fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

This commit is contained in:
Hamza-Ayed
2026-06-17 06:22:41 +03:00
parent 4a9e6b22c5
commit d6f29802e0
9 changed files with 67 additions and 33 deletions


@@ -7,8 +7,17 @@ header('Content-Type: application/json');
try {
$inviteId = filterRequest("invite_id");
$driverId = filterRequest("driver_id");
$passengerId = filterRequest("passenger_id");
// Force user ID from JWT based on role
if ($role === 'driver') {
$driverId = $user_id;
$passengerId = null;
} elseif ($role === 'passenger') {
$passengerId = $user_id;
$driverId = null;
} else {
echo json_encode(["status" => "failure", "message" => "Invalid user role."]);
exit;
}
$countryCode = filterRequest("country_code"); // Expected: Jordan, Syria, Egypt
if (empty($inviteId)) {
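Review bot: The `filterRequest("driver_id")` and `filterRequest("passenger_id")` reads on the two lines above the role check are now dead code — both values are unconditionally overwritten from the token — and keeping them suggests the request body can still supply an identity; drop the two reads and leave a comment in their place, `// driver_id / passenger_id are never taken from the request: identity comes from the JWT claims`. `$role` and `$user_id` are not assigned in this hunk, so the fail-closed `else` branch depends on whatever runs before line 7 (presumably the JWT check) having set them; an unset `$role` still lands in the `else`, which is the safe outcome. The invalid-role response goes out with the default 200 status, so adding `http_response_code(403);` before the `echo` lets gateways and logs tell it apart from a success. The enclosing `try` opens at the top of this hunk and continues past its end.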
@@ -88,6 +97,7 @@ try {
}
function addWalletBalance($url, $userId, $userType, $amount) {
$s2sKey = getenv('S2S_SHARED_KEY');
$data = [
"user_id" => $userId,
"user_type" => $userType,
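Review bot: A missing `S2S_SHARED_KEY` is not treated as an error: `getenv()` returns `false`, and the `if ($s2sKey)` guard added in the next hunk then sends the wallet request with no `X-Auth-Token` header at all, so a misconfigured deployment silently degrades to an unauthenticated service-to-service call instead of failing. Fail closed at the point of the read, `$s2sKey = getenv('S2S_SHARED_KEY') ?: throw new RuntimeException('S2S_SHARED_KEY is not configured');`, and let the endpoint's existing error path report a generic failure (the commit title says exception messages are no longer echoed; worth confirming for this file's catch). The hunk header's line count implies a blank line between `}` and the function that this page does not show. addWalletBalance's body continues into the next hunk.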
@@ -100,6 +110,11 @@ function addWalletBalance($url, $userId, $userType, $amount) {
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
if ($s2sKey) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Auth-Token: $s2sKey"]);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
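Review bot: A transport or TLS-verification failure in `curl_exec()` is indistinguishable from a wallet-service reply: `$response` is `false`, the cURL error text is discarded by `curl_close()` on the following line, and the caller gets `false` with no record of why the balance was not credited. Capture the error before closing and surface it, e.g. `if ($response === false) { error_log('wallet S2S call failed: ' . curl_error($ch)); }` placed between `curl_exec` and `curl_close`. Turning on `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` is the right default, and because it will now reject a wallet host presenting an invalid certificate, that log line is what makes such an outage visible rather than a silent loss of credits. The function's closing brace lies outside the hunk.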