Files
InvoiceShelf/app/Models/EmailLog.php
Darko Gjorgjijoski 5839d8385d fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#662)
Customer PDF controllers resolved the target document by raw mailable_id,
ignoring mailable_type, and skipped the expiry check on the JSON endpoints.

- Resolve via the $emailLog->mailable morph relation and assert the expected
  type (abort 404) so a token issued for one document type can't disclose
  another whose numeric id collides.
- Enforce isExpired() (abort 403) on every public path, including the JSON
  getInvoice/getEstimate/getPayment endpoints.
- Harden EmailLog::isExpired() to treat a null/unresolvable mailable as
  expired instead of throwing.

Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
2026-06-12 09:18:16 +02:00

43 lines
1.1 KiB
PHP

<?php
namespace App\Models;
use Carbon\Carbon;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\MorphTo;
class EmailLog extends Model
{
use HasFactory;
protected $guarded = ['id'];
public function mailable(): MorphTo
{
return $this->morphTo();
}
public function isExpired()
{
$mailable = $this->mailable;
// A token whose target document no longer resolves is treated as
// expired/invalid rather than throwing.
if (! $mailable) {
return true;
}
$linkExpiryDays = (int) CompanySetting::getSetting('link_expiry_days', $mailable->company_id);
$checkExpiryLinks = CompanySetting::getSetting('automatically_expire_public_links', $mailable->company_id);
$expiryDate = $this->created_at->addDays($linkExpiryDays);
if ($checkExpiryLinks == 'YES' && Carbon::now()->format('Y-m-d') > $expiryDate->format('Y-m-d')) {
return true;
}
return false;
}
}