mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-16 22:05:20 +00:00
The AI chat assistant scoped tool queries by company but ignored the per-user Bouncer abilities the rest of the app enforces, so any `use ai` holder could read customers, invoices, payments, and company financials their role couldn't otherwise see. Each AiTool now declares a required ability (entity-aligned); the registry hides unauthorized tools from the model and refuses to execute them as a backstop. Separately, admin/owner-supplied URLs were fetched server-side with no guard against private/reserved targets (SSRF): the AI base URL, the CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl validation rule (save-time) and runtime guards in each driver. - AiTool::requiredAbility() + mapping across all 12 tools - AiToolRegistry filters schemas() by ability and re-checks in execute() - PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new) - Rule wired into AI config (service + 3 controllers), exchange-rate, and file-disk endpoints; runtime guards in OpenRouterDriver, CurrencyConverterDriver, and FileDiskService - Tests for ability filtering, the guard, the rule, and 422 rejections
69 lines
2.1 KiB
PHP
69 lines
2.1 KiB
PHP
<?php
|
|
|
|
namespace App\Support\ExchangeRate;
|
|
|
|
use App\Support\Net\BlockedUrlException;
|
|
use App\Support\Net\PrivateNetworkGuard;
|
|
use Illuminate\Support\Facades\Http;
|
|
|
|
class CurrencyConverterDriver extends ExchangeRateDriver
|
|
{
|
|
public function getExchangeRate(string $baseCurrency, string $targetCurrency): array
|
|
{
|
|
$baseUrl = $this->getBaseUrl();
|
|
$query = "{$baseCurrency}_{$targetCurrency}";
|
|
$url = "{$baseUrl}/api/v7/convert?apiKey={$this->apiKey}&q={$query}&compact=y";
|
|
$response = Http::get($url)->json();
|
|
|
|
return array_values($response[$query]);
|
|
}
|
|
|
|
public function getSupportedCurrencies(): array
|
|
{
|
|
$baseUrl = $this->getBaseUrl();
|
|
$url = "{$baseUrl}/api/v7/currencies?apiKey={$this->apiKey}";
|
|
$response = Http::get($url)->json();
|
|
|
|
if ($response == null) {
|
|
throw new ExchangeRateException('Server not responding', 'server_error');
|
|
}
|
|
|
|
if (array_key_exists('results', $response)) {
|
|
return array_keys($response['results']);
|
|
}
|
|
|
|
throw new ExchangeRateException('Please Enter Valid Provider Key.', 'invalid_key');
|
|
}
|
|
|
|
public function validateConnection(): array
|
|
{
|
|
$baseUrl = $this->getBaseUrl();
|
|
$query = 'INR_USD';
|
|
$url = "{$baseUrl}/api/v7/convert?apiKey={$this->apiKey}&q={$query}&compact=y";
|
|
$response = Http::get($url)->json();
|
|
|
|
return array_values($response[$query]);
|
|
}
|
|
|
|
private function getBaseUrl(): string
|
|
{
|
|
$type = $this->config['type'] ?? 'FREE';
|
|
|
|
$url = match ($type) {
|
|
'PREMIUM' => 'https://api.currconv.com',
|
|
'PREPAID' => 'https://prepaid.currconv.com',
|
|
'FREE' => 'https://free.currconv.com',
|
|
'DEDICATED' => $this->config['url'] ?? 'https://free.currconv.com',
|
|
};
|
|
|
|
// SSRF guard: the DEDICATED plan lets the user supply this URL.
|
|
try {
|
|
PrivateNetworkGuard::assertAllowed($url);
|
|
} catch (BlockedUrlException $e) {
|
|
throw new ExchangeRateException('Invalid provider URL: '.$e->getMessage(), 'invalid_url');
|
|
}
|
|
|
|
return $url;
|
|
}
|
|
}
|