Commit Graph

345 Commits

Author SHA1 Message Date
Andy Miller
9d11094e41 Merge branch 'fix/GHSA-x62q-p736-3997-GHSA-gq3g-666w-7h85-admin-security' into 1.8 2025-11-29 17:52:03 -07:00
Andy Miller
ed640a1314 Merge branch 'fix/GHSA-p4ww-mcp9-j6f2-GHSA-m8vh-v6r6-w7p6-GHSA-j422-qmxp-hv94-file-path-security' into 1.8 2025-11-29 17:45:33 -07:00
Andy Miller
e37259527d Merge branch 'fix/GHSA-662m-56v4-3r8f-GHSA-858q-77wx-hhx6-GHSA-8535-hvm8-2hmv-GHSA-gjc5-8cfh-653x-GHSA-52hh-vxfw-p6rg-ssti-sandbox' into 1.8 2025-11-29 17:30:39 -07:00
Andy Miller
19c2f8da76 Fix path traversal and uniqueness vulnerabilities in username validation
Security fixes for:
- GHSA-h756-wh59-hhjv: Path traversal via username during account creation
- GHSA-cjcp-qxvg-4rjm: Username uniqueness bypass

Changes:

Framework/Flex/Storage/AbstractFilesystemStorage.php:
- Added validateKey() to check for path traversal attempts
- Blocks: .., /, \, null bytes, control characters
- Added assertValidKey() public method for external validation

Framework/Flex/Storage/FolderStorage.php:
- Key validation now enforced in createRows()

User/DataUser/User.php:
- Added isValidUsername() static method for reusable validation
- Added uniqueness check in save() - blocks if user already exists
- Validation blocks: path traversal, hidden files, dangerous characters

Flex/Types/Users/UserObject.php:
- Validation now blocks hidden files (starting with .)

Added unit tests:
- tests/unit/Grav/Common/Security/UsernameValidationTest.php
- 50 tests covering path traversal, dangerous characters, and valid usernames
2025-11-29 17:25:02 -07:00
Andy Miller
a161399c84 Fix DoS via cron expressions and password hash exposure
Security fixes for:
- GHSA-x62q-p736-3997: DoS via invalid cron expression in scheduler
- GHSA-gq3g-666w-7h85: Password hash exposure to frontend

Changes:

Scheduler/Job.php:
- Added try-catch around CronExpression::factory() to prevent DoS
- Added isValidCronExpression() static validation method
- Returns null instead of throwing on invalid expressions

Scheduler/IntervalTrait.php:
- Added try-catch in at() method for graceful handling

Twig/Extension/GravExtension.php:
- Protected cronFunc() from invalid expressions

Console/Cli/SchedulerCommand.php:
- Handle null cron expressions (shows "Invalid cron" error)

Flex/Types/Users/UserObject.php:
- Override jsonSerialize() to filter out hashed_password, secret, twofa_secret
- Prevents sensitive data from being exposed to frontend/HTML

User/DataUser/User.php:
- Same jsonSerialize() override for DataUser implementation

Added unit tests:
- tests/unit/Grav/Common/Security/AdminSecurityTest.php
- 53 tests covering cron validation and password hash protection
2025-11-29 17:24:41 -07:00
Andy Miller
5f120c328b Fix file read, DoS, and path traversal vulnerabilities
Security fixes for:
- GHSA-p4ww-mcp9-j6f2: Arbitrary file read via read_file() Twig function
- GHSA-m8vh-v6r6-w7p6: DoS via malformed language code in regex
- GHSA-j422-qmxp-hv94: Path traversal in backup root configuration

Changes:

GravExtension.php - readFileFunc():
- Added realpath validation to prevent path traversal
- Blocked reading files outside GRAV_ROOT
- Blocked sensitive files: accounts/*.yaml, .env, .git, logs, backups, vendor

Language.php:
- Fixed regex delimiter in setActiveFromUri() to properly escape language codes
- Added validation in setLanguages() to only allow valid language codes
- Pattern: /^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/

Backups.php:
- Added path traversal protection with realpath validation
- Blocked access to system directories: /etc, /root, /home, /var, etc.

Added unit tests:
- tests/unit/Grav/Common/Security/FilePathSecurityTest.php
- 55 tests covering language code validation and regex injection prevention
2025-11-29 17:24:22 -07:00
Andy Miller
db924c4a26 Expand SSTI sandbox blacklist to block known attack vectors
Security fixes for:
- GHSA-662m-56v4-3r8f: SSTI sandbox bypass via nested evaluate_twig
- GHSA-858q-77wx-hhx6: Privilege escalation via grav.user/scheduler
- GHSA-8535-hvm8-2hmv: Context leak via Forms _context access
- GHSA-gjc5-8cfh-653x: Sandbox bypass via grav.config.set
- GHSA-52hh-vxfw-p6rg: CVE-2024-28116 bypass via string concatenation

Changes to cleanDangerousTwig():
- Added 150+ dangerous PHP functions to blacklist
- Blocked access to grav.scheduler, grav.twig.twig, grav.backups, grav.gpm
- Blocked config modification via config.set()
- Blocked user modification via grav.user.update()/save()
- Blocked context/internal access via _context, _self, twig_vars
- Blocked evaluate_twig/evaluate to prevent nested bypass
- Added string concatenation pattern detection for bypass attempts
- Blocked SSRF vectors (curl, fsockopen, stream_socket)
- Blocked file operations, serialization, reflection classes

