Fix security vulnerabilities and add type hints

dereuromark · claude · dereuromark · commit c55432ce44c8 · 2025-11-19T13:52:44.000+01:00
- Fix unsafe deserialization in ObjectType by whitelisting safe classes - Fix path traversal vulnerability in GoogleMapHelper icon method - Fix SQL injection in GeocoderBehavior distanceConditions - Implement isAccurateEnough() method in Geocoder - Add missing type hints to GoogleMapHelper methods - Fix type casting in GeoCoordinate::fromString() 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/Database/Type/ObjectType.php b/src/Database/Type/ObjectType.php
@@ -4,7 +4,13 @@
 
 use Cake\Database\Driver;
 use Cake\Database\Type\BaseType;
+use Cake\I18n\Date;
+use Cake\I18n\DateTime;
+use DateInterval;
+use DateTimeImmutable;
+use DateTimeZone;
 use PDO;
+use stdClass;
 
 /**
  * This can serialize and unserialize objects.
@@ -22,7 +28,18 @@ public function toPHP(mixed $value, Driver $driver): mixed {
 			return $value;
 		}
 
-		return unserialize($value);
+		// Allow only safe classes to prevent object injection attacks
+		$allowedClasses = [
+			DateTime::class,
+			DateTimeImmutable::class,
+			DateTimeZone::class,
+			DateInterval::class,
+			DateTime::class,
+			Date::class,
+			stdClass::class,
+		];
+
+		return unserialize($value, ['allowed_classes' => $allowedClasses]);
 	}
 
 	/**
@@ -38,7 +55,18 @@ public function marshal(mixed $value): mixed {
 			return $value;
 		}
 
-		return unserialize($value);
+		// Allow only safe classes to prevent object injection attacks
+		$allowedClasses = [
+			DateTime::class,
+			DateTimeImmutable::class,
+			DateTimeZone::class,
+			DateInterval::class,
+			DateTime::class,
+			Date::class,
+			stdClass::class,
+		];
+
+		return unserialize($value, ['allowed_classes' => $allowedClasses]);
 	}
 
 	/**
diff --git a/src/Geocoder/GeoCoordinate.php b/src/Geocoder/GeoCoordinate.php
@@ -88,7 +88,7 @@ public static function fromString(string $coordinate): static {
 
 		[$lat, $lng] = explode(',', $coordinate);
 
-		return new static($lat, $lng);
+		return new static((float)$lat, (float)$lng);
 	}
 
 	/**
diff --git a/src/Geocoder/Geocoder.php b/src/Geocoder/Geocoder.php
@@ -336,14 +336,79 @@ public function containsAccurateEnough(AddressCollection $addresses) {
 	 * @return bool
 	 */
 	public function isAccurateEnough(Location $address) {
-		$levels = array_keys($this->_types);
-		$values = array_values($this->_types);
-		$map = array_combine($levels, $values);
-
 		$expected = $this->_config['minAccuracy'];
+		if (!$expected) {
+			return true;
+		}
+
+		$minAccuracyIndex = array_search($expected, $this->_types, true);
+		if ($minAccuracyIndex === false) {
+			return true;
+		}
+
+		$adminLevels = $address->getAdminLevels();
+		$adminLevelMap = [
+			static::TYPE_AAL1 => 1,
+			static::TYPE_AAL2 => 2,
+			static::TYPE_AAL3 => 3,
+			static::TYPE_AAL4 => 4,
+			static::TYPE_AAL5 => 5,
+		];
+
+		// Check all accuracy levels from minimum required to most accurate
+		for ($i = $minAccuracyIndex; $i < count($this->_types); $i++) {
+			$type = $this->_types[$i];
+			switch ($type) {
+				case static::TYPE_COUNTRY:
+					if ($address->getCountry() !== null) {
+						return true;
+					}
+
+					break;
+				case static::TYPE_AAL1:
+				case static::TYPE_AAL2:
+				case static::TYPE_AAL3:
+				case static::TYPE_AAL4:
+				case static::TYPE_AAL5:
+					if ($adminLevels->has($adminLevelMap[$type])) {
+						return true;
+					}
+
+					break;
+				case static::TYPE_LOC:
+					if ($address->getLocality() !== null) {
+						return true;
+					}
+
+					break;
+				case static::TYPE_SUBLOC:
+					if ($address->getSubLocality() !== null) {
+						return true;
+					}
+
+					break;
+				case static::TYPE_POSTAL:
+					if ($address->getPostalCode() !== null) {
+						return true;
+					}
+
+					break;
+				case static::TYPE_ADDRESS:
+					if ($address->getStreetName() !== null) {
+						return true;
+					}
+
+					break;
+				case static::TYPE_NUMBER:
+					if ($address->getStreetNumber() !== null) {
+						return true;
+					}
+
+					break;
+			}
+		}
 
