Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): M3 FilesWidget upload hardening + M4 ADR-023 comments/reactions wiring#351

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/fileswidget-adr023
May 28, 2026
Merged

fix(security): M3 FilesWidget upload hardening + M4 ADR-023 comments/reactions wiring#351
rubenvdlinde merged 1 commit into
developmentfrom
fix/fileswidget-adr023

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • M3 FilesWidgetService upload hardening: reject non-PHP-uploaded tmp_name paths via is_uploaded_file (prevents local-file-inclusion via crafted requests), enforce 50 MiB hard size cap, enforce mimeTypeFilter on the write path (previously filter was read-only), stream-write via fopen/stream_copy_to_stream to avoid loading whole file into memory.
  • M4 DashboardCommentsApiController + DashboardReactionApiController: wire all 8 endpoints through ActionAuthService::requireAction per ADR-023; add action seeds to actions.seed.json; replace $userId null-check with IUserSession::getUser() for consistency.
  • Pre-existing test fixes: DemoShowcasesServiceTest missing ILockingProvider arg; DashboardMetadataControllerTest using removed IGroupManager dep (now PermissionService); FeedRefreshServiceTest failing against SSRF guard DNS resolution — refactored FeedRefreshService to inject UrlSafetyValidator (consistent with CalendarWidgetService/NewsWidgetService pattern).

Test plan

  • php vendor/bin/phpunit --no-coverage — 1085/1085 pass, 0 failures, 0 errors
  • php vendor/bin/phpstan analyse — no errors
  • php vendor/bin/phpcs --standard=phpcs.xml — 0 errors on modified files (warnings are pre-existing @SPEC tags)
  • 9 new tests for M4 comments ADR-023 wiring
  • 9 new tests for M4 reactions ADR-023 wiring
  • 3 new tests for M3 upload hardening (is_uploaded_file guard, UPLOAD_ERR_* rejection, MAX_UPLOAD_BYTES constant)

…r comments/reactions

M3 (FilesWidgetService): reject non-PHP-uploaded tmp_names via is_uploaded_file,
enforce 50 MiB hard cap, apply mimeTypeFilter on write path (previously read-only),
stream-write to avoid full-file memory load.

M4 (DashboardCommentsApiController, DashboardReactionApiController): wire all eight
endpoints through ActionAuthService.requireAction via the ADR-023 action matrix;
add corresponding seeds to actions.seed.json; inject IUserSession instead of
relying solely on the userId string param.

Also fixes pre-existing test breakages: DemoShowcasesServiceTest missing
ILockingProvider, DashboardMetadataControllerTest using removed IGroupManager
dependency (replaced with PermissionService), FeedRefreshServiceTest failures
caused by DNS resolution of mock URLs against the SSRF guard (now delegates to
injectable UrlSafetyValidator, consistent with CalendarWidgetService pattern).
@rubenvdlinde rubenvdlinde merged commit f4ec74a into development May 28, 2026
@rubenvdlinde rubenvdlinde deleted the fix/fileswidget-adr023 branch May 28, 2026 04:50
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant