Severity: LOW
Location: Repository root: check_basic.php, check_db.php, debug_database_direct.php, cleanup_id_properties.php, cleanup_schema.php, enhance_archimate_service.php, find_objects_simple.php, test-magic-mapper-import.php, test-csv-php.php
Description:
Multiple debug/repair/test PHP scripts exist in the repository root. If these files are shipped in the distributed app package and the web server maps the app directory to a public URL, they become unauthenticated HTTP-accessible endpoints. Several contain direct database manipulation (cleanup_*.php, debug_database_direct.php) that could be triggered without any NC authentication.
Suggested fix:
Add all check_*.php, debug_*.php, cleanup_*.php, enhance_*.php, find_*.php, and test-*.php root files to .distignore so they are excluded from packaged releases. Alternatively, move them to a scripts/ or dev-tools/ directory that is explicitly excluded from the app package.
Source: deep team-reviewer pass 2026-05-27
Severity: LOW
Location: Repository root:
check_basic.php,check_db.php,debug_database_direct.php,cleanup_id_properties.php,cleanup_schema.php,enhance_archimate_service.php,find_objects_simple.php,test-magic-mapper-import.php,test-csv-php.phpDescription:
Multiple debug/repair/test PHP scripts exist in the repository root. If these files are shipped in the distributed app package and the web server maps the app directory to a public URL, they become unauthenticated HTTP-accessible endpoints. Several contain direct database manipulation (
cleanup_*.php,debug_database_direct.php) that could be triggered without any NC authentication.Suggested fix:
Add all
check_*.php,debug_*.php,cleanup_*.php,enhance_*.php,find_*.php, andtest-*.phproot files to.distignoreso they are excluded from packaged releases. Alternatively, move them to ascripts/ordev-tools/directory that is explicitly excluded from the app package.Source: deep team-reviewer pass 2026-05-27