Andy Miller
c191b0b47e
improved yaml linter to use built-in grav for more detail
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-05 12:16:42 -07:00
Andy Miller
dfdd3786cb
update vendor libs
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-04 12:34:26 -07:00
Andy Miller
db852f3a47
trigger docker workflow on release
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-04 12:34:17 -07:00
Andy Miller
13a2093726
Merge branch '1.8' of github.com:getgrav/grav into 1.8
2026-02-04 12:34:03 -07:00
Andy Miller
b85e87ae3f
Added -v for YamlLinter
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-04 12:33:32 -07:00
Andy Miller
e0f5db7c8c
Add claude GitHub actions 1770170196497 (#4028)
* checkout correct version
Signed-off-by: Andy Miller <rhuk@mac.com>
* cache-cleanup command
Signed-off-by: Andy Miller <rhuk@mac.com>
* remove standalone binary
Signed-off-by: Andy Miller <rhuk@mac.com>
* "Claude PR Assistant workflow"
* "Claude Code Review workflow"
---------
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-03 18:58:34 -07:00
Andy Miller
4a76ba18b6
remove standalone binary
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-01-30 09:54:58 -07:00
Andy Miller
607ef2797c
cache-cleanup command
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-01-30 09:48:38 -07:00
Andy Miller
07de0cb4e6
prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.29
2025-12-27 19:52:39 -07:00
Andy Miller
007b168ad9
don’t do internal gzip, rely on webserver
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 21:41:20 -07:00
Andy Miller
952830b529
fix gzip encoding issue with newer PHP 8 versions
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 21:17:22 -07:00
Andy Miller
dbd80799fe
update vendor libs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 20:49:22 -07:00
Andy Miller
853ccb6464
fix for broken symlinks
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 16:32:20 -07:00
Andy Miller
4774622d26
minor tweak for api script
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-23 21:54:28 -07:00
Andy Miller
0e4f37eca7
fix of setEscaper move in Twig 3.9+
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-22 21:43:10 -07:00
Andy Miller
6b54b32140
fix for user editing causing hashed_password to be removed
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-17 14:36:53 -07:00
Andy Miller
368982cb46
fix for nested config changes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-17 12:06:59 -07:00
Andy Miller
b086561160
fix for unusual format SVGs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-15 15:08:15 -07:00
Andy Miller
15cb068f95
fix for grav not picking up config + page changes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-12 16:29:43 -07:00
Andy Miller
d34213232b
avoid mail in twig content trigger security error
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-12 16:20:35 -07:00
Andy Miller
7a6b8a90d4
prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.28
2025-12-08 20:46:53 -07:00
Andy Miller
306f33f4ae
fixes for twig3 loader + improve recovery mode
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-08 18:07:32 -07:00
Andy Miller
6cb8229806
fix for missing file
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-08 10:58:46 -07:00
Andy Miller
95e285efa4
Merge branch 'performance-part-3' into 1.8
2025-12-05 21:00:33 -07:00
Andy Miller
80410dae13
opcache fix in CompiledFile
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-05 20:59:46 -07:00
Andy Miller
fae70e5fc9
fixes #4002 - Backups blocking /var/www
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-03 19:30:32 -07:00
Andy Miller
9d9247a32f
fix false positives in Security with on_events
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-03 14:17:17 -07:00
Andy Miller
94d85cd873
add support for environment in grav scheduler
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-03 10:41:29 -07:00
Andy Miller
0f879bd1d4
prepare for beta.27 release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.27
2025-11-30 16:17:37 -07:00
Andy Miller
fd828d452e
trim down default user/config/system.yaml
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-30 16:14:35 -07:00
Andy Miller
63bbc1cac6
flex-objects caching fix
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-30 16:06:31 -07:00
Andy Miller
528032b11a
update changelog
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-29 21:18:57 -07:00
Andy Miller
a4c3a3af6d
Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7)
The original CVE-2023-31506 fix missed the deprecated <isindex> HTML tag,
which can still be used for XSS via event handlers like onmouseover.
The <isindex> tag is deprecated in HTML5 and has no legitimate modern use.
2025-11-29 21:07:23 -07:00
Andy Miller
b7e1958a6e
Merge branch 'fix/GHSA-4cwq-j7jv-qmwg-title-email-leak' into 1.8
2025-11-29 18:29:39 -07:00
Andy Miller
0c38968c58
Fix email disclosure in user edit page title (GHSA-4cwq-j7jv-qmwg)
Security fix for IDOR-style information disclosure where the admin
email address was leaked in the <title> tag even on 403 Forbidden
responses.
The edit view title template previously included the email:
{{ fullname ?? username }} <{{ email }}>
Now shows only the name/username without email:
{{ fullname ?? username }}
This prevents low-privilege users from enumerating admin email
addresses by accessing /admin/accounts/users/{username} URLs.
2025-11-29 18:27:08 -07:00
Andy Miller
9d11094e41
Merge branch 'fix/GHSA-x62q-p736-3997-GHSA-gq3g-666w-7h85-admin-security' into 1.8
2025-11-29 17:52:03 -07:00
Andy Miller
ed640a1314
Merge branch 'fix/GHSA-p4ww-mcp9-j6f2-GHSA-m8vh-v6r6-w7p6-GHSA-j422-qmxp-hv94-file-path-security' into 1.8
2025-11-29 17:45:33 -07:00
Andy Miller
e37259527d
Merge branch 'fix/GHSA-662m-56v4-3r8f-GHSA-858q-77wx-hhx6-GHSA-8535-hvm8-2hmv-GHSA-gjc5-8cfh-653x-GHSA-52hh-vxfw-p6rg-ssti-sandbox' into 1.8
2025-11-29 17:30:39 -07:00
Andy Miller
3462d94d57
Merge branch 'fix/GHSA-h756-wh59-hhjv-GHSA-cjcp-qxvg-4rjm-username-validation' into 1.8
2025-11-29 17:29:15 -07:00
Andy Miller
19c2f8da76
Fix path traversal and uniqueness vulnerabilities in username validation
Security fixes for:
- GHSA-h756-wh59-hhjv: Path traversal via username during account creation
- GHSA-cjcp-qxvg-4rjm: Username uniqueness bypass
Changes:
Framework/Flex/Storage/AbstractFilesystemStorage.php:
- Added validateKey() to check for path traversal attempts
- Blocks: .., /, \, null bytes, control characters
- Added assertValidKey() public method for external validation
Framework/Flex/Storage/FolderStorage.php:
- Key validation now enforced in createRows()
User/DataUser/User.php:
- Added isValidUsername() static method for reusable validation
- Added uniqueness check in save() - blocks if user already exists
- Validation blocks: path traversal, hidden files, dangerous characters
Flex/Types/Users/UserObject.php:
- Validation now blocks hidden files (starting with .)
Added unit tests:
- tests/unit/Grav/Common/Security/UsernameValidationTest.php
- 50 tests covering path traversal, dangerous characters, and valid usernames
2025-11-29 17:25:02 -07:00
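The validation described in the commit above, as an added example that is not Grav's own code: a username/key validator that rejects the same input classes the message lists (parent-directory references, path separators, null bytes, control characters, hidden-file names), followed by a case-insensitive uniqueness check against an accounts directory. The class name, the `.yaml`-per-user layout, the 64-character limit and the allow-list regex are assumptions for this demonstration.

```php
<?php
// Added example (not Grav's code): storage-key / username validation plus a
// uniqueness check against the file system. Names and layout are assumptions.
declare(strict_types=1);

final class UsernameValidator
{
    /** Reject anything that could escape or alias a path when used as a file name. */
    public static function isValidUsername(string $username): bool
    {
        if ($username === '' || strlen($username) > 64) {
            return false;
        }
        // Null bytes and ASCII control characters (0x00-0x1F, 0x7F).
        if (preg_match('/[\x00-\x1F\x7F]/', $username)) {
            return false;
        }
        // Path separators and parent-directory references.
        if (strpbrk($username, '/\\') !== false || str_contains($username, '..')) {
            return false;
        }
        // Hidden files (".htaccess", ".env") must never be creatable as accounts.
        if ($username[0] === '.') {
            return false;
        }
        // Positive allow-list on top of the deny-list above (assumed character set).
        return preg_match('/^[a-z0-9][a-z0-9_.-]*$/i', $username) === 1;
    }

    /** Throw instead of returning false, for callers that cannot recover. */
    public static function assertValidKey(string $key): void
    {
        if (!self::isValidUsername($key)) {
            throw new InvalidArgumentException('Invalid key: ' . json_encode($key));
        }
    }

    /**
     * Uniqueness against the real directory entries, compared case-insensitively
     * because the account files may live on a case-insensitive volume.
     */
    public static function exists(string $accountsDir, string $username): bool
    {
        $target = strtolower($username . '.yaml');
        foreach (scandir($accountsDir) ?: [] as $entry) {
            if (strtolower($entry) === $target) {
                return true;
            }
        }
        return false;
    }
}

// Constructed demonstration: a temporary accounts directory with one existing user.
$dir = sys_get_temp_dir() . '/accounts_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/admin.yaml', "fullname: Admin\n");

$cases = ['alice', 'Admin', '../../etc/passwd', "bob\0", '.htaccess', 'a/b', 'a\\b'];
foreach ($cases as $name) {
    $valid = UsernameValidator::isValidUsername($name);
    $taken = $valid && UsernameValidator::exists($dir, $name);
    printf("%-22s valid=%-3s taken=%s\n", json_encode($name),
        $valid ? 'yes' : 'no', $taken ? 'yes' : 'no');
}

unlink($dir . '/admin.yaml');
rmdir($dir);
```

The cases cover a plain name, a name that differs from an existing account only by case, a traversal sequence, an embedded null byte, a hidden-file name and both separator styles; only the first two reach the uniqueness check. Validation and uniqueness are kept as separate steps because the first is a pure string property while the second depends on the state of the store at save time.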
Andy Miller
a161399c84
Fix DoS via cron expressions and password hash exposure
Security fixes for:
- GHSA-x62q-p736-3997: DoS via invalid cron expression in scheduler
- GHSA-gq3g-666w-7h85: Password hash exposure to frontend
Changes:
Scheduler/Job.php:
- Added try-catch around CronExpression::factory() to prevent DoS
- Added isValidCronExpression() static validation method
- Returns null instead of throwing on invalid expressions
Scheduler/IntervalTrait.php:
- Added try-catch in at() method for graceful handling
Twig/Extension/GravExtension.php:
- Protected cronFunc() from invalid expressions
Console/Cli/SchedulerCommand.php:
- Handle null cron expressions (shows "Invalid cron" error)
Flex/Types/Users/UserObject.php:
- Override jsonSerialize() to filter out hashed_password, secret, twofa_secret
- Prevents sensitive data from being exposed to frontend/HTML
User/DataUser/User.php:
- Same jsonSerialize() override for DataUser implementation
Added unit tests:
- tests/unit/Grav/Common/Security/AdminSecurityTest.php
- 53 tests covering cron validation and password hash protection
2025-11-29 17:24:41 -07:00
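The `jsonSerialize()` override described in the commit above, as an added example that is not Grav's own code: a user object that keeps the full record available for authentication and storage but strips `hashed_password`, `secret` and `twofa_secret` (at any nesting depth) from whatever `json_encode()` produces, which is the path a Twig `|json_encode` filter or an API response takes. The class name, the `toArray()`/`authenticate()` methods and the sample record are assumptions.

```php
<?php
// Added example (not Grav's code): filter sensitive fields at the serialization
// boundary only, so authentication keeps working on the full record.
declare(strict_types=1);

final class DemoUser implements JsonSerializable
{
    /** Fields that must never leave the server in serialized form. */
    private const SENSITIVE = ['hashed_password', 'secret', 'twofa_secret'];

    public function __construct(private array $data) {}

    /** Full record, for internal use only (storage, authentication). */
    public function toArray(): array
    {
        return $this->data;
    }

    /** Authentication reads the hash directly; the filter below does not affect it. */
    public function authenticate(string $password): bool
    {
        $hash = $this->data['hashed_password'] ?? '';
        return $hash !== '' && password_verify($password, $hash);
    }

    /** json_encode() calls this, so every template or API path gets the filtered view. */
    public function jsonSerialize(): array
    {
        return self::strip($this->data);
    }

    /** Remove sensitive keys at every depth, in case a record nests them. */
    private static function strip(array $data): array
    {
        foreach ($data as $key => $value) {
            if (in_array($key, self::SENSITIVE, true)) {
                unset($data[$key]);
            } elseif (is_array($value)) {
                $data[$key] = self::strip($value);
            }
        }
        return $data;
    }
}

// Constructed sample record.
$user = new DemoUser([
    'username'        => 'admin',
    'email'           => 'admin@example.test',
    'hashed_password' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'twofa_secret'    => 'JBSWY3DPEHPK3PXP',
    'profile'         => ['secret' => 'nested-value', 'timezone' => 'UTC'],
]);

echo json_encode($user, JSON_PRETTY_PRINT), "\n";               // filtered view
var_dump($user->authenticate('correct horse battery staple'));  // full record still used
var_dump(array_key_exists('hashed_password', $user->toArray()));
```

Filtering inside `jsonSerialize()` rather than at each call site is what makes the fix hold for code paths nobody audited: any future `json_encode($user)` inherits it. The trade-off is that `toArray()` remains a full-record accessor, so it must not be reachable from templates.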
Andy Miller
5f120c328b
Fix file read, DoS, and path traversal vulnerabilities
Security fixes for:
- GHSA-p4ww-mcp9-j6f2: Arbitrary file read via read_file() Twig function
- GHSA-m8vh-v6r6-w7p6: DoS via malformed language code in regex
- GHSA-j422-qmxp-hv94: Path traversal in backup root configuration
Changes:
GravExtension.php - readFileFunc():
- Added realpath validation to prevent path traversal
- Blocked reading files outside GRAV_ROOT
- Blocked sensitive files: accounts/*.yaml, .env, .git, logs, backups, vendor
Language.php:
- Fixed regex delimiter in setActiveFromUri() to properly escape language codes
- Added validation in setLanguages() to only allow valid language codes
- Pattern: /^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/
Backups.php:
- Added path traversal protection with realpath validation
- Blocked access to system directories: /etc, /root, /home, /var, etc.
Added unit tests:
- tests/unit/Grav/Common/Security/FilePathSecurityTest.php
- 55 tests covering language code validation and regex injection prevention
2025-11-29 17:24:22 -07:00
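The two checks in the commit above, as an added example that is not Grav's own code: a guarded file read that canonicalises with `realpath()`, requires the result to sit under the root (prefix compared with a trailing separator), and refuses a list of sensitive locations; and a language-code validator using the pattern quoted in the message, together with a URI-prefix regex builder that runs each code through `preg_quote()` so a code can never alter the regex it is embedded in. The `GuardedRead`/`LanguageCode` names, the blocked-path list and the temporary directory layout are assumptions.

```php
<?php
// Added example (not Grav's code): root-confined file read and language-code
// validation. Class names, the blocked list and the sandbox tree are assumptions.
declare(strict_types=1);

final class GuardedRead
{
    /** Path fragments (relative to the root) never readable from templates. */
    private const BLOCKED = ['user/accounts/', '.env', '.git', 'logs/', 'backup/', 'vendor/'];

    public static function readFile(string $root, string $path): ?string
    {
        if ($path === '') {
            return null;
        }
        $root = realpath($root);
        // realpath() resolves "..", symlinks and repeated separators and returns
        // false for a missing file, which is treated as a refusal as well.
        $real = realpath($path[0] === '/' ? $path : $root . '/' . $path);
        if ($root === false || $real === false) {
            return null;
        }
        // The trailing separator matters: "/srv/grav-evil" must not pass as
        // being inside "/srv/grav".
        if (!str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
            return null;
        }
        $relative = substr($real, strlen($root) + 1);
        foreach (self::BLOCKED as $fragment) {
            if (str_contains($relative, $fragment)) {
                return null;
            }
        }
        $content = file_get_contents($real);
        return $content === false ? null : $content;
    }
}

final class LanguageCode
{
    private const PATTERN = '/^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/';

    public static function isValid(string $code): bool
    {
        return preg_match(self::PATTERN, $code) === 1;
    }

    /** Build the URI-prefix regex from configured codes, quoting each one. */
    public static function uriRegex(array $codes): string
    {
        $codes = array_filter($codes, [self::class, 'isValid']);
        $alternation = implode('|', array_map(
            static fn(string $c): string => preg_quote($c, '/'),
            $codes
        ));
        return '/^\/(' . $alternation . ')(\/|$)/';
    }
}

// Constructed sandbox tree: one readable page, one account file, one file outside.
$root = sys_get_temp_dir() . '/gravroot_' . bin2hex(random_bytes(4));
$outside = $root . '_outside.txt';
mkdir($root . '/user/pages', 0700, true);
mkdir($root . '/user/accounts', 0700, true);
file_put_contents($root . '/user/pages/hello.md', "# hello\n");
file_put_contents($root . '/user/accounts/admin.yaml', "hashed_password: x\n");
file_put_contents($outside, "secret\n");

foreach (['user/pages/hello.md', 'user/accounts/admin.yaml',
          '../' . basename($outside), '/etc/hostname'] as $p) {
    $r = GuardedRead::readFile($root, $p);
    printf("%-40s %s\n", $p, $r === null ? 'refused' : 'read ' . strlen($r) . ' bytes');
}

foreach (['en', 'pt-BR', 'zh_Hans', 'en/', 'en).*|(x'] as $code) {
    printf("%-12s %s\n", $code, LanguageCode::isValid($code) ? 'valid' : 'invalid');
}
echo LanguageCode::uriRegex(['en', 'pt-BR', 'en/bad']), "\n";

unlink($outside);
unlink($root . '/user/pages/hello.md');
unlink($root . '/user/accounts/admin.yaml');
rmdir($root . '/user/pages');
rmdir($root . '/user/accounts');
rmdir($root . '/user');
rmdir($root);
```

The last two language samples are the point of the regex fix: a value that passes the allow-list can still be inserted into a larger pattern only because `preg_quote()` neutralises it, and a value like `en).*|(x` is rejected before it gets that far. For the file read, the order of checks is deliberate: canonicalise first, then confine to the root, then apply the deny-list to the canonical relative path, so that neither `..` nor a symlink can be used to dodge the deny-list.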
Andy Miller
db924c4a26
Expand SSTI sandbox blacklist to block known attack vectors
Security fixes for:
- GHSA-662m-56v4-3r8f: SSTI sandbox bypass via nested evaluate_twig
- GHSA-858q-77wx-hhx6: Privilege escalation via grav.user/scheduler
- GHSA-8535-hvm8-2hmv: Context leak via Forms _context access
- GHSA-gjc5-8cfh-653x: Sandbox bypass via grav.config.set
- GHSA-52hh-vxfw-p6rg: CVE-2024-28116 bypass via string concatenation
Changes to cleanDangerousTwig():
- Added 150+ dangerous PHP functions to blacklist
- Blocked access to grav.scheduler, grav.twig.twig, grav.backups, grav.gpm
- Blocked config modification via config.set()
- Blocked user modification via grav.user.update()/save()
- Blocked context/internal access via _context, _self, twig_vars
- Blocked evaluate_twig/evaluate to prevent nested bypass
- Added string concatenation pattern detection for bypass attempts
- Blocked SSRF vectors (curl, fsockopen, stream_socket)
- Blocked file operations, serialization, reflection classes
Performance optimizations:
- Early exit if string has no Twig blocks ({{ or {%})
- Static caching of compiled regex patterns (built once, reused)
- Combined all patterns into 4 single regex operations instead of ~190 loops
- Consolidated property patterns using regex alternation groups
Added unit tests:
- tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php
- 104 tests covering all GHSA advisories and dangerous patterns
2025-11-29 17:24:06 -07:00
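The structure of a pattern-based Twig sanitizer with the properties the commit above lists, as an added example that is not Grav's `cleanDangerousTwig()`: an early exit when the string has no `{{` or `{%`, patterns quoted and compiled once into a handful of combined regexes, property-chain matching that tolerates whitespace around dots, and a separate pass for the `"sys" ~ "tem"` string-concatenation bypass. The `TwigSanitizer` name, the replacement marker and the pattern lists (a small illustrative subset, not the project's blacklist) are assumptions.

```php
<?php
// Added example (not Grav's code): a block-wise Twig sanitizer illustrating the
// early exit, static pattern compilation and concatenation detection the commit
// message lists. Pattern lists are a short illustrative subset, not the real one.
declare(strict_types=1);

final class TwigSanitizer
{
    private const DANGEROUS_FUNCTIONS = [
        'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open',
        'eval', 'unserialize', 'file_get_contents', 'file_put_contents',
        'curl_exec', 'fsockopen', 'stream_socket_client', 'evaluate_twig', 'evaluate',
    ];
    private const DANGEROUS_PROPERTIES = [
        'grav.scheduler', 'grav.twig.twig', 'grav.backups', 'grav.gpm',
        'config.set', 'user.update', 'user.save', '_context', '_self', 'twig_vars',
    ];
    private const DANGEROUS_CLASSES = ['ReflectionClass', 'ReflectionFunction', 'SplFileObject'];

    /** @var array<string,string>|null compiled once per process, then reused */
    private static ?array $compiled = null;

    private static function patterns(): array
    {
        if (self::$compiled === null) {
            $quote = static fn(array $items): string =>
                implode('|', array_map(static fn(string $i): string => preg_quote($i, '/'), $items));
            self::$compiled = [
                // a blocked name followed by "(" is a call
                'functions'  => '/\b(?:' . $quote(self::DANGEROUS_FUNCTIONS) . ')\s*\(/i',
                // property chains, allowing whitespace around the dots
                'properties' => '/\b(?:' . str_replace('\.', '\s*\.\s*', $quote(self::DANGEROUS_PROPERTIES)) . ')\b/i',
                'classes'    => '/\b(?:' . $quote(self::DANGEROUS_CLASSES) . ')\b/',
                // two short quoted fragments joined with ~ (e.g. "sys" ~ "tem")
                'concat'     => '/([\'"])[a-z_]+\1\s*~\s*([\'"])[a-z_]+\2/i',
            ];
        }
        return self::$compiled;
    }

    /** Return the input unchanged when safe, otherwise with each offending block replaced. */
    public static function clean(string $twig): string
    {
        // Early exit: nothing Twig would evaluate, nothing to scan.
        if (!str_contains($twig, '{{') && !str_contains($twig, '{%')) {
            return $twig;
        }
        return preg_replace_callback('/\{[{%].*?[}%]\}/s', static function (array $m): string {
            foreach (self::patterns() as $name => $regex) {
                if (preg_match($regex, $m[0])) {
                    return '{# blocked: ' . $name . ' #}';
                }
            }
            return $m[0];
        }, $twig) ?? $twig;
    }
}

// Constructed inputs: one benign block, four bypass shapes, one plain string.
$samples = [
    'Hello {{ user.fullname }}',
    '{{ grav.config.set("system.debugger.enabled", true) }}',
    "{{ evaluate_twig('{{ system(\"id\") }}') }}",
    '{{ ("sys" ~ "tem")("id") }}',
    '{% set r = attribute(grav . scheduler, "saveJobs") %}',
    'No twig at all',
];
foreach ($samples as $s) {
    echo str_pad($s, 58), ' => ', TwigSanitizer::clean($s), "\n";
}
```

Compiling the alternations once and scanning each block with four regexes instead of looping over every pattern is what keeps a sanitizer of this kind affordable on every render. The concatenation pass is necessarily heuristic: it catches the reassembly shape the advisory describes, but a denylist cannot be complete, which is why the same commit also removes the objects (`grav.scheduler`, `config.set`, `evaluate_twig`) that make a bypass worth finding.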
Andy Miller
9fc1b42d59
prepare beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.26
2025-11-29 11:02:20 -07:00
Andy Miller
c8878dfc80
upgrade to symfony 7.4 stable
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-29 10:58:03 -07:00
Andy Miller
779661ab8a
more improvements for JS minification and now pulls any broken JS out of pipeline
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-27 20:56:07 +00:00
Andy Miller
3985638a8f
more debug in the Pipeline.php to identify issues
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-27 19:19:02 +00:00
Andy Miller
a78789b291
upgrade composer libs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-24 21:05:46 +00:00
Andy Miller
caa127cd53
disallow xref/xhref in SVGs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-24 21:04:44 +00:00
Andy Miller
5f087d3a43
fix range requests for partial content in Utils::downloads() - Fixes #3990
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-23 17:55:28 +00:00