-		//TODO
-		return true;
+		return false;
 	}
 
 	/**
diff --git a/src/Model/Behavior/GeocoderBehavior.php b/src/Model/Behavior/GeocoderBehavior.php
@@ -475,11 +475,29 @@ public function distanceConditions($distance = null, $fieldName = null, $fieldLa
 		if ($tableName === null) {
 			$tableName = $this->_table->getAlias();
 		}
+
+		// Validate field and table names to prevent SQL injection
+		if (!preg_match('/^[a-zA-Z0-9_]+$/', $tableName)) {
+			throw new \InvalidArgumentException('Invalid table name');
+		}
+		if (!preg_match('/^[a-zA-Z0-9_]+$/', $fieldLat)) {
+			throw new \InvalidArgumentException('Invalid field name');
+		}
+		if (!preg_match('/^[a-zA-Z0-9_]+$/', $fieldLng)) {
+			throw new \InvalidArgumentException('Invalid field name');
+		}
+
 		$conditions = [
 			$tableName . '.' . $fieldLat . ' <> 0',
 			$tableName . '.' . $fieldLng . ' <> 0',
 		];
 		$fieldName = !empty($fieldName) ? $fieldName : 'distance';
+
+		// Validate distance field name
+		if (!preg_match('/^[a-zA-Z0-9_]+$/', $fieldName)) {
+			throw new \InvalidArgumentException('Invalid field name');
+		}
+
 		if ($distance !== null) {
 			$conditions[] = '1=1 HAVING ' . $tableName . '.' . $fieldName . ' < ' . (int)$distance;
 		}
diff --git a/src/View/Helper/GoogleMapHelper.php b/src/View/Helper/GoogleMapHelper.php
@@ -354,7 +354,7 @@ public function initialize(array $config): void {
 	 * @param array<string, mixed> $query
 	 * @return string Full URL
 	 */
-	public function apiUrl(array $query = []) {
+	public function apiUrl(array $query = []): string {
 		$url = $this->_protocol() . static::API;
 
 		if ($this->_runtimeConfig['map']['api']) {
@@ -381,7 +381,7 @@ public function apiUrl(array $query = []) {
 	 * @deprecated Not in use.
 	 * @return string
 	 */
-	public function gearsUrl() {
+	public function gearsUrl(): string {
 		$this->_gearsIncluded = true;
 		$url = $this->_protocol() . 'code.google.com/apis/gears/gears_init.js';
 
@@ -391,14 +391,14 @@ public function gearsUrl() {
 	/**
 	 * @return string currentMapObject
 	 */
-	public function name() {
+	public function name(): string {
 		return 'map' . static::$mapCount;
 	}
 
 	/**
 	 * @return string currentContainerId
 	 */
-	public function id() {
+	public function id(): string {
 		return $this->_runtimeConfig['div']['id'];
 	}
 
