Improve security of plugin.

dereuromark · dereuromark · commit 7ac1b54dc716 · 2025-11-20T11:38:11.000+01:00
diff --git a/src/Controller/Admin/QueuedJobsController.php b/src/Controller/Admin/QueuedJobsController.php
@@ -142,13 +142,27 @@ public function import() {
 			/** @var \Laminas\Diactoros\UploadedFile|null $file */
 			$file = $this->request->getData('file');
 			if ($file && $file->getError() == UPLOAD_ERR_OK && $file->getSize() > 0) {
+				$clientMediaType = $file->getClientMediaType();
+				if ($clientMediaType !== 'application/json') {
+					throw new RuntimeException('Only JSON files are allowed');
+				}
+
 				$content = file_get_contents($file->getStream()->getMetadata('uri'));
 				if ($content === false) {
 					throw new RuntimeException('Cannot parse file');
 				}
+
 				$json = json_decode($content, true);
+				if (json_last_error() !== JSON_ERROR_NONE) {
+					throw new RuntimeException('Invalid JSON: ' . json_last_error_msg());
+				}
+
 				if (!$json || empty($json['queuedJob'])) {
-					throw new RuntimeException('Invalid JSON content');
+					throw new RuntimeException('Invalid JSON content: missing queuedJob data');
+				}
+
+				if (!is_array($json['queuedJob'])) {
+					throw new RuntimeException('Invalid JSON structure: queuedJob must be an array');
 				}
 
 				$data = $json['queuedJob'];
diff --git a/src/Model/Table/QueuedJobsTable.php b/src/Model/Table/QueuedJobsTable.php
@@ -983,7 +983,7 @@ public function key(): string {
 		if ($this->_key !== null) {
 			return $this->_key;
 		}
-		$this->_key = sha1(microtime() . mt_rand(100, 999));
+		$this->_key = bin2hex(random_bytes(32));
 		if (!$this->_key) {
 			throw new RuntimeException('Invalid key generated');
 		}
diff --git a/src/Queue/Task/ExecuteTask.php b/src/Queue/Task/ExecuteTask.php
@@ -10,6 +10,7 @@
 
 use Cake\Console\CommandInterface;
 use Cake\Console\ConsoleIo;
+use Cake\Core\Configure;
 use Cake\Log\LogTrait;
 use Queue\Model\QueueException;
 use Queue\Queue\AddInterface;
@@ -85,6 +86,10 @@ public function run(array $data, int $jobId): void {
 			'accepted' => [CommandInterface::CODE_SUCCESS],
 		];
 
+		if (!$data['escape'] && !Configure::read('debug')) {
+			throw new QueueException('Command escaping must be enabled when debug mode is off for security reasons');
+		}
+
 		$command = $data['command'];
 		if ($data['escape']) {
 			$command = escapeshellcmd($data['command']);

Original file line number	Diff line number	Diff line change
`@@ -983,7 +983,7 @@ public function key(): string {`
`983`	`983`	`if ($this->_key !== null) {`
`984`	`984`	`return $this->_key;`
`985`	`985`	`}`
`986`		`- $this->_key = sha1(microtime() . mt_rand(100, 999));`
	`986`	`+ $this->_key = bin2hex(random_bytes(32));`
`987`	`987`	`if (!$this->_key) {`
`988`	`988`	`throw new RuntimeException('Invalid key generated');`
`989`	`989`	`}`