Commit Graph

16 Commits

Author SHA1 Message Date
Darko Gjorgjijoski
ac2a8ca939 fix(security): gate AI tools by user ability and block admin-URL SSRF
The AI chat assistant scoped tool queries by company but ignored the
per-user Bouncer abilities the rest of the app enforces, so any `use ai`
holder could read customers, invoices, payments, and company financials
their role couldn't otherwise see. Each AiTool now declares a required
ability (entity-aligned); the registry hides unauthorized tools from the
model and refuses to execute them as a backstop.

Separately, admin/owner-supplied URLs were fetched server-side with no
guard against private/reserved targets (SSRF): the AI base URL, the
CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk
endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl
validation rule (save-time) and runtime guards in each driver.

- AiTool::requiredAbility() + mapping across all 12 tools
- AiToolRegistry filters schemas() by ability and re-checks in execute()
- PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new)
- Rule wired into AI config (service + 3 controllers), exchange-rate,
  and file-disk endpoints; runtime guards in OpenRouterDriver,
  CurrencyConverterDriver, and FileDiskService
- Tests for ability filtering, the guard, the rule, and 422 rejections
2026-06-05 00:01:09 +02:00
Darko Gjorgjijoski
39c9179888 Support internationalized domain names (IDN) in email validation
Add IdnEmail validation rule that converts IDN domains to Punycode
via idn_to_ascii() before validating with FILTER_VALIDATE_EMAIL.
Applied to all email fields: customers, members, profiles, admin
users, customer portal profiles, and mail configuration.

Includes unit tests for standard emails, IDN emails, and invalid
inputs.

Fixes #388
2026-04-06 23:55:29 +02:00
Darko Gjorgjijoski
12d9d6c801 Regenerate IDE Helper Assets (#274)
* Add back laravel/ui package

* Fix wrong Closure import

* Regenerate ide-helper files
2025-01-12 20:48:06 +01:00
mchev
3259173066 Laravel 11 (#84)
* Convert string references to `::class`

PHP 5.5.9 adds the new static `class` property which provides the fully qualified class name. This is preferred over using strings for class names since the `class` property references are checked by PHP.

* Use Faker methods

Accessing Faker properties was deprecated in Faker 1.14.

* Convert route options to fluent methods

Laravel 8 adopts the tuple syntax for controller actions. Since the old options array is incompatible with this syntax, Shift converted them to use modern, fluent methods.

* Adopt class based routes

* Remove default `app` files

* Shift core files

* Streamline config files

* Set new `ENV` variables

* Default new `bootstrap/app.php`

* Re-register HTTP middleware

* Consolidate service providers

* Re-register service providers

* Re-register routes

* Re-register scheduled commands

* Bump Composer dependencies

* Use `<env>` tags for configuration

`<env>` tags have a lower precedence than system environment variables making it easier to overwrite PHPUnit configuration values in additional environments, such a CI.

Review this blog post for more details on configuration precedence when testing Laravel: https://jasonmccreary.me/articles/laravel-testing-configuration-precedence/

* Adopt anonymous migrations

* Rename `password_resets` table

* Convert `$casts` property to method

* Adopt Laravel type hints

* Mark base controller as `abstract`

* Remove `CreatesApplication` testing trait

* Shift cleanup

* Fix shift first issues

* Updating Rules for laravel 11, sanctum config and pint

* Fix Carbon issue on dashboard

* Temporary fix for tests while migration is issue fixed on laravel side

* Carbon needs numerical values, not strings

* Minimum php version

* Fix domain installation step not fetching the correct company_id

* Fix Role Policy wasn't properly registered

---------
2024-06-05 11:33:52 +02:00
gdarko
b85538dbc0 Fix code style 2024-02-10 01:36:53 +01:00
gdarko
8918ea5124 Fix image extension validation
Issue #21
2024-02-10 01:31:44 +01:00
gdarko
4ab92473e9 Setup pint & run code style fix 2024-01-29 04:46:01 -06:00
Darko Gjorgjijoski
6b80b5f48d Change namespace 2024-01-27 23:53:20 +01:00
Mohit Panjwani
bdea879273 v6 update 2022-01-10 16:06:17 +05:30
Mohit Panjwani
082d5cacf2 v5.0.0 update 2021-11-30 18:58:19 +05:30
Mohit Panjwani
f5c23b33da fix code style 2021-06-24 14:21:43 +05:30
jayvirsinh_gohil
6fcddd6feb refactor message 2021-06-17 18:58:08 +05:30
jayvirsinh_gohil
43c871f374 refactor unique number message 2021-06-17 18:57:17 +05:30
jayvirsinh_gohil
4ec9b2e817 change message for number validation 2021-06-17 16:23:06 +05:30
Mwikala Kangwa
9e98a96d61 Implement PHP CS Fixer and a coding standard to follow (#471)
* Create PHP CS Fixer config and add to CI workflow

* Run php cs fixer on project

* Add newline at end of file

* Update to use PHP CS Fixer v3

* Run v3 config on project

* Run seperate config in CI
2021-05-21 17:27:51 +05:30
Mohit Panjwani
89ee58590c build version 400 2020-12-02 17:54:08 +05:30