Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #22: Medium-severity fixes (M-01 through M-07)

Browse Source 
M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN
M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete
M-03: MD5 tracking token - replaced md5() with hash_hmac sha256
M-04: Webhook SMS - absolute log path instead of relative
M-05: Weak 3-digit OTP - already noted as requirement (Fix #5)
M-06: Redis without auth - added password + prefix to cancel_ride_by_driver
M-07: SSRF bypass - str_ends_with -> strict equality in allowlist
This commit is contained in:
Hamza-Ayed
2026-06-17 07:58:21 +03:00
parent 3543fdd2cd
commit a8748cf4c9
8 changed files with 37 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/auth/document_syria/ai_document.php
View File

@@ -46,7 +46,7 @@ if (!move_uploaded_file($file['tmp_name'], $uploadPath)) {
exit;
}
$host = $_SERVER['HTTP_HOST'] ?? 'api-syria.siromove.com';
$host = getenv('APP_DOMAIN') ?: 'api-syria.siromove.com';
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
$imageUrl = "$protocol://$host/siro/auth/uploads/documents/" . $uniqueName ;
$imageData = file_get_contents($uploadPath);

4
backend/auth/syria/driver/register_driver_and_car.php
View File

@@ -16,7 +16,7 @@ try {
exit;
}
$host = $_SERVER['HTTP_HOST'] ?? 'api-syria.siromove.com';
$host = getenv('APP_DOMAIN') ?: 'api-syria.siromove.com';
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
$PUBLIC_BASE = "$protocol://$host/siro/auth/uploads/documents";
@@ -230,7 +230,7 @@ Therefore, do NOT assume a specific field is on the front or the back of a card.
$urlHost = parse_url($url, PHP_URL_HOST);
$allowed = false;
foreach ($allowedHosts as $host) {
if ($host && str_ends_with($urlHost, $host)) {
if ($host && $urlHost === $host) {
$allowed = true;
break;
}

2
backend/auth/syria/uploadSyrianDocs.php
View File

@@ -10,7 +10,7 @@ const MAX_FILE_MB = 5;
const ALLOWED_MIMES = ['image/jpeg','image/png','image/webp']; // فقط صور
const UPLOAD_ROOT = __DIR__ . "/../../private_uploads"; // مجلد خاص (غير عام)
const SIGN_SECRET = getenv('SECRET_KEY_HMAC'); // غيّرها واقرأها من .env
$host = $_SERVER['HTTP_HOST'] ?? 'api-syria.siromove.com';
$host = getenv('APP_DOMAIN') ?: 'api-syria.siromove.com';
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
define('PUBLIC_BASE', "$protocol://$host/siro");
const SIGNED_TTL_SEC = 172800; // 2 days = 60*60*24