mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-04-09 22:44:48 +00:00
34db4b7897
Closes the residual surface from the three published SSRF advisories (GHSA-pc5v-8xwc-v9xq, GHSA-38hf-fq8x-q49r, GHSA-q9wx-ggwq-mcgh / CVE-2026-34365 to 34367). The original fix in 07757e74 only sanitized the Notes field via Invoice/Estimate/Payment::getNotes(), but the same blade templates also render company/billing/shipping address fields with {!! !!} (Blade unescaped output). Those address strings are produced by getCompanyAddress(), getCustomerBillingAddress(), getCustomerShippingAddress() which feed into GeneratesPdfTrait::getFormattedString() — and that method does not call PdfHtmlSanitizer.
Customer-controlled fields (name, street, phone, custom field values) are substituted into address templates via getFieldsArray() without HTML-escaping. A malicious customer name like "Acme <img src='http://attacker/probe'>" therefore reaches Dompdf as raw HTML through the address path, exactly the same CWE-918 SSRF pattern the advisories describe — only blocked today by the secondary defense of dompdf's enable_remote=false. If a self-hoster sets DOMPDF_ENABLE_REMOTE=true for legitimate remote logos, the address surface immediately re-opens.
Move the PdfHtmlSanitizer::sanitize() call into the chokepoint at GeneratesPdfTrait::getFormattedString(), so all four sinks — notes plus the three address fields, on all three models — get the same treatment via a single call site. The explicit wrapper in each model's getNotes() becomes redundant and is removed (along with the now-unused App\Support\PdfHtmlSanitizer imports). Verified getFormattedString() is only called from PDF code paths (no email body callers, which use strtr() directly) so there is no risk of stripping useful HTML from a non-PDF context.
Extends tests/Unit/PdfHtmlSanitizerTest.php with three new cases covering the address-template scenario, iframe/link tag stripping, and on* event handler removal. All 8 tests pass via vendor/bin/pest tests/Unit/PdfHtmlSanitizerTest.php.
Introduction
InvoiceShelf is an open-source web & mobile app that helps you track expenses, payments & create professional invoices & estimates.
The Web Application is made using Laravel & VueJS while the Mobile Apps are built using React Native.
To get started with InvoiceShelf using Docker Compose, check out the Installation docs.
Table of Contents
Documentation
System Requirements
- Starting from v2.2.0 (Laravel 13 upgrade), InvoiceShelf requires PHP 8.4+.
- Before updating from the app settings, verify your server PHP version and required extensions.
- The in-app updater checks requirements and blocks the update if they are not met.
Download
Mobile Apps
- Andorid - Coming Soon
- IOS - Coming Soon
- Source
Discord
Join the InvoiceShelf discord server to discuss: Invite Link
Roadmap
~~Here's a rough roadmap of things to come (not in any specific order):
- Automatic Update
- Email Configuration
- Installation Wizard
- Address Customisation & Default notes
- Edit Email before Sending Invoice
- Available as a docker image
- Performance Improvements
- Customer View page
- Add and Use Custom Fields on Invoices & Estimates.
- Multiple Companies
- Recurring Invoices
- Customer Portal
- Accept Payments (Stripe Integration)
- Improved template system (invoices and estimate)
- Modules and templates marketplace
Credits
InvoiceShelf is made possible thanks to the contributions and support from many people and projects:
- Crater (project inspiration and code base)
- All contributors who have provided code, translations, reported issues, or supported the project in any way.
Translate
Help us translate on https://crowdin.com/project/invoiceshelf
License
InvoiceShelf is released under the GNU AFFERO GENERAL PUBLIC LICENSE Version 3. See LICENSE for details.