Hamza-Ayed
2d607d9e90
Fix #19 : Plaintext OTP hashing + hardcoded server paths
- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
  - ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
- Falls back to __DIR__-relative paths when env vars are unset
2026-06-17 07:49:46 +03:00
Hamza-Ayed
790d58aaa2
remove temp fix script
2026-06-17 07:48:34 +03:00
Hamza-Ayed
72eeb24cd7
Fix #18 : Exception leak remediation across 87 PHP files
- Replaced all client-facing $e->getMessage() with generic error messages
- Added error_log() with filename prefix to all catch blocks
- Covered jsonError(), echo, and json_encode() response patterns
- Also fixed 2 remaining display_errors=1 and add_invoice.php leak
- Script-assisted fix for 75 files, manual fix for 12 remaining edge cases
2026-06-17 07:48:31 +03:00
Hamza-Ayed
e51d266a0f
Fix #17 : SQL injection + mass data exposure (backend)
- Fixed SQL injection in ride/license/get.php (interpolated variable → parameterized query)
- Added admin role checks to all 3 mass data endpoints (driver tokens, passenger tokens, phones+tokens)
- Added pagination (50/page) to all 4 mass data endpoints
- Fixed LIMIT to use placeholders with type binding
2026-06-17 07:45:35 +03:00
Hamza-Ayed
f528e1d3c5
Fix #16 : SSL pinning in all 4 Flutter apps
- Created ssl_pinning.dart with SHA-256 DER hash pinning for intaleq.xyz and siromove.com
- Replaced http.post/http.get with pinned client in all CRUD classes
- Added crypto dependency to siro_admin and siro_driver pubspec
2026-06-17 07:40:43 +03:00
Hamza-Ayed
0e28814e7d
Fix #15 : PCI-DSS compliance - remove persistent CVV storage from Flutter apps
2026-06-17 07:26:27 +03:00
Hamza-Ayed
16331bd35d
Fix #14 : Remove unused privateKeyFCM (Firebase service account key) from Flutter apps
2026-06-17 07:21:18 +03:00
Hamza-Ayed
623d66a3d8
Fix #13 : Remove hardcoded PII from Flutter apps, enable root detection in siro_admin
2026-06-17 07:13:18 +03:00
Hamza-Ayed
1a9619f9f8
fix(security): fix login AND logic to OR, add signup input validation, separate OTP rate limit keys
2026-06-17 07:05:58 +03:00
Hamza-Ayed
70c06edd71
fix(security): fix host header injection in upload_audio, email header injection, add SSL verify to MTN curl
2026-06-17 06:57:56 +03:00
Hamza-Ayed
75aeb73f27
fix(security): fix openssl_sign key resource in MTN initiate, add google-services.json to gitignore
2026-06-17 06:55:36 +03:00
Hamza-Ayed
1d3ea597f4
fix(security): wallet balance check with FOR UPDATE, remove user-supplied ID in signup, hardcoded IP to env
2026-06-17 06:53:00 +03:00
Hamza-Ayed
3dad979eb5
fix(security): remove JWT role extraction without signature, add OTP replay protection, fix user enumeration
2026-06-17 06:45:53 +03:00
Hamza-Ayed
81376a2245
fix(security): remove SSL bypass + hardcoded creds in face_detect, rider debug CA overrides, fix siro_service manifest
2026-06-17 06:36:26 +03:00
Hamza-Ayed
c82b0071bb
fix(security): wallet race conditions - FOR UPDATE + atomic claims on payments, webhooks, bonuses
2026-06-17 06:34:51 +03:00
