Andy Miller
f47feee98d
remove safe-upgrade/snapshots/recover
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2026-04-15 14:03:10 +01:00
Andy Miller
8426e91cac
feat: surface remote next_major hint in Upgrader for cross-major migration notices
...
Reads the new `next_major` block from grav.json (sent by a family-aware
resources server when a 1.x client is served a 1.x release alongside a 2.x
hint) and exposes it via Upgrader::isNextMajorAvailable(),
getNextMajorVersion(), getMigrationUrl(). The admin plugin uses these to
show a dashboard migration banner without implying an automatic upgrade.
isNextMajorAvailable() no longer compares raw remote vs local majors —
under family-aware serving, the remote version is already the client's
family, so the old logic would silently stop firing. It now requires
the server hint and verifies it truly points to a newer major.
Tests updated to inject the hint via an extended TestableUpgrader.
2026-04-13 22:41:39 +01:00
Andy Miller
e83b12d8c4
fix(tests): remove snapshot test and fix CompatibilityTest GRAV_ROOT issue
...
- Delete InstallSnapshotManifestTest: references isSnapshotManifest()
which no longer exists after safe-upgrade removal
- Fix InstallCompatibilityTest: GRAV_ROOT is a PHP constant that cannot
be redefined per-test; add optional $root param to detectIncompatiblePackages,
isPluginEnabled, and isThemeEnabled so tests can pass a tmpDir directly
2026-04-13 19:23:56 +01:00
Andy Miller
dff21f8445
fix(tests): PHP 7.3 compatibility in UpgraderFamilyTest
...
Replace typed class properties with PHPDoc annotations so the test
file passes CI on PHP 7.3 (typed properties require 7.4+).
2026-04-13 19:16:48 +01:00
Andy Miller
98af1cb4e3
Remove SafeUpgradeService, add family-aware GPM upgrade gate
...
- Remove SafeUpgradeService, RollbackCommand, SafeUpgradeRunCommand, and bin/restore
- Simplify Install.php: remove all snapshot logic; keep forceSafeUpgrade() as no-op stub
for backward compat with pre-2.0 upgrade scripts that call it in finally blocks
- Simplify SelfupgradeCommand: remove --safe/--legacy flags, safe-upgrade window tracking,
and manifest block; keep RecoveryManager plugin-disable calls
- Simplify PreflightCommand: use Install::instance()->generatePreflightReport() directly
- Simplify recovery.php: remove auth, rollback, and quarantine sections; keep
clear-flag and disable-recovery actions
- Upgrader::isUpgradable() now returns false when remote is a different major.minor family
(e.g. 1.8.x will not auto-upgrade to 2.0.x)
- Add Upgrader::isNextMajorAvailable() for future informational notices
- Add bin/gpm-cache-inject helper for local E2E testing without a live server
- Add UpgraderFamilyTest covering all cross-family and same-family scenarios (10/10)
2026-04-13 18:45:41 +01:00
Andy Miller
2c517b012e
Add compatibility: blueprint support for major version upgrade gating
...
Adds a new `compatibility:` field to plugin/theme blueprints.yaml that allows
authors to declare which Grav versions they've tested on:
compatibility:
grav: ['1.7', '1.8']
api: ['1.0']
When absent, compatibility is inferred from dependencies (grav >=1.8 means
1.8-only, otherwise assumes 1.7). This gates major upgrades (1.7→1.8) by
blocking if enabled plugins aren't marked as 1.8-compatible.
Core changes:
- Install.php: detectIncompatiblePackages() in preflight checks
- SafeUpgradeService: same detection for admin pre-download checks
- SelfupgradeCommand: interactive handling (disable/continue/abort)
- GPM Local/Package: computed compatibility property from blueprints
- CLI badges: IndexCommand, InfoCommand, UpdateCommand show 1.7/1.8 badges
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-02 10:22:56 -06:00
Andy Miller
8d0b049993
safe upgrade hardening
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2026-02-25 13:28:09 -07:00
Andy Miller
9d11094e41
Merge branch 'fix/GHSA-x62q-p736-3997-GHSA-gq3g-666w-7h85-admin-security' into 1.8
2025-11-29 17:52:03 -07:00
Andy Miller
ed640a1314
Merge branch 'fix/GHSA-p4ww-mcp9-j6f2-GHSA-m8vh-v6r6-w7p6-GHSA-j422-qmxp-hv94-file-path-security' into 1.8
2025-11-29 17:45:33 -07:00
Andy Miller
e37259527d
Merge branch 'fix/GHSA-662m-56v4-3r8f-GHSA-858q-77wx-hhx6-GHSA-8535-hvm8-2hmv-GHSA-gjc5-8cfh-653x-GHSA-52hh-vxfw-p6rg-ssti-sandbox' into 1.8
2025-11-29 17:30:39 -07:00
Andy Miller
19c2f8da76
Fix path traversal and uniqueness vulnerabilities in username validation
...
