fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

2026-06-17 06:22:41 +03:00
parent 4a9e6b22c5
commit d6f29802e0
9 changed files with 67 additions and 33 deletions
--- a/backend/ride/invitor/add.php
+++ b/backend/ride/invitor/add.php
@@ -17,7 +17,12 @@ function generateUniqueCode($con) {
    }
 }

-$driverId = filterRequest("driverId");
+// Force driverId from JWT — only drivers can manage invitations
+if ($role !== 'driver') {
+    jsonError("Only drivers can create invitations");
+    exit;
+}
+$driverId = $user_id;
 $inviterDriverPhone = filterRequest("inviterDriverPhone");

 // 🔐 تشفير رقم الهاتف
@@ -52,7 +57,8 @@ if ($checkStmt->rowCount() > 0) {
                "expirationTime" => $expirationTime
            ]);
        } catch (PDOException $e) {
-            jsonError("Database error: " . $e->getMessage());
+            error_log("[invitor/add] DB Error: " . $e->getMessage());
+            jsonError("Database error occurred");
        }
    }

@@ -83,7 +89,8 @@ if ($checkStmt->rowCount() > 0) {
            jsonError("Failed to save invite data");
        }
    } catch (PDOException $e) {
-        jsonError("Database error: " . $e->getMessage());
+        error_log("[invitor/add] DB Error: " . $e->getMessage());
+        jsonError("Database error occurred");
    }
 }
 ?>
--- a/backend/ride/invitor/claim.php
+++ b/backend/ride/invitor/claim.php
@@ -7,8 +7,17 @@ header('Content-Type: application/json');

 try {
    $inviteId = filterRequest("invite_id");
-    $driverId = filterRequest("driver_id");
-    $passengerId = filterRequest("passenger_id");
+    // Force user ID from JWT based on role
+    if ($role === 'driver') {
+        $driverId = $user_id;
+        $passengerId = null;
+    } elseif ($role === 'passenger') {
+        $passengerId = $user_id;
+        $driverId = null;
+    } else {
+        echo json_encode(["status" => "failure", "message" => "Invalid user role."]);
+        exit;
+    }
    $countryCode = filterRequest("country_code"); // Expected: Jordan, Syria, Egypt
    
    if (empty($inviteId)) {
@@ -88,6 +97,7 @@ try {
 }

 function addWalletBalance($url, $userId, $userType, $amount) {
+    $s2sKey = getenv('S2S_SHARED_KEY');
    $data = [
        "user_id" => $userId,
        "user_type" => $userType,
@@ -100,6 +110,11 @@ function addWalletBalance($url, $userId, $userType, $amount) {
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
+    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+    if ($s2sKey) {
+        curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Auth-Token: $s2sKey"]);
+    }
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;