Commit Graph

15 Commits

Author SHA1 Message Date
Hamza-Ayed
264e005a7b fix: PHP syntax errors in upload files and composer config
- Fix PHP 8.x string interpolation syntax in upload log calls
- Fix const getenv() -> runtime variable in uploadSyrianDocs.php
- Add composer security advisory ignore for firebase/php-jwt
- Run composer update to sync lock file
2026-06-17 08:41:16 +03:00
Hamza-Ayed
a8748cf4c9 Fix #22: Medium-severity fixes (M-01 through M-07)
M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN
M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete
M-03: MD5 tracking token - replaced md5() with hash_hmac sha256
M-04: Webhook SMS - absolute log path instead of relative
M-05: Weak 3-digit OTP - already noted as requirement (Fix #5)
M-06: Redis without auth - added password + prefix to cancel_ride_by_driver
M-07: SSRF bypass - str_ends_with -> strict equality in allowlist
2026-06-17 07:58:21 +03:00
Hamza-Ayed
72eeb24cd7 Fix #18: Exception leak remediation across 87 PHP files
- Replaced all client-facing $e->getMessage() with generic error messages
- Added error_log() with filename prefix to all catch blocks
- Covered jsonError(), echo, and json_encode() response patterns
- Also fixed 2 remaining display_errors=1 and add_invoice.php leak
- Script-assisted fix for 75 files, manual fix for 12 remaining edge cases
2026-06-17 07:48:31 +03:00
Hamza-Ayed
1a9619f9f8 fix(security): fix login AND logic to OR, add signup input validation, separate OTP rate limit keys
2026-06-17 07:05:58 +03:00
Hamza-Ayed
1d3ea597f4 fix(security): wallet balance check with FOR UPDATE, remove user-supplied ID in signup, hardcoded IP to env
2026-06-17 06:53:00 +03:00
Hamza-Ayed
3dad979eb5 fix(security): remove JWT role extraction without signature, add OTP replay protection, fix user enumeration
2026-06-17 06:45:53 +03:00
Hamza-Ayed
0ceb67ee56 fix(security): fix SQL injection in updatePaymetToPaid, OTP random_int, static IV encryption, storage mismatch
2026-06-17 06:31:13 +03:00
Hamza-Ayed
b516fbc4ed Update: 2026-06-16 17:47:17
2026-06-16 17:47:19 +03:00
Hamza-Ayed
fc58529b09 Update: 2026-06-16 01:17:28
2026-06-16 01:17:29 +03:00
Hamza-Ayed
2321b78244 Update: 2026-06-15 01:37:40
2026-06-15 01:37:41 +03:00
Hamza-Ayed
0ae368dbc8 Update: 2026-06-12 22:40:40
2026-06-12 22:40:40 +03:00
Hamza-Ayed
f907212c57 Update: 2026-06-12 20:40:40
2026-06-12 20:40:40 +03:00
Hamza-Ayed
ef6b52d2e3 Update: 2026-06-12 01:23:54
2026-06-12 01:23:54 +03:00
Hamza-Ayed
c5170a88d2 Update: 2026-06-11 13:47:39
2026-06-11 13:47:40 +03:00
Hamza-Ayed
d8901e1a87 first commit
2026-06-09 08:40:31 +03:00