content: $hidden\n";
        } else {
            echo "[WARNING] File ($file) exists but is EMPTY!\n";
        }
    } else {
        echo "[ERROR] File ($file) DOES NOT EXIST!\n";
    }
 }
 echo "\n=== انتهى الفحص ===\n";
--- a/backend/Admin/debug/ggg.php
+++ b/backend/Admin/debug/ggg.php
@@ -1,78 +0,0 @@
 <?php
 include 'connect.php';
 // نضمن أن الرد دائماً JSON
 header('Content-Type: application/json; charset=utf-8');
 // 1) قراءة الـ body كـ JSON (من Flutter)
 $raw  = file_get_contents('php://input');
 $data = json_decode($raw, true);
 if (!is_array($data)) {
    // fallback لو أرسلت form-data أو x-www-form-urlencoded
    $data = $_POST;
 }
 // 2) التحقق من رقم هاتف الأدمن المصرّح له
 // قراءة الأرقام المسموح لها من الـ ENV
 $phonesRaw = getenv('ADMIN_PHONE_NUMBERS') ?: '';
 $ALLOWED_TOOL_PHONES = array_values(
    array_filter(
        array_map(function ($p) {
            // إزالة أي رموز غير رقمية (مسافات، +، - إلخ)
            return preg_replace('/\D+/', '', $p);
        }, explode(',', $phonesRaw))
    )
 );
 // رقم الهاتف القادم من Flutter (parameter جديد)
 $adminPhoneParam = isset($data['admin_phone'])
    ? preg_replace('/\D+/', '', $data['admin_phone'])
    : '';
 // إذا لم يُرسل رقم أو لم يكن ضمن القائمة → منع الوصول
 if ($adminPhoneParam === '' || !in_array($adminPhoneParam, $ALLOWED_TOOL_PHONES, true)) {
    http_response_code(403);
    echo json_encode([
        'status'  => 'error',
        'message' => 'Access denied for this admin phone.',
    ]);
    exit;
 }
 // 3) التحقق من بقية المدخلات (action + text)
 $action = $data['action'] ?? '';
 $text   = trim($data['text'] ?? '');
 if ($text === '' || ($action !== 'encrypt' && $action !== 'decrypt')) {
    http_response_code(400);
    echo json_encode([
        'status'  => 'error',
        'message' => 'Invalid input: need action=encrypt|decrypt and non-empty text.',
    ]);
    exit;
 }
 // 4) تنفيذ التشفير / الفك
 try {
   // require_once __DIR__ . '/encrypt_decrypt.php';
    if ($action === 'encrypt') {
        $result = $encryptionHelper->encryptData($text);
    } else { // decrypt
        $result = $encryptionHelper->decryptData($text);
    }
    echo json_encode([
        'status' => 'success',
        'action' => $action,
        'result' => (string) $result,
    ]);
 } catch (Exception $e) {
    http_response_code(500);
    echo json_encode([
        'status'  => 'error',
        'message' => 'Operation failed.',
    ]);
 }
--- a/backend/Admin/debug/scratch_db_check.php
+++ b/backend/Admin/debug/scratch_db_check.php
@@ -1,23 +0,0 @@
 <?php
 require_once 'connect.php';
 echo "--- ADMIN TABLE ---\n";
 try {
    $stmt = $con->prepare("SELECT id, name, role FROM admin");
    $stmt->execute();
    $admins = $stmt->fetchAll(PDO::FETCH_ASSOC);
    print_r($admins);
 } catch (Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
 }
 echo "\n--- DATABASES ---\n";
 try {
    $stmt = $con->prepare("SHOW DATABASES");
    $stmt->execute();
    $dbs = $stmt->fetchAll(PDO::FETCH_COLUMN);
    print_r($dbs);
 } catch (Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
 }
 ?>
--- a/backend/Admin/debug/scratch_log_path.php
+++ b/backend/Admin/debug/scratch_log_path.php
@@ -1,2 +0,0 @@
 <?php
 echo ini_get('error_log');
--- a/backend/Admin/debug/scratch_test_find.php
+++ b/backend/Admin/debug/scratch_test_find.php
@@ -1,13 +0,0 @@
 <?php
 require_once __DIR__ . '/../core/bootstrap.php';
 require_once __DIR__ . '/../functions.php';
 $con = Database::get('main');
 $lat = 32.11171;
 $lng = 36.06737;
 $carType = 'Fixed Price';
 echo "Testing findBestDrivers...\n";