Hamza-Ayed
0ceb67ee56
fix(security): fix SQL injection in updatePaymetToPaid, OTP random_int, static IV encryption, storage mismatch
2026-06-17 06:31:13 +03:00
Hamza-Ayed
8c6dea5d96
fix(security): add auth to FCM relay, HMAC to shamcash webhook, fix jwtconnect webhook bypass
2026-06-17 06:27:07 +03:00
Hamza-Ayed
d6f29802e0
fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth
2026-06-17 06:22:41 +03:00
Hamza-Ayed
4a9e6b22c5
fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp
2026-06-17 06:19:47 +03:00
Hamza-Ayed
9bbda24d4a
fix(security): add .gitignore, remove PEM keys and debug endpoints from tracking
2026-06-17 06:17:03 +03:00
Hamza-Ayed
28d30e3359
Update: 2026-06-17 03:24:05
2026-06-17 03:24:05 +03:00
Hamza-Ayed
fd30b9f6fa
feat: add generate_study script for automated study content creation
2026-06-16 22:44:47 +03:00
Hamza-Ayed
2c3816badb
Update: 2026-06-16 22:44:11
2026-06-16 22:44:11 +03:00
Hamza-Ayed
b516fbc4ed
Update: 2026-06-16 17:47:17
2026-06-16 17:47:19 +03:00
Hamza-Ayed
49899da6b2
Update: 2026-06-16 04:29:16
2026-06-16 04:29:16 +03:00
Hamza-Ayed
c0fe990ebe
Update: 2026-06-16 02:52:06
2026-06-16 02:52:06 +03:00
Hamza-Ayed
2c657fa0b4
Update: 2026-06-16 02:14:34
2026-06-16 02:14:35 +03:00
Hamza-Ayed
fc58529b09
Update: 2026-06-16 01:17:28
2026-06-16 01:17:29 +03:00
Hamza-Ayed
04943e3d52
Update: 2026-06-15 19:39:21
2026-06-15 19:39:21 +03:00
Hamza-Ayed
c472a78416
Update: 2026-06-15 01:38:09
2026-06-15 01:38:10 +03:00
Hamza-Ayed
2321b78244
Update: 2026-06-15 01:37:40
2026-06-15 01:37:41 +03:00
Hamza-Ayed
f021ba5a35
Update: 2026-06-14 22:10:07
2026-06-14 22:10:08 +03:00
Hamza-Ayed
8e3b9eca4d
Update: 2026-06-14 05:48:58
2026-06-14 05:48:58 +03:00
Hamza-Ayed
2645ed0cf1
Update: 2026-06-14 04:27:17
2026-06-14 04:27:17 +03:00
Hamza-Ayed
55970712cc
Update: 2026-06-13 15:43:50
2026-06-13 15:43:50 +03:00
Hamza-Ayed
bfc530b013
Update: 2026-06-13 01:32:15
2026-06-13 01:32:15 +03:00
Hamza-Ayed
cb1b2d01df
Update: 2026-06-13 00:57:17
2026-06-13 00:57:17 +03:00
Hamza-Ayed
7893b2dc07
Update: 2026-06-13 00:08:00
2026-06-13 00:08:00 +03:00
Hamza-Ayed
0ae368dbc8
Update: 2026-06-12 22:40:40
2026-06-12 22:40:40 +03:00
Hamza-Ayed
f907212c57
Update: 2026-06-12 20:40:40
2026-06-12 20:40:40 +03:00
Hamza-Ayed
305ae01d52
Update: 2026-06-12 01:34:30
2026-06-12 01:34:30 +03:00
Hamza-Ayed
ef6b52d2e3
Update: 2026-06-12 01:23:54
2026-06-12 01:23:54 +03:00
Hamza-Ayed
7049c7468c
Update: 2026-06-11 21:53:27
2026-06-11 21:53:27 +03:00
Hamza-Ayed
b87477bec4
Update: 2026-06-11 19:26:42
2026-06-11 19:26:42 +03:00
Hamza-Ayed
727068b668
Update: 2026-06-11 18:22:57
2026-06-11 18:22:59 +03:00
Hamza-Ayed
c5170a88d2
Update: 2026-06-11 13:47:39
2026-06-11 13:47:40 +03:00
Hamza-Ayed
977adfe99d
Update: 2026-06-10 18:11:50
2026-06-10 18:11:50 +03:00
Hamza-Ayed
a0473a8b0f
Update: 2026-06-10 02:44:54
2026-06-10 02:44:55 +03:00
Hamza-Ayed
9bc7a31c94
Push remaining files and update README
2026-06-09 08:44:23 +03:00
Hamza-Ayed
d8901e1a87
first commit
2026-06-09 08:40:31 +03:00