@@ -409,7 +409,7 @@ public function id() {
 	 * @param bool $full true=optionsAsWell
 	 * @return void
 	 */
-	public function reset($full = true) {
+	public function reset(bool $full = true): void {
 		static::$markerCount = static::$infoWindowCount = 0;
 		$this->markers = $this->infoWindows = [];
 		if ($full) {
@@ -430,7 +430,7 @@ public function reset($full = true) {
 	 * @param array<string, mixed> $options
 	 * @return void
 	 */
-	public function setControls(array $options = []) {
+	public function setControls(array $options = []): void {
 		if (isset($options['streetView'])) {
 			$this->_runtimeConfig['map']['streetViewControl'] = $options['streetView'];
 		}
@@ -455,7 +455,7 @@ public function setControls(array $options = []) {
 	 * @param array<string, mixed> $options associative array of settings are passed
 	 * @return string divContainer
 	 */
-	public function map(array $options = []) {
+	public function map(array $options = []): string {
 		$this->reset();
 		$this->_runtimeConfig = Hash::merge($this->_runtimeConfig, $options);
 		$this->_runtimeConfig['map'] = $options + $this->_runtimeConfig['map'];
@@ -560,7 +560,7 @@ protected function _initialLocation() {
 	 * @throws \Cake\Core\Exception\CakeException
 	 * @return mixed Integer marker count or boolean false on failure
 	 */
-	public function addMarker($options) {
+	public function addMarker(array $options): mixed {
 		$defaults = $this->_runtimeConfig['marker'];
 		if (isset($options['icon']) && is_array($options['icon'])) {
 			$defaults = $options['icon'] + $defaults;
@@ -732,7 +732,7 @@ protected function _directions($directions, array $markerOptions = []) {
 	 * @param string $content
 	 * @return int Current marker counter
 	 */
-	public function addInfoContent($content) {
+	public function addInfoContent(string $content): int {
 		$this->infoContents[static::$markerCount] = $this->escapeString($content);
 		$event = "
 			gWindowContents" . static::$mapCount . '.push(' . $this->escapeString($content) . ");
@@ -762,7 +762,7 @@ public function addInfoContent($content) {
 	 * NOTE: for special ones only first parameter counts!
 	 * @return array Array(icon, shadow, shape, ...)
 	 */
-	public function iconSet($color, $char = null, $size = 'm') {
+	public function iconSet(string $color, ?string $char = null, string $size = 'm'): array {
 		$colors = ['red', 'green', 'yellow', 'blue', 'purple', 'white', 'black'];
 		if (!in_array($color, $colors)) {
 			$color = 'red';
@@ -833,7 +833,7 @@ public function iconSet($color, $char = null, $size = 'm') {
 	 * @param array<string, mixed> $shadowOptions Shadow image options
 	 * @return array Resulting array
 	 */
-	public function addIcon($image, $shadow = null, array $imageOptions = [], array $shadowOptions = []) {
+	public function addIcon(string $image, ?string $shadow = null, array $imageOptions = [], array $shadowOptions = []): array {
 		$res = ['url' => $image];
 		$res['icon'] = $this->icon($image, $imageOptions);
 		if ($shadow) {
@@ -864,14 +864,18 @@ public function addIcon($image, $shadow = null, array $imageOptions = [], array
 	 * - anchor: array(width=>x, height=>y)
 	 * @return int Icon count
 	 */
-	public function icon(string $url, array $options = []) {
+	public function icon(string $url, array $options = []): int {
 		// The shadow image is larger in the horizontal dimension
 		// while the position and offset are the same as for the main image.
 		if (empty($options['size'])) {
 			// We will deprecate this in the future maybe as this is super slow!
 			//trigger_error('Please specify size manually [width => ..., height => ...] for performance reasons.', E_USER_DEPRECATED);
 			if (!empty($options['imagePath'])) {
 				$path = realpath($options['imagePath']);
+				$allowedDir = realpath(WWW_ROOT . 'img' . DS);
+				if (!$path || !$allowedDir || strpos($path, $allowedDir) !== 0) {
+					throw new CakeException('Invalid image path');
+				}
 			} else {
 				$path = $url;
 				if (!preg_match('#^((https?://)|//)#i', $path)) {
@@ -919,7 +923,7 @@ public function icon(string $url, array $options = []) {
 	 * - lat, lng, content, maxWidth, pixelOffset, zIndex
 	 * @return int windowCount
 	 */
-	public function addInfoWindow(array $options = []) {
+	public function addInfoWindow(array $options = []): int {
 		$defaults = $this->_runtimeConfig['infoWindow'];
 		$options += $defaults;
 