Security fixes for:
- GHSA-h756-wh59-hhjv: Path traversal via username during account creation
- GHSA-cjcp-qxvg-4rjm: Username uniqueness bypass
Changes:
Framework/Flex/Storage/AbstractFilesystemStorage.php:
- Added validateKey() to check for path traversal attempts
- Blocks: .., /, \, null bytes, control characters
- Added assertValidKey() public method for external validation
Framework/Flex/Storage/FolderStorage.php:
- Key validation now enforced in createRows()
User/DataUser/User.php:
- Added isValidUsername() static method for reusable validation
- Added uniqueness check in save() - blocks if user already exists
- Validation blocks: path traversal, hidden files, dangerous characters
Flex/Types/Users/UserObject.php:
- Validation now blocks hidden files (starting with .)
Added unit tests:
- tests/unit/Grav/Common/Security/UsernameValidationTest.php
- 50 tests covering path traversal, dangerous characters, and valid usernames
2025-11-29 17:25:02 -07:00
Andy Miller
a161399c84
Fix DoS via cron expressions and password hash exposure
...
Security fixes for:
- GHSA-x62q-p736-3997: DoS via invalid cron expression in scheduler
- GHSA-gq3g-666w-7h85: Password hash exposure to frontend
Changes:
Scheduler/Job.php:
- Added try-catch around CronExpression::factory() to prevent DoS
- Added isValidCronExpression() static validation method
- Returns null instead of throwing on invalid expressions
Scheduler/IntervalTrait.php:
- Added try-catch in at() method for graceful handling
Twig/Extension/GravExtension.php:
- Protected cronFunc() from invalid expressions
Console/Cli/SchedulerCommand.php:
- Handle null cron expressions (shows "Invalid cron" error)
Flex/Types/Users/UserObject.php:
- Override jsonSerialize() to filter out hashed_password, secret, twofa_secret
- Prevents sensitive data from being exposed to frontend/HTML
User/DataUser/User.php:
- Same jsonSerialize() override for DataUser implementation
Added unit tests:
- tests/unit/Grav/Common/Security/AdminSecurityTest.php
- 53 tests covering cron validation and password hash protection
2025-11-29 17:24:41 -07:00
Andy Miller
5f120c328b
Fix file read, DoS, and path traversal vulnerabilities
...
Security fixes for:
- GHSA-p4ww-mcp9-j6f2: Arbitrary file read via read_file() Twig function
- GHSA-m8vh-v6r6-w7p6: DoS via malformed language code in regex
- GHSA-j422-qmxp-hv94: Path traversal in backup root configuration
Changes:
GravExtension.php - readFileFunc():
- Added realpath validation to prevent path traversal
- Blocked reading files outside GRAV_ROOT
- Blocked sensitive files: accounts/*.yaml, .env, .git, logs, backups, vendor
Language.php:
- Fixed regex delimiter in setActiveFromUri() to properly escape language codes
- Added validation in setLanguages() to only allow valid language codes
- Pattern: /^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/
Backups.php:
- Added path traversal protection with realpath validation
- Blocked access to system directories: /etc, /root, /home, /var, etc.
Added unit tests:
- tests/unit/Grav/Common/Security/FilePathSecurityTest.php
- 55 tests covering language code validation and regex injection prevention
2025-11-29 17:24:22 -07:00
Andy Miller
db924c4a26
Expand SSTI sandbox blacklist to block known attack vectors
...
