Improve security, validation, and isolation checks

Add multiple security and validation improvements across the app: - Prevent session fixation: regenerate session ID on login and after successful 2FA; tighten session cookie params (Secure, HttpOnly, SameSite=Lax). - Harden installer: add CSRF checks for install/update flows and use PDO::quote when injecting admin credentials into SQL migration to avoid injection; add csrf_field() to installer templates. - Template hardening: add safe_url and safe_mailto Twig filters, escape tag names for JS, and add rel="noopener noreferrer" to external links to mitigate XSS/opener risks. - Domain controller: validate referrer to avoid open redirects, enforce user isolation mode when finding/deleting/updating domains and when assigning notification groups (ensures users only affect their own resources). - Notification groups: verify channel belongs to group before deleting or toggling to prevent unauthorized access. - ErrorLog: whitelist allowed sort columns to avoid arbitrary column injection in ORDER BY. - Routes: move the debug whois route to protected/admin area. These changes collectively reduce attack surface (XSS, open redirect, session fixation, SQL injection) and enforce proper resource isolation and input validation.
2026-03-11 00:03:54 +02:00
parent 36abf58838
commit e3006738a9
19 changed files with 112 additions and 34 deletions
--- a/app/Views/domains/bulk-add.twig
+++ b/app/Views/domains/bulk-add.twig
@@ -74,7 +74,7 @@
                        <p class="text-xs text-gray-600 dark:text-slate-400 mb-1.5">Available Tags:</p>
                        <div class="flex flex-wrap gap-1.5">
                            {% for tag in availableTags %}
-                                <button type="button" onclick="addTag('{{ tag.name }}')" 
+                                <button type="button" onclick="addTag('{{ tag.name|e('js') }}')" 
                                        class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium border {{ tag.color }} hover:opacity-80 transition-colors">
                                    <i class="fas fa-plus mr-1" style="font-size: 8px;"></i>
                                    {{ tag.name }}
--- a/app/Views/domains/create.twig
+++ b/app/Views/domains/create.twig
@@ -73,7 +73,7 @@
                        <p class="text-xs text-gray-600 dark:text-slate-400 mb-1.5">💡 Available Tags:</p>
                        <div class="flex flex-wrap gap-1.5">
                            {% for tag in availableTags %}
-                                <button type="button" onclick="addTag('{{ tag.name }}')" 
+                                <button type="button" onclick="addTag('{{ tag.name|e('js') }}')" 
                                        class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium border {{ tag.color }} hover:opacity-80 transition-colors">
                                    <i class="fas fa-plus mr-1" style="font-size: 8px;"></i>
                                    {{ tag.name }}
--- a/app/Views/domains/edit.twig
+++ b/app/Views/domains/edit.twig
@@ -76,7 +76,7 @@
                        <p class="text-xs text-gray-600 dark:text-slate-400 mb-1.5">💡 Available Tags:</p>
                        <div class="flex flex-wrap gap-1.5">
                            {% for tag in availableTags %}
-                                <button type="button" onclick="addTag('{{ tag.name }}')" 
+                                <button type="button" onclick="addTag('{{ tag.name|e('js') }}')" 
                                        class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium border {{ tag.color }} hover:opacity-80 transition-colors">
                                    <i class="fas fa-plus mr-1" style="font-size: 8px;"></i>
                                    {{ tag.name }}
--- a/app/Views/domains/tabs/overview.twig
+++ b/app/Views/domains/tabs/overview.twig
@@ -21,7 +21,7 @@
                    {% if domain.registrar_url is not empty %}
                    <div class="flex justify-between">
                        <span class="text-gray-500 dark:text-slate-400">Registrar URL:</span>
-                        <a href="{{ domain.registrar_url }}" target="_blank" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ domain.registrar_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
                            <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                            Visit
                        </a>
--- a/app/Views/domains/tabs/whois.twig
+++ b/app/Views/domains/tabs/whois.twig
@@ -43,7 +43,7 @@
                <div>
                    <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Registrar URL</label>
                    {% if domain.registrar_url is defined and domain.registrar_url %}
-                        <a href="{{ domain.registrar_url }}" target="_blank" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ domain.registrar_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
                            <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                            Visit Registrar
                        </a>
@@ -58,7 +58,7 @@
                <div>
                    <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Abuse Contact</label>
                    {% if domain.abuse_email %}
-                        <a href="mailto:{{ domain.abuse_email }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 block break-all">{{ domain.abuse_email }}</a>
+                        <a href="{{ domain.abuse_email|safe_mailto }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 block break-all">{{ domain.abuse_email }}</a>
                    {% else %}
                        <span class="text-gray-400 dark:text-slate-500">-</span>
                    {% endif %}
--- a/app/Views/domains/view.twig
+++ b/app/Views/domains/view.twig
@@ -98,7 +98,7 @@
                    {% if domain.registrar_url is not empty %}
                    <div>
                        <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Registrar URL</label>
-                        <a href="{{ domain.registrar_url }}" target="_blank" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ domain.registrar_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
                            <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                            Visit
                        </a>
@@ -107,7 +107,7 @@
                    {% if domain.abuse_email is not empty %}
                    <div>
                        <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Abuse Contact</label>
-                        <a href="mailto:{{ domain.abuse_email }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300">
+                        <a href="{{ domain.abuse_email|safe_mailto }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300">
                            {{ domain.abuse_email }}
                        </a>
                    </div>