mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 06:15:20 +00:00
fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#669)
v3 port. Customer PDF controllers resolved the target document by raw mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints. - Resolve via $emailLog->mailable + assert the expected type (404) to close cross-type disclosure. - Enforce isExpired() (403) on every public path incl. the JSON endpoints. - Harden EmailLog::isExpired() against a null/unresolvable mailable. Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
This commit is contained in:
committed by
GitHub
parent
c6a00df120
commit
e56b6b4fe5
@@ -15,46 +15,49 @@ class InvoicePdfController extends Controller
|
||||
{
|
||||
public function getPdf(EmailLog $emailLog, Request $request)
|
||||
{
|
||||
$invoice = Invoice::find($emailLog->mailable_id);
|
||||
// Resolve the document through the morph relation and enforce the
|
||||
// expected type — a token issued for another mailable type (or whose
|
||||
// numeric id collides) must not disclose an invoice.
|
||||
$invoice = $emailLog->mailable;
|
||||
abort_unless($invoice instanceof Invoice, 404);
|
||||
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
|
||||
|
||||
if (! $emailLog->isExpired()) {
|
||||
if ($invoice && ($invoice->status == Invoice::STATUS_SENT || $invoice->status == Invoice::STATUS_DRAFT)) {
|
||||
$invoice->status = Invoice::STATUS_VIEWED;
|
||||
$invoice->viewed = true;
|
||||
$invoice->save();
|
||||
$notifyInvoiceViewed = CompanySetting::getSetting(
|
||||
'notify_invoice_viewed',
|
||||
if ($invoice->status == Invoice::STATUS_SENT || $invoice->status == Invoice::STATUS_DRAFT) {
|
||||
$invoice->status = Invoice::STATUS_VIEWED;
|
||||
$invoice->viewed = true;
|
||||
$invoice->save();
|
||||
$notifyInvoiceViewed = CompanySetting::getSetting(
|
||||
'notify_invoice_viewed',
|
||||
$invoice->company_id
|
||||
);
|
||||
|
||||
if ($notifyInvoiceViewed == 'YES') {
|
||||
$data['invoice'] = Invoice::findOrFail($invoice->id)->toArray();
|
||||
$data['user'] = Customer::find($invoice->customer_id)->toArray();
|
||||
$notificationEmail = CompanySetting::getSetting(
|
||||
'notification_email',
|
||||
$invoice->company_id
|
||||
);
|
||||
|
||||
if ($notifyInvoiceViewed == 'YES') {
|
||||
$data['invoice'] = Invoice::findOrFail($invoice->id)->toArray();
|
||||
$data['user'] = Customer::find($invoice->customer_id)->toArray();
|
||||
$notificationEmail = CompanySetting::getSetting(
|
||||
'notification_email',
|
||||
$invoice->company_id
|
||||
);
|
||||
|
||||
\Mail::to($notificationEmail)->send(new InvoiceViewedMail($data));
|
||||
}
|
||||
\Mail::to($notificationEmail)->send(new InvoiceViewedMail($data));
|
||||
}
|
||||
|
||||
if ($request->has('pdf')) {
|
||||
return $invoice->getGeneratedPDFOrStream('invoice');
|
||||
}
|
||||
|
||||
return view('app')->with([
|
||||
'customer_logo' => get_company_setting('customer_portal_logo', $invoice->company_id),
|
||||
'current_theme' => get_company_setting('customer_portal_theme', $invoice->company_id),
|
||||
]);
|
||||
}
|
||||
|
||||
abort(403, 'Link Expired.');
|
||||
if ($request->has('pdf')) {
|
||||
return $invoice->getGeneratedPDFOrStream('invoice');
|
||||
}
|
||||
|
||||
return view('app')->with([
|
||||
'customer_logo' => get_company_setting('customer_portal_logo', $invoice->company_id),
|
||||
'current_theme' => get_company_setting('customer_portal_theme', $invoice->company_id),
|
||||
]);
|
||||
}
|
||||
|
||||
public function getInvoice(EmailLog $emailLog)
|
||||
{
|
||||
$invoice = Invoice::find($emailLog->mailable_id);
|
||||
$invoice = $emailLog->mailable;
|
||||
abort_unless($invoice instanceof Invoice, 404);
|
||||
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
|
||||
|
||||
return new CustomerInvoiceResource($invoice);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user