Security fixes for:
- GHSA-662m-56v4-3r8f: SSTI sandbox bypass via nested evaluate_twig
- GHSA-858q-77wx-hhx6: Privilege escalation via grav.user/scheduler
- GHSA-8535-hvm8-2hmv: Context leak via Forms _context access
- GHSA-gjc5-8cfh-653x: Sandbox bypass via grav.config.set
- GHSA-52hh-vxfw-p6rg: CVE-2024-28116 bypass via string concatenation
Changes to cleanDangerousTwig():
- Added 150+ dangerous PHP functions to blacklist
- Blocked access to grav.scheduler, grav.twig.twig, grav.backups, grav.gpm
- Blocked config modification via config.set()
- Blocked user modification via grav.user.update()/save()
- Blocked context/internal access via _context, _self, twig_vars
- Blocked evaluate_twig/evaluate to prevent nested bypass
- Added string concatenation pattern detection for bypass attempts
- Blocked SSRF vectors (curl, fsockopen, stream_socket)
- Blocked file operations, serialization, reflection classes
Performance optimizations:
- Early exit if string has no Twig blocks ({{ or {%})
- Static caching of compiled regex patterns (built once, reused)
- Combined all patterns into 4 single regex operations instead of ~190 loops
- Consolidated property patterns using regex alternation groups
Added unit tests:
- tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php
- 104 tests covering all GHSA advisories and dangerous patterns
2025-11-29 17:24:06 -07:00
Andy Miller
4e11ca7c8e
Fix slow SafeUpgradeServiceTest by optimizing snapshot pruning
2025-11-20 10:51:45 +00:00
Andy Miller
3b1c332932
Fix safe-upgrade snapshot creation (copy vs move) and implement pruning
2025-11-18 18:21:34 +00:00
Andy Miller
7fd614f8b6
Add Twig 3 compatibility transformations for raw, divisibleby, and none
2025-11-18 17:46:20 +00:00
Andy Miller
5567a5a1cd
twig3 compatibility fixes + tests
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-11-18 17:25:07 +00:00
Andy Miller
cbf5ec57c6
test fixes + major/minor plugin warnings
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-11-14 11:33:24 +00:00
Andy Miller
73d3a90c0b
test fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-11-09 13:11:17 +00:00
Andy Miller
b2f2e7bd45
more recovery manage fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-19 18:37:12 -06:00
Andy Miller
3fbd6771e9
more recovery fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-19 18:18:20 -06:00
Andy Miller
348fa04c47
recovery/command fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-19 17:59:17 -06:00
Andy Miller
e30245789c
move recover.flag
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-19 16:02:51 -06:00
Andy Miller
942f523f18
fix test
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-18 19:09:59 -06:00
Andy Miller
f9348a4d9d
Merge branch 'develop' into 1.8
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-17 18:35:14 -06:00
Andy Miller
44fd1172b8
more granular install for self upgrade
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-17 18:18:53 -06:00
Andy Miller
920642411c
move back to cp instead of mv for snapshots
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-17 17:53:48 -06:00
Andy Miller
2999c06a3a
change snapshot storage
2025-10-17 16:49:42 -06:00
Andy Miller
c56d24c0d7
timelimt on recovery status
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-16 09:08:53 -06:00
Andy Miller
ee49305053
timelimit on recovery status
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-16 09:08:32 -06:00
Andy Miller
a3da588829
should fix tests this time
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-16 07:54:44 -06:00
Andy Miller
a3387c106b
more test fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-16 07:50:24 -06:00
Andy Miller
d9d241d806
fix for RecoveryManagerTest
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-16 07:47:50 -06:00
Andy Miller
44f90cbce0
Merge branch 'develop' into 1.8
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-15 20:22:14 -06:00
Andy Miller
57212ec9a5
better plugin checks
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-15 11:24:50 -06:00
Andy Miller
b55e86a8ba
force upgrades before updating
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-15 11:00:54 -06:00
Andy Miller
250568bae5
initial safeupgrade work
2025-10-15 10:29:26 -06:00
Andy Miller
eb985e875d
vendor updates and some fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-10-03 18:16:40 -06:00
Andy Miller
22de638e52
composer updates + php fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-09-20 22:33:56 -06:00
Andy Miller
365ab93e7e
PHP 8.2+ fixes
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-09-20 22:12:55 -06:00
Andy Miller
3bebfc6dac
fixed for tests
...
Signed-off-by: Andy Miller <rhuk@mac.com >
2025-04-01 17:03:42 -06:00
Andy Miller
b96483c49a
Fix tests for latest Codeception version
2024-10-22 13:24:35 +01:00
Andy Miller
51623ee0da
Added custom_base test
2024-05-08 12:35:16 +01:00
Andy Miller
ee8d783d05
better support for external urls in Utils::url()
2024-04-20 15:42:42 +01:00
Andy Miller
0b16401a91
fix special-chars in titleize - fixes #732
2024-01-19 12:39:24 +00:00
Andy Miller
6df03063c8
remove test
2024-01-05 12:34:59 +00:00
Andy Miller
e5990f431d
Revert "Added 'outdated' option to scheduler command ( #3771 )"
...
This reverts commit a71403f158 .
# Conflicts:
# tests/unit/Grav/Common/Scheduler/SchedulerTest.php
2024-01-05 12:31:53 +00:00
Andy Miller
b3d55ca81a
remove a debug
2024-01-05 12:26:08 +00:00
maelanleborgne
a71403f158
Added 'outdated' option to scheduler command ( #3771 )
2024-01-05 11:46:14 +00:00