Performance optimizations:
- Early exit if string has no Twig blocks ({{ or {%})
- Static caching of compiled regex patterns (built once, reused)
- Combined all patterns into 4 single regex operations instead of ~190 loops
- Consolidated property patterns using regex alternation groups

Added unit tests:
- tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php
- 104 tests covering all GHSA advisories and dangerous patterns
2025-11-29 17:24:06 -07:00
Andy Miller
4e11ca7c8e Fix slow SafeUpgradeServiceTest by optimizing snapshot pruning 2025-11-20 10:51:45 +00:00
Andy Miller
3b1c332932 Fix safe-upgrade snapshot creation (copy vs move) and implement pruning 2025-11-18 18:21:34 +00:00
Andy Miller
7fd614f8b6 Add Twig 3 compatibility transformations for raw, divisibleby, and none 2025-11-18 17:46:20 +00:00
Andy Miller
5567a5a1cd twig3 compatibility fixes + tests
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 17:25:07 +00:00
Andy Miller
cbf5ec57c6 test fixes + major/minor plugin warnings
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:33:24 +00:00
Andy Miller
73d3a90c0b test fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-09 13:11:17 +00:00
Andy Miller
b2f2e7bd45 more recovery manage fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-19 18:37:12 -06:00
Andy Miller
3fbd6771e9 more recovery fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-19 18:18:20 -06:00
Andy Miller
348fa04c47 recovery/command fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-19 17:59:17 -06:00
Andy Miller
e30245789c move recover.flag
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-19 16:02:51 -06:00
Andy Miller
942f523f18 fix test
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-18 19:09:59 -06:00
Andy Miller
f9348a4d9d Merge branch 'develop' into 1.8
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-17 18:35:14 -06:00
Andy Miller
44fd1172b8 more granular install for self upgrade
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-17 18:18:53 -06:00
Andy Miller
920642411c move back to cp instead of mv for snapshots
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-17 17:53:48 -06:00
Andy Miller
2999c06a3a change snapshot storage 2025-10-17 16:49:42 -06:00
Andy Miller
c56d24c0d7 timelimit on recovery status
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-16 09:08:53 -06:00
Andy Miller
ee49305053 timelimit on recovery status
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-16 09:08:32 -06:00
Andy Miller
a3da588829 should fix tests this time
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-16 07:54:44 -06:00
Andy Miller
a3387c106b more test fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-16 07:50:24 -06:00
Andy Miller
d9d241d806 fix for RecoveryManagerTest
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-16 07:47:50 -06:00
Andy Miller
44f90cbce0 Merge branch 'develop' into 1.8
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-15 20:22:14 -06:00
Andy Miller
57212ec9a5 better plugin checks
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-15 11:24:50 -06:00
Andy Miller
b55e86a8ba force upgrades before updating
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-15 11:00:54 -06:00
Andy Miller
250568bae5 initial safeupgrade work 2025-10-15 10:29:26 -06:00
Andy Miller
eb985e875d vendor updates and some fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-10-03 18:16:40 -06:00
Andy Miller
22de638e52 composer updates + php fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-09-20 22:33:56 -06:00
Andy Miller
365ab93e7e PHP 8.2+ fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-09-20 22:12:55 -06:00
Andy Miller
3bebfc6dac fixed for tests
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-04-01 17:03:42 -06:00
Andy Miller
b96483c49a Fix tests for latest Codeception version 2024-10-22 13:24:35 +01:00
Andy Miller
4f1f9a7755 Merge branch 'develop' into feature/v1.8
# Conflicts:
#	CHANGELOG.md
#	composer.lock
2024-10-14 19:25:17 +01:00
Andy Miller
51623ee0da Added custom_base test 2024-05-08 12:35:16 +01:00
Andy Miller
ee8d783d05 better support for external urls in Utils::url() 2024-04-20 15:42:42 +01:00
Andy Miller
0b16401a91 fix special-chars in titleize - fixes #732 2024-01-19 12:39:24 +00:00
Andy Miller
6df03063c8 remove test 2024-01-05 12:34:59 +00:00
Andy Miller
e5990f431d Revert "Added 'outdated' option to scheduler command (#3771)"
This reverts commit a71403f158.

# Conflicts:
#	tests/unit/Grav/Common/Scheduler/SchedulerTest.php
2024-01-05 12:31:53 +00:00
Andy Miller
b3d55ca81a remove a debug 2024-01-05 12:26:08 +00:00
maelanleborgne
a71403f158 Added 'outdated' option to scheduler command (#3771) 2024-01-05 11:46:14 +00:00
Jeremy Angele
80ce87e4a9 Update dangerous extensions (#3756)
Thanks for this!
2023-10-24 10:20:22 +01:00
Andy Miller
7a393101ee Merge branch 'develop' into feature/v1.8
# Conflicts:
#	CHANGELOG.md
#	composer.json
#	composer.lock
#	system/blueprints/config/system.yaml
#	system/src/Grav/Common/Twig/WriteCacheFileTrait.php
2023-05-12 13:44:07 -06:00
Andy Miller
93755c7329 fix UtilsTest for PHPUnit 10 2023-02-19 13:48:13 -07:00
Matias Griese
2aff274c31 Merge branch 'develop' of github.com:getgrav/grav into feature/v1.8
 Conflicts:
	composer.lock
	system/src/Grav/Common/GPM/Remote/AbstractPackageCollection.php
2022-06-15 14:39:38 +03:00
Matias Griese
62c4f3c768 Ignore phpstan error 2022-06-14 20:08:04 +03:00
Matias Griese
f31541250f Fixed broken phpstan tests 2022-06-13 19:29:42 +03:00