 $drivers = findBestDrivers($con, $lat, $lng, $carType);
 print_r($drivers);
 echo "Done.\n";
--- a/backend/Admin/debug/scratch_test_redis.php
+++ b/backend/Admin/debug/scratch_test_redis.php
@@ -1,10 +0,0 @@
 <?php
 require_once __DIR__ . '/../core/bootstrap.php';
 $redis = getRedis(); // or however it's connected in bootstrap
 if (!$redis) {
    echo "No redis\n"; exit;
 }
 $redis->geoadd('geo:rides:waiting', 36.0, 32.0, 'test_ride');
 $res = $redis->georadius('geo:rides:waiting', 36.0, 32.0, 10, 'km', ['WITHDIST' => true]);
 print_r($res);
 echo json_encode($res) . "\n";
--- a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/private_key.pem
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/private_key.pem
@@ -1,15 +0,0 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIICXwIBAAKBgQDOhVAdUyxFpVNSyjRndMWEPAN9vJEetMzLbjF9DTn2lPVuRj/M
 kwq9wCNhy+tdeX2lIn4K3EkONBvYJubBhxnYOoQuMchPW5vG7VnmpLjZ7TkpM2n9
 fcMu8u1GkLatLblDI4LTfvn3851+nhpnYlUVkjw5GAhH4XnEpveIjqDhzQIDAQAB
 AoGBALRcAvqJT8nHN7y+8QNFHNZ+XwIpc4egmJY1Ny0iJvPtZWaYHVG5PRE4Qu4+
 29+3oX5dYDx146tu4L5mQvLS3ULBsvxaUZt2lT/vxkQzI9pNfXw584WvIrbtxQod
 ILvBcnamwQa9hEOIFZVyZ/hzkzUcMO6cAXqvsfqqPgJhm7PBAkEA+xgE9CUOLDFl
 vLePQKGcHIUOsPLr16qNEgGhTW7Km3OMMqoB2f7t67xOHGqK6tnANRM4Sk6IModI
 wbZuVh4jMQJBANKOVmIdDLNffZVHp90SDRG7/YdK2R5ob361CIkcUzjh927Wfs5W
 A/WroB7eJ7pWiq2BMaj/xq65nYaCOldvaV0CQQDm12c+eY61DFjnDa6ykaEvCxi9
 jydJp+93vW3o/VFhZvJeZbO8EcX0MrNxJnY+gSBW6yuWDOrj4UH/bVO08pIRAkEA
 lH3TiBAqo9nlTEEjrnILi4VD0IVFx/8pGnf71A6I1qXuBVn6RfQ9iKWIIBzWccCU
 vrZNWn1AFntLD9CJ6p3k9QJBAMbSQ9CoXWlOLJRduV15ER1ZyE/inVd4jIvtjAgz
 b7QaM62Ecxl3D8EI/LTSZV9Oa8D/62cJeMsflVa7gpavL70=
 -----END RSA PRIVATE KEY-----
--- a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/public_key.pem
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/public_key.pem
@@ -1,6 +0,0 @@
 -----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqBQZEJXWCQwPsPzBM70M3TjyU
 5vwCZWoEtUomR9Qu+dEQaa0Hniz6JY8+goCxfMYuZQw6+kimctA2KqzT2pCsJufN
 b92pSAMZgb0RSTl2y62oJkJd2WY7dj36AvPEyw6DxCFItvFOu7HGl3LlHQBriiw3
 jwtuS6DO7gbmAJPU8wIDAQAB
 -----END PUBLIC KEY-----
--- a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/private_key.pem
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/private_key.pem
@@ -1,15 +0,0 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIICXwIBAAKBgQDOhVAdUyxFpVNSyjRndMWEPAN9vJEetMzLbjF9DTn2lPVuRj/M
 kwq9wCNhy+tdeX2lIn4K3EkONBvYJubBhxnYOoQuMchPW5vG7VnmpLjZ7TkpM2n9
 fcMu8u1GkLatLblDI4LTfvn3851+nhpnYlUVkjw5GAhH4XnEpveIjqDhzQIDAQAB
 AoGBALRcAvqJT8nHN7y+8QNFHNZ+XwIpc4egmJY1Ny0iJvPtZWaYHVG5PRE4Qu4+
 29+3oX5dYDx146tu4L5mQvLS3ULBsvxaUZt2lT/vxkQzI9pNfXw584WvIrbtxQod
 ILvBcnamwQa9hEOIFZVyZ/hzkzUcMO6cAXqvsfqqPgJhm7PBAkEA+xgE9CUOLDFl
 vLePQKGcHIUOsPLr16qNEgGhTW7Km3OMMqoB2f7t67xOHGqK6tnANRM4Sk6IModI
 wbZuVh4jMQJBANKOVmIdDLNffZVHp90SDRG7/YdK2R5ob361CIkcUzjh927Wfs5W
 A/WroB7eJ7pWiq2BMaj/xq65nYaCOldvaV0CQQDm12c+eY61DFjnDa6ykaEvCxi9
 jydJp+93vW3o/VFhZvJeZbO8EcX0MrNxJnY+gSBW6yuWDOrj4UH/bVO08pIRAkEA
 lH3TiBAqo9nlTEEjrnILi4VD0IVFx/8pGnf71A6I1qXuBVn6RfQ9iKWIIBzWccCU
 vrZNWn1AFntLD9CJ6p3k9QJBAMbSQ9CoXWlOLJRduV15ER1ZyE/inVd4jIvtjAgz
 b7QaM62Ecxl3D8EI/LTSZV9Oa8D/62cJeMsflVa7gpavL70=
 -----END RSA PRIVATE KEY-----
--- a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/public_key.pem
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/public_key.pem
@@ -1,6 +0,0 @@
 -----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqBQZEJXWCQwPsPzBM70M3TjyU
 5vwCZWoEtUomR9Qu+dEQaa0Hniz6JY8+goCxfMYuZQw6+kimctA2KqzT2pCsJufN
 b92pSAMZgb0RSTl2y62oJkJd2WY7dj36AvPEyw6DxCFItvFOu7HGl3LlHQBriiw3
 jwtuS6DO7gbmAJPU8wIDAQAB
 -----END PUBLIC KEY-----