Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[LOW] L4: Debug/repair PHP scripts in repo root may be shipped in release package as unauthenticated endpoints #351

Description

@rubenvdlinde

Severity: LOW

Location: Repository root: check_basic.php, check_db.php, debug_database_direct.php, cleanup_id_properties.php, cleanup_schema.php, enhance_archimate_service.php, find_objects_simple.php, test-magic-mapper-import.php, test-csv-php.php

Description:
Multiple debug/repair/test PHP scripts exist in the repository root. If these files are shipped in the distributed app package and the web server maps the app directory to a public URL, they become unauthenticated HTTP-accessible endpoints. Several contain direct database manipulation (cleanup_*.php, debug_database_direct.php) that could be triggered without any NC authentication.

Suggested fix:
Add all check_*.php, debug_*.php, cleanup_*.php, enhance_*.php, find_*.php, and test-*.php root files to .distignore so they are excluded from packaged releases. Alternatively, move them to a scripts/ or dev-tools/ directory that is explicitly excluded from the app package.


Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions