fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#669)

v3 port. Customer PDF controllers resolved the target document by raw
mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints.

- Resolve via $emailLog->mailable + assert the expected type (404) to close
  cross-type disclosure.
- Enforce isExpired() (403) on every public path incl. the JSON endpoints.
- Harden EmailLog::isExpired() against a null/unresolvable mailable.

Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 11:02:11 +02:00
committed by GitHub
parent c6a00df120
commit e56b6b4fe5
5 changed files with 131 additions and 57 deletions

View File

@@ -15,46 +15,49 @@ class InvoicePdfController extends Controller
{
public function getPdf(EmailLog $emailLog, Request $request)
{
$invoice = Invoice::find($emailLog->mailable_id);
// Resolve the document through the morph relation and enforce the
// expected type — a token issued for another mailable type (or whose
// numeric id collides) must not disclose an invoice.
$invoice = $emailLog->mailable;
abort_unless($invoice instanceof Invoice, 404);
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
if (! $emailLog->isExpired()) {
if ($invoice && ($invoice->status == Invoice::STATUS_SENT || $invoice->status == Invoice::STATUS_DRAFT)) {
$invoice->status = Invoice::STATUS_VIEWED;
$invoice->viewed = true;
$invoice->save();
$notifyInvoiceViewed = CompanySetting::getSetting(
'notify_invoice_viewed',
if ($invoice->status == Invoice::STATUS_SENT || $invoice->status == Invoice::STATUS_DRAFT) {
$invoice->status = Invoice::STATUS_VIEWED;
$invoice->viewed = true;
$invoice->save();
$notifyInvoiceViewed = CompanySetting::getSetting(
'notify_invoice_viewed',
$invoice->company_id
);
if ($notifyInvoiceViewed == 'YES') {
$data['invoice'] = Invoice::findOrFail($invoice->id)->toArray();
$data['user'] = Customer::find($invoice->customer_id)->toArray();
$notificationEmail = CompanySetting::getSetting(
'notification_email',
$invoice->company_id
);
if ($notifyInvoiceViewed == 'YES') {
$data['invoice'] = Invoice::findOrFail($invoice->id)->toArray();
$data['user'] = Customer::find($invoice->customer_id)->toArray();
$notificationEmail = CompanySetting::getSetting(
'notification_email',
$invoice->company_id
);
\Mail::to($notificationEmail)->send(new InvoiceViewedMail($data));
}
\Mail::to($notificationEmail)->send(new InvoiceViewedMail($data));
}
if ($request->has('pdf')) {
return $invoice->getGeneratedPDFOrStream('invoice');
}
return view('app')->with([
'customer_logo' => get_company_setting('customer_portal_logo', $invoice->company_id),
'current_theme' => get_company_setting('customer_portal_theme', $invoice->company_id),
]);
}
abort(403, 'Link Expired.');
if ($request->has('pdf')) {
return $invoice->getGeneratedPDFOrStream('invoice');
}
return view('app')->with([
'customer_logo' => get_company_setting('customer_portal_logo', $invoice->company_id),
'current_theme' => get_company_setting('customer_portal_theme', $invoice->company_id),
]);
}
public function getInvoice(EmailLog $emailLog)
{
$invoice = Invoice::find($emailLog->mailable_id);
$invoice = $emailLog->mailable;
abort_unless($invoice instanceof Invoice, 404);
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
return new CustomerInvoiceResource($invoice);
}