mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-18 14:55:21 +00:00
fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#669)
v3 port. Customer PDF controllers resolved the target document by raw mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints. - Resolve via $emailLog->mailable + assert the expected type (404) to close cross-type disclosure. - Enforce isExpired() (403) on every public path incl. the JSON endpoints. - Harden EmailLog::isExpired() against a null/unresolvable mailable. Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
This commit is contained in:
committed by
GitHub
parent
c6a00df120
commit
e56b6b4fe5
@@ -24,8 +24,16 @@ class EmailLog extends Model
|
||||
*/
|
||||
public function isExpired(): bool
|
||||
{
|
||||
$linkExpiryDays = (int) CompanySetting::getSetting('link_expiry_days', $this->mailable()->get()->toArray()[0]['company_id']);
|
||||
$checkExpiryLinks = CompanySetting::getSetting('automatically_expire_public_links', $this->mailable()->get()->toArray()[0]['company_id']);
|
||||
$mailable = $this->mailable;
|
||||
|
||||
// A token whose target document no longer resolves is treated as
|
||||
// expired/invalid rather than throwing.
|
||||
if (! $mailable) {
|
||||
return true;
|
||||
}
|
||||
|
||||
$linkExpiryDays = (int) CompanySetting::getSetting('link_expiry_days', $mailable->company_id);
|
||||
$checkExpiryLinks = CompanySetting::getSetting('automatically_expire_public_links', $mailable->company_id);
|
||||
|
||||
$expiryDate = $this->created_at->addDays($linkExpiryDays);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user