fix: address security review findings
This commit is contained in:
@@ -21,7 +21,7 @@ function mailLoginCleanupMain(): void
|
||||
exit(2);
|
||||
}
|
||||
|
||||
$base = rtrim($config['base_url'], '/');
|
||||
$base = mailLoginCleanupValidateBaseUrl($config['base_url']);
|
||||
$now = time();
|
||||
$states = mailLoginCleanupLoadStates($config['state_dir']);
|
||||
$entries = mailLoginCleanupApiRequest('GET', $base . '/api/login-keys/urls', $config);
|
||||
@@ -76,6 +76,9 @@ function mailLoginCleanupShouldDelete(array $entry, array $states, int $now): bo
|
||||
return false;
|
||||
}
|
||||
foreach ($states as $state) {
|
||||
if ((string)($state['id'] ?? '') === '' || (string)$entry['id'] !== (string)$state['id']) {
|
||||
continue;
|
||||
}
|
||||
if (($state['status'] ?? '') !== 'created') {
|
||||
continue;
|
||||
}
|
||||
@@ -100,6 +103,16 @@ function mailLoginCleanupShouldDelete(array $entry, array $states, int $now): bo
|
||||
return false;
|
||||
}
|
||||
|
||||
function mailLoginCleanupValidateBaseUrl(string $baseUrl): string
|
||||
{
|
||||
$baseUrl = rtrim($baseUrl, '/');
|
||||
$parts = parse_url($baseUrl);
|
||||
if (!is_array($parts) || strtolower((string)($parts['scheme'] ?? '')) !== 'https' || empty($parts['host'])) {
|
||||
throw new InvalidArgumentException('DA_BASE_URL must be an https URL');
|
||||
}
|
||||
return $baseUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string,string> $config
|
||||
* @return mixed
|
||||
|
||||
Reference in New Issue
Block a user