@@ -951,7 +955,7 @@ public function addInfoWindow(array $options = []) {
 	 * @param bool $open Also open it right away.
 	 * @return void
 	 */
-	public function addEvent($marker, $infoWindow, $open = false) {
+	public function addEvent(int $marker, int $infoWindow, bool $open = false): void {
 		$this->map .= "
 			google.maps.event.addListener(gMarkers" . static::$mapCount . "[{$marker}], 'click', function() {
 				gInfoWindows" . static::$mapCount . "[$infoWindow].open(" . $this->name() . ", this);
@@ -971,7 +975,7 @@ public function addEvent($marker, $infoWindow, $open = false) {
 	 * @param string $event (js)
 	 * @return void
 	 */
-	public function addCustomEvent($marker, $event) {
+	public function addCustomEvent(int $marker, string $event): void {
 		$this->map .= "
 			google.maps.event.addListener(gMarkers" . static::$mapCount . "[{$marker}], 'click', function() {
 				$event
@@ -985,7 +989,7 @@ public function addCustomEvent($marker, $event) {
 	 * @param string $js Custom JS
 	 * @return void
 	 */
-	public function addCustom($js) {
+	public function addCustom(string $js): void {
 		$this->map .= $js;
 	}
 
@@ -1008,7 +1012,7 @@ public function addCustom($js) {
 	 * - region: String
 	 * @return void
 	 */
-	public function addDirections($from, $to, array $options = []) {
+	public function addDirections(array|string $from, array|string $to, array $options = []): void {
 		$id = 'd' . static::$markerCount++;
 		$defaults = $this->_runtimeConfig['directions'];
 		$options += $defaults;
@@ -1066,7 +1070,7 @@ public function addDirections($from, $to, array $options = []) {
 	 * - weight in pixels (defaults to 2)
 	 * @return void
 	 */
-	public function addPolyline($from, $to, array $options = []) {
+	public function addPolyline(array|string $from, array|string $to, array $options = []): void {
 		if (is_array($from)) {
 			$from = 'new google.maps.LatLng(' . (float)$from['lat'] . ', ' . (float)$from['lng'] . ')';
 		} else {
@@ -1110,7 +1114,7 @@ public function addPolyline($from, $to, array $options = []) {
 	 * @param int $index infoWindowCount
 	 * @return void
 	 */
-	public function setContentInfoWindow($content, $index) {
+	public function setContentInfoWindow(string $content, int $index): void {
 		$this->map .= "
 			gInfoWindows" . static::$mapCount . "[$index]. setContent(" . $this->escapeString($content) . ');';
 	}
@@ -1121,7 +1125,7 @@ public function setContentInfoWindow($content, $index) {
 	 * @param mixed $content
 	 * @return string JSON
 	 */
-	public function escapeString($content) {
+	public function escapeString(mixed $content): string {
 		$result = json_encode($content);
 		if ($result === false) {
 			return '';

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ public static function fromString(string $coordinate): static {`
`88`	`88`
`89`	`89`	`[$lat, $lng] = explode(',', $coordinate);`
`90`	`90`
`91`		`- return new static($lat, $lng);`
	`91`	`+ return new static((float)$lat, (float)$lng);`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`/**`