fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#669)

v3 port. Customer PDF controllers resolved the target document by raw
mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints.

- Resolve via $emailLog->mailable + assert the expected type (404) to close
  cross-type disclosure.
- Enforce isExpired() (403) on every public path incl. the JSON endpoints.
- Harden EmailLog::isExpired() against a null/unresolvable mailable.

Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 11:02:11 +02:00
committed by GitHub
parent c6a00df120
commit e56b6b4fe5
5 changed files with 131 additions and 57 deletions

View File

@@ -24,8 +24,16 @@ class EmailLog extends Model
*/
public function isExpired(): bool
{
$linkExpiryDays = (int) CompanySetting::getSetting('link_expiry_days', $this->mailable()->get()->toArray()[0]['company_id']);
$checkExpiryLinks = CompanySetting::getSetting('automatically_expire_public_links', $this->mailable()->get()->toArray()[0]['company_id']);
$mailable = $this->mailable;
// A token whose target document no longer resolves is treated as
// expired/invalid rather than throwing.
if (! $mailable) {
return true;
}
$linkExpiryDays = (int) CompanySetting::getSetting('link_expiry_days', $mailable->company_id);
$checkExpiryLinks = CompanySetting::getSetting('automatically_expire_public_links', $mailable->company_id);
$expiryDate = $this->created_at->addDays($linkExpiryDays);