Improve security, validation, and isolation checks

Add multiple security and validation improvements across the app: - Prevent session fixation: regenerate session ID on login and after successful 2FA; tighten session cookie params (Secure, HttpOnly, SameSite=Lax). - Harden installer: add CSRF checks for install/update flows and use PDO::quote when injecting admin credentials into SQL migration to avoid injection; add csrf_field() to installer templates. - Template hardening: add safe_url and safe_mailto Twig filters, escape tag names for JS, and add rel="noopener noreferrer" to external links to mitigate XSS/opener risks. - Domain controller: validate referrer to avoid open redirects, enforce user isolation mode when finding/deleting/updating domains and when assigning notification groups (ensures users only affect their own resources). - Notification groups: verify channel belongs to group before deleting or toggling to prevent unauthorized access. - ErrorLog: whitelist allowed sort columns to avoid arbitrary column injection in ORDER BY. - Routes: move the debug whois route to protected/admin area. These changes collectively reduce attack surface (XSS, open redirect, session fixation, SQL injection) and enforce proper resource isolation and input validation.
2026-03-11 00:03:54 +02:00
parent 36abf58838
commit e3006738a9
19 changed files with 112 additions and 34 deletions
--- a/core/SessionConfig.php
+++ b/core/SessionConfig.php
@@ -69,6 +69,15 @@ class SessionConfig
     */
    public static function start(): void
    {
+        session_set_cookie_params([
+            'lifetime' => 0,
+            'path' => '/',
+            'domain' => '',
+            'secure' => !empty($_SERVER['HTTPS']),
+            'httponly' => true,
+            'samesite' => 'Lax',
+        ]);
+
        session_start();
        
        // Validate session exists in database (for database-backed sessions)
--- a/core/TwigService.php
+++ b/core/TwigService.php
@@ -239,6 +239,26 @@ class TwigService
            return \App\Helpers\ViewHelper::formatBytes($bytes, $precision);
        }));

+        $this->twig->addFilter(new TwigFilter('safe_url', function (?string $url): string {
+            if ($url === null || $url === '') {
+                return '#';
+            }
+            if (preg_match('#^https?://#i', $url)) {
+                return $url;
+            }
+            return '#';
+        }));
+
+        $this->twig->addFilter(new TwigFilter('safe_mailto', function (?string $email): string {
+            if ($email === null || $email === '') {
+                return '#';
+            }
+            if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
+                return 'mailto:' . $email;
+            }
+            return '#';
+        }));
+
        $this->twig->addFilter(new TwigFilter('from_json', function ($value) {
            if ($value === null || $value === '') {
                return [];