Update: 2026-06-16 01:17:28

2026-06-16 01:17:29 +03:00
parent 04943e3d52
commit fc58529b09
56 changed files with 1149 additions and 1314 deletions
--- a/backend/auth/syria/driver/register_driver_and_car.php
+++ b/backend/auth/syria/driver/register_driver_and_car.php
@@ -219,8 +219,32 @@ Therefore, do NOT assume a specific field is on the front or the back of a card.
            ["role" => "user", "parts" => [["text" => $promptBase]]]
        ];

+        // ✅ SSRF Protection: Allowlist for document URLs
+        $allowedHosts = array_filter([
+            parse_url($PUBLIC_BASE, PHP_URL_HOST),
+            getenv('ALLOWED_UPLOAD_HOST'),
+        ]);
+        $maxFileSize = 10 * 1024 * 1024; // 10MB max per image
+
        foreach ($docUrls as $key => $url) {
-            $imgData = @file_get_contents($url);
+            $urlHost = parse_url($url, PHP_URL_HOST);
+            $allowed = false;
+            foreach ($allowedHosts as $host) {
+                if ($host && str_ends_with($urlHost, $host)) {
+                    $allowed = true;
+                    break;
+                }
+            }
+            if (!$allowed) {
+                error_log("[SSRF_BLOCKED] Doc URL not in allowlist: $urlHost ($key)");
+                continue;
+            }
+
+            $ctx = stream_context_create(['http' => [
+                'timeout' => 10,
+                'ignore_errors' => true,
+            ]]);
+            $imgData = @file_get_contents($url, false, $ctx, 0, $maxFileSize);
            if ($imgData !== false) {
                $base64 = base64_encode($imgData);
                $ext = strtolower(pathinfo(parse_url($url, PHP_URL_PATH), PATHINFO_EXTENSION));
@@ -528,8 +552,8 @@ $pwdHashed = password_hash($rawSecret, PASSWORD_DEFAULT);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $notificationPayload);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        
        curl_exec($ch);
        curl_close($ch);
--- a/backend/auth/syria/uploadSyrianDocs.php
+++ b/backend/auth/syria/uploadSyrianDocs.php
@@ -108,8 +108,13 @@ if (!is_dir($destDir)) { @mkdir($destDir, 0700, true); }
 $serverName = "{$driverIdSafe}__{$docType}{$ext}";
 $destPath   = $destDir . '/' . $serverName;

-// استبدال أي نسخة قديمة عن قصد (overwrite)
-if (is_file($destPath)) { @unlink($destPath); }
+// استبدال أي نسخة قديمة عن قصد (overwrite) - مع حماية ضد path traversal
+$resolvedDest = realpath($destPath) ?: $destPath;
+$resolvedRoot = realpath(UPLOAD_ROOT) ?: UPLOAD_ROOT;
+
+if (is_file($destPath) && str_starts_with($resolvedDest, $resolvedRoot)) {
+    @unlink($destPath);
+}

 // نقل الملف
 if (!move_uploaded_file($tmpPath, $destPath)) {