Fix #22: Medium-severity fixes (M-01 through M-07)

M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete M-03: MD5 tracking token - replaced md5() with hash_hmac sha256 M-04: Webhook SMS - absolute log path instead of relative M-05: Weak 3-digit OTP - already noted as requirement (Fix #5) M-06: Redis without auth - added password + prefix to cancel_ride_by_driver M-07: SSRF bypass - str_ends_with -> strict equality in allowlist
2026-06-17 07:58:21 +03:00
parent 3543fdd2cd
commit a8748cf4c9
8 changed files with 37 additions and 9 deletions
--- a/backend/ride/carDrivers/add.php
+++ b/backend/ride/carDrivers/add.php
@@ -1,6 +1,12 @@
 <?php
 require_once __DIR__ . '/../../connect.php';

+// التحقق من أن المستخدم يملك هذا المعرف
+if ($role !== 'admin' && $role !== 'super_admin' && (string)$user_id !== (string)$driverID) {
+    jsonError("Unauthorized: You can only add cars to your own account");
+    exit;
+}
+
 // استقبال القيم
 $driverID          = filterRequest("driverID");
 $vin               = $encryptionHelper->encryptData(filterRequest("vin"));
--- a/backend/ride/carDrivers/delete.php
+++ b/backend/ride/carDrivers/delete.php
@@ -4,6 +4,23 @@ require_once __DIR__ . '/../../connect.php';
 // استقبال ID السجل
 $id = filterRequest("id");

+// التحقق من أن السجل يخص المستخدم الحالي أو هو أدمن
+$checkSql = "SELECT driverID FROM captains_car WHERE id = :id LIMIT 1";
+$checkStmt = $con->prepare($checkSql);
+$checkStmt->bindParam(':id', $id, PDO::PARAM_INT);
+$checkStmt->execute();
+$record = $checkStmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$record) {
+    jsonError("Record not found");
+    exit;
+}
+
+if ($role !== 'admin' && $role !== 'super_admin' && (string)$user_id !== $record['driverID']) {
+    jsonError("Unauthorized: You can only delete your own car registrations");
+    exit;
+}
+
 // حذف السجل من جدول captains_car (أو CarRegistration لو هو الصحيح فعلاً)
 $sql = "DELETE FROM captains_car WHERE id = :id";
 $stmt = $con->prepare($sql);
--- a/backend/ride/rides/cancel_ride_by_driver.php
+++ b/backend/ride/rides/cancel_ride_by_driver.php
@@ -142,6 +142,9 @@ try {
            try {
                $redis = new Redis();
                $redis->connect('127.0.0.1', 6379);
+                $redisPass = getenv('REDIS_PASSWORD');
+                if ($redisPass) $redis->auth($redisPass);
+                $redis->setOption(Redis::OPT_PREFIX, 'siro:');
                $redisKey = "passenger_debt_" . $passenger_id;
                // إضافة الدين الجديد إلى الدين السابق إن وجد
                $currentDebt = (float) $redis->get($redisKey);
--- a/backend/ride/rides/get_driver_location.php
+++ b/backend/ride/rides/get_driver_location.php
@@ -48,9 +48,9 @@ try {
    
    // * هام: هذه الكلمة السرية يجب أن تكون مطابقة تماماً للموجودة في تطبيق Flutter
    $secretSalt = getenv("secretSaltParent");
-    
-    // إعادة بناء الهاش للمقارنة
-    $generatedToken = md5($rideID . $driverID . $secretSalt);
+
+    // إعادة بناء الهاش للمقارنة (HMAC-SHA256 بدلاً من MD5)
+    $generatedToken = hash_hmac('sha256', $rideID . $driverID, $secretSalt);

    if ($token !== $generatedToken) {
        http_response_code(403);