f29ba72591
Fix security, performance, and code quality issues across CMS
...
Security:
- Replace unescaped {!! !!} with Purify::clean() in 15+ Blade templates (XSS)
- Add rate limiting to register (3/hr), upload (10/min), SSE (6/min)
- Add max:5000 validation on article comments
- Remove duplicate exception handler callback
Hardcoded paths:
- Replace ~44 /var/www/ hardcoded paths with env() configs
- CatalogService (13), AutoDetectService (18), Commandocentrum (11), AppServiceProvider (2)
Performance:
- Add 10 missing database indexes (radio_song_requests, help_center_tickets, etc.)
- Replace Cache::flush() with targeted Cache::forget() in RadioSettings
- Cache getCachedCategories() in TicketController (N+1 fix)
- Remove redundant top-3 leaderboard query
Bug fixes:
- Fix undefined $enabled variable → $isOnline in radio index view
- Add getAvatarAttribute() accessor for non-existent avatar column
- Fix User::guilds() from wrong HasMany to HasManyThrough
Code quality:
- Replace file_get_contents with Http::timeout(10) in TraxService
- Remove commented Echo/Pusher boilerplate in bootstrap.js
- Remove TODO/FIXME comments from logo-generator templates
- Replace hardcoded Turnstile CDN URL with config()
- Restore QUEUE_CONNECTION=redis in .env.example files
2026-06-29 18:28:19 +02:00
0b6f14d5bf
Fix remaining issues: CDN config, min_staff_rank defaults, blade views
...
- Centralize all CDN URLs in config('habbo.cdn.*') with env overrides
- Replace hardcoded CDN URLs in 12+ blade views (fancybox, sweetalert2,
alpinejs, fontsource, fontawesome, html2canvas)
- Fix font-awesome 7.0.0 (non-existent) -> config with 6.7.0 default
- Centralize all hardcoded min_staff_rank defaults (3 and 7) to config
- Add MIN_STAFF_RANK and MIN_STAFF_RANK_LOGIN env variables
2026-06-08 19:11:28 +02:00
6eeb85fcf2
Improvements: fix duplicate seeder, add missing seeders, remove redundant $with, add migration down(), optimize queries
2026-06-08 18:33:24 +02:00
f7fe86efeb
Refactor HotelApiController into 6 focused controllers + FurniEditorController Eloquent migration
2026-06-04 20:32:15 +02:00
b2bb1811d0
Medium priority fixes: CORS from env, shared HasRadioSettings trait, lazy RconService, validated() fixes, LogoGenerator hardening, DB indexes, user profile consistency, radio rank N+1 fix
2026-06-04 20:05:36 +02:00
4b6872e5e0
Low priority fixes: debug comments, Fortify cleanup, badge cost setting, profile query merge, User model fixes, VPN constructor cleanup, PayPal POST, PII removal, Dutch→English translations, duplicate rank check, CHANGELOG
2026-06-04 19:57:01 +02:00
2d8beaa531
chore: fix code style with Laravel Pint
2026-05-23 19:05:37 +02:00
75b78c17fa
refactor: improve security, split routes, add API resources and FormRequests
...
- Fix timing attack vulnerability in AuthController
- Split web.php (316 lines) into 7 focused route files
- Add 8 API Resources for consistent response formatting
- Add 8 FormRequest classes for centralized validation
- Use Resources instead of manual array mapping in controllers
2026-05-20 23:03:16 +02:00
b1739cabbf
fix(security): eliminate remaining critical vulnerabilities
...
- SystemFixService: removed ALL shell_exec/sudo calls (30+ instances), replaced with
safe PHP alternatives (mkdir, chmod, disk_total_space, Artisan calls)
- InstallationController: added ALLOWED_SETTINGS whitelist to prevent arbitrary
settings manipulation via request data
- ExceptionHandler: removed dangerous npm run build execution and hardcoded
chown/chmod paths from auto-recovery
- AuthController: fixed user enumeration timing attack by running Hash::make()
even when user doesn't exist (constant-time comparison)
- DDoSDetectionCommand: added IP validation (FILTER_VALIDATE_IP) before blocking
to prevent iptables manipulation with spoofed/malicious IPs
- trackRequest: now validates IP before storing in cache
2026-05-19 19:46:38 +02:00
81e99933e4
refactor: improve code quality across controllers and services
...
- DRY FurniEditorController: extract duplicate try/catch blocks into handleApiError(),
formatItemData(), buildUpdateData(), buildInsertData(), castValue() methods
- ProfileController: replace 45 lines of manual date formatting with Carbon's diffForHumans()
- Replace custom Password rule (180 lines) with Laravel's built-in Password::min() rule
- RadioController: extract RadioStreamService and RadioScheduleService, reducing from 608 to 323 lines
- Add RadioSettings enum to replace magic strings throughout radio feature
- Add CurrencyTypes::columnName() helper method
- Add consistent return types (JsonResponse, View, RedirectResponse) to all controller methods
2026-05-19 19:16:59 +02:00
9d73f82529
Initial commit
2026-05-09 17:32:17 +02:00
root