This repository was archived by the owner on May 29, 2026. It is now read-only.
Commit 7196784
committed
fix(security): PdfReportWriter — strip stylesheet/font hooks + assert sandbox flags
Dompdf 3.1 has a history of SSRF / file-disclosure CVEs
(CVE-2022-41343, CVE-2023-23924). The current writer correctly sets
`isRemoteEnabled=false` and `isPhpEnabled=false`, but two gaps
remained:
1. `<link rel="stylesheet">` and `@font-face` source declarations
are honoured even with `isRemoteEnabled=false` because Dompdf
resolves `file://` URLs locally. A stylesheet/font reference
smuggled into the dashboard payload could read arbitrary FS
paths. Strip both before handing HTML to Dompdf.
2. The sandbox flags are easy to lose in a future config refactor.
Assert both are false at runtime; throw if they drift.
A `composer audit` step in CI (reviewer's third recommendation) is
already covered by the existing quality workflow's
`Security (composer)` job — verified separately.
Refs: #1419 review (concern 12) — discussion_r31874945191 parent ff45796 commit 7196784
1 file changed
Lines changed: 26 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
57 | 57 | | |
58 | 58 | | |
59 | 59 | | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
60 | 76 | | |
61 | 77 | | |
62 | 78 | | |
| |||
66 | 82 | | |
67 | 83 | | |
68 | 84 | | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
69 | 95 | | |
70 | 96 | | |
71 | 97 | | |
| |||
0 commit comments