fix: address security review findings

This commit is contained in:
Marek Miklewicz
2026-06-30 11:41:40 +02:00
parent 3b096b67bb
commit 54b2e620ff
12 changed files with 188 additions and 31 deletions
+14 -1
View File
@@ -21,7 +21,7 @@ function mailLoginCleanupMain(): void
exit(2);
}
$base = rtrim($config['base_url'], '/');
$base = mailLoginCleanupValidateBaseUrl($config['base_url']);
$now = time();
$states = mailLoginCleanupLoadStates($config['state_dir']);
$entries = mailLoginCleanupApiRequest('GET', $base . '/api/login-keys/urls', $config);
@@ -76,6 +76,9 @@ function mailLoginCleanupShouldDelete(array $entry, array $states, int $now): bo
return false;
}
foreach ($states as $state) {
if ((string)($state['id'] ?? '') === '' || (string)$entry['id'] !== (string)$state['id']) {
continue;
}
if (($state['status'] ?? '') !== 'created') {
continue;
}
@@ -100,6 +103,16 @@ function mailLoginCleanupShouldDelete(array $entry, array $states, int $now): bo
return false;
}
function mailLoginCleanupValidateBaseUrl(string $baseUrl): string
{
$baseUrl = rtrim($baseUrl, '/');
$parts = parse_url($baseUrl);
if (!is_array($parts) || strtolower((string)($parts['scheme'] ?? '')) !== 'https' || empty($parts['host'])) {
throw new InvalidArgumentException('DA_BASE_URL must be an https URL');
}
return $baseUrl;
}
/**
* @param array<string,string> $config
* @return mixed