- SystemFixService: removed ALL shell_exec/sudo calls (30+ instances), replaced with
safe PHP alternatives (mkdir, chmod, disk_total_space, Artisan calls)
- InstallationController: added ALLOWED_SETTINGS whitelist to prevent arbitrary
settings manipulation via request data
- ExceptionHandler: removed dangerous npm run build execution and hardcoded
chown/chmod paths from auto-recovery
- AuthController: fixed user enumeration timing attack by running Hash::make()
even when user doesn't exist (constant-time comparison)
- DDoSDetectionCommand: added IP validation (FILTER_VALIDATE_IP) before blocking
to prevent iptables manipulation with spoofed/malicious IPs
- trackRequest: now validates IP before storing in cache
Added proper return types (View, RedirectResponse, JsonResponse, Collection)
to 40+ controller methods across 16 controllers. Also added missing
imports for Illuminate response types and tightened parameter types
(e.g. InstallationController::showStep now uses int instead of mixed).
root