remco/Atomcms-edit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): patch critical security vulnerabilities

Browse Source 
- Remove User::$guarded = [] to prevent mass assignment attacks
- Enable SQL strict mode and disable emulated prepares (SQL injection prevention)
- Switch password hashing from bcrypt to argon2id (stronger algorithm)
- Enable session encryption to protect session data at rest
- Restrict TrustProxies to localhost only (prevent IP spoofing)
- Restrict CORS allowed_methods via env variable instead of wildcard
- Add PayPal amount mismatch detection to prevent payment manipulation
- Add double-capture prevention (idempotency check)
- Add expected_amount column to transactions table for verification
This commit is contained in:
root
2026-05-19 19:37:15 +02:00
parent 05fc7b04bc
commit 7f59024bef
8 changed files with 56 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/cors.php
+1 -1
View File
@@ -19,7 +19,7 @@ return [
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_methods' => array_filter(array_map(trim(...), explode(',', (string) env('CORS_ALLOWED_METHODS', 'GET,POST,PUT,PATCH,DELETE,OPTIONS'))), fn ($v) => $v !== ''),
'allowed_origins' => array_filter(array_map(trim(...), explode(',', (string) env('CORS_ALLOWED_ORIGINS', ''))), fn ($v) => $v !== ''),
config/database.php
+1 -2
View File
@@ -53,13 +53,12 @@ return [
'collation' => env('DB_COLLATION', 'utf8mb4_unicode_ci'),
'prefix' => '',
'prefix_indexes' => true,
'strict' => false,
'strict' => true,
'engine' => 'InnoDB',
'sticky' => true,
'options' => extension_loaded('pdo_mysql') ? array_filter([
Mysql::ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'),
Mysql::ATTR_INIT_COMMAND => 'SET SESSION sql_mode=(SELECT REPLACE(@@sql_mode,"ONLY_FULL_GROUP_BY",""))',
Mysql::ATTR_EMULATE_PREPARES => true,
]) : [],
],
config/hashing.php
+1 -1
View File
@@ -17,7 +17,7 @@ return [
|
*/
'driver' => 'bcrypt',
'driver' => 'argon2id',
/*
|--------------------------------------------------------------------------
config/session.php
+1 -1
View File
@@ -46,7 +46,7 @@ return [
|
*/
'encrypt' => false,
'encrypt' => env('SESSION_ENCRYPT', true),
/*
|--------------------------------------------------------------------------