mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 22:35:19 +00:00
fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#662)
Customer PDF controllers resolved the target document by raw mailable_id, ignoring mailable_type, and skipped the expiry check on the JSON endpoints. - Resolve via the $emailLog->mailable morph relation and assert the expected type (abort 404) so a token issued for one document type can't disclose another whose numeric id collides. - Enforce isExpired() (abort 403) on every public path, including the JSON getInvoice/getEstimate/getPayment endpoints. - Harden EmailLog::isExpired() to treat a null/unresolvable mailable as expired instead of throwing. Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
This commit is contained in:
committed by
GitHub
parent
e432e4e62f
commit
5839d8385d
@@ -12,16 +12,18 @@ class PaymentPdfController extends Controller
|
||||
{
|
||||
public function getPdf(EmailLog $emailLog, Request $request)
|
||||
{
|
||||
if (! $emailLog->isExpired()) {
|
||||
return $emailLog->mailable->getGeneratedPDFOrStream('payment');
|
||||
}
|
||||
$payment = $emailLog->mailable;
|
||||
abort_unless($payment instanceof Payment, 404);
|
||||
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
|
||||
|
||||
abort(403, 'Link Expired.');
|
||||
return $payment->getGeneratedPDFOrStream('payment');
|
||||
}
|
||||
|
||||
public function getPayment(EmailLog $emailLog)
|
||||
{
|
||||
$payment = Payment::find($emailLog->mailable_id);
|
||||
$payment = $emailLog->mailable;
|
||||
abort_unless($payment instanceof Payment, 404);
|
||||
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
|
||||
|
||||
return new PaymentResource($payment);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user