Release v1.2.0: Security improvements, performance optimizations, and version management

Author: toadbeatz

src/Cache/SwooleCacheAdapter.php

@@ -30,10 +30,25 @@ public function get(string $key, callable $callback, ?float $beta = null, ?array
             $item = $this->table->get($fullKey);
             if ($item && isset($item['value']) && isset($item['expires'])) {
                 if ($item['expires'] > \time()) {
-                    return \unserialize($item['value']);
+                    try {
+                        // Use error suppression with validation for security
+                        $value = @\unserialize($item['value'], ['allowed_classes' => true]);
+                        if ($value === false && $item['value'] !== \serialize(false)) {
+                            // Invalid serialized data, remove corrupted entry
+                            $this->table->del($fullKey);
+                            // Fall through to callback
+                        } else {
+                            return $value;
+                        }
+                    } catch (\Throwable $e) {
+                        // Corrupted cache entry, remove it
+                        $this->table->del($fullKey);
+                        // Fall through to callback
+                    }
+                } else {
+                    // Expired, remove it
+                    $this->table->del($fullKey);
                 }
-                // Expired, remove it
-                $this->table->del($fullKey);
             }
         }
 

src/Queue/SwooleQueue.php

@@ -96,7 +96,18 @@ public function pop(): mixed
             $this->head->set(($head + 1) % $this->maxSize);
             $this->sizeCounter->decrement();
 
-            return \unserialize($item['value']);
+            try {
+                // Use error suppression with validation for security
+                $value = @\unserialize($item['value'], ['allowed_classes' => true]);
+                if ($value === false && $item['value'] !== \serialize(false)) {
+                    // Invalid serialized data
+                    return null;
+                }
+                return $value;
+            } catch (\Throwable $e) {
+                // Corrupted queue entry
+                return null;
+            }
         } finally {
             $this->lock->unlock();
         }
@@ -120,7 +131,22 @@ public function peek(): mixed
             $key = 'item_' . $head;
             $item = $this->table->get($key);
 
-            return $item ? \unserialize($item['value']) : null;
+            if (!$item) {
+                return null;
+            }
+            
+            try {
+                // Use error suppression with validation for security
+                $value = @\unserialize($item['value'], ['allowed_classes' => true]);
+                if ($value === false && $item['value'] !== \serialize(false)) {
+                    // Invalid serialized data
+                    return null;
+                }
+                return $value;
+            } catch (\Throwable $e) {
+                // Corrupted queue entry
+                return null;
+            }
         } finally {
             $this->lock->unlock();
         }

src/Server/HttpServerManager.php

@@ -271,10 +271,18 @@ private function convertSwooleRequestToSymfony($swooleRequest): Request
         $headers = $swooleRequest->header ?? [];
         $server = $swooleRequest->server ?? [];
 
+        // Validate and sanitize input to prevent header injection
+        $maxHeaderLength = 8192; // RFC 7230 limit
+        $maxUriLength = 8192; // RFC 7230 limit
+
         // Convert Swoole server variables to PHP $_SERVER format
         $serverVars = [];
         foreach ($server as $key => $value) {
-            $serverVars[\strtoupper($key)] = $value;
+            // Sanitize key
+            $key = \strtoupper((string) $key);
+            // Sanitize value - prevent header injection
+            $value = \is_string($value) ? \substr((string) $value, 0, $maxHeaderLength) : $value;
+            $serverVars[$key] = $value;
         }
 
         // Add headers to server vars
@@ -283,13 +291,19 @@ private function convertSwooleRequestToSymfony($swooleRequest): Request
             $serverVars[$key] = $value;
         }
 
-        // Set basic server vars
-        $serverVars['REQUEST_METHOD'] = $server['request_method'] ?? 'GET';
-        $serverVars['REQUEST_URI'] = $server['request_uri'] ?? '/';
+        // Set basic server vars with validation
+        $requestUri = $server['request_uri'] ?? '/';
+        // Validate URI length
+        if (\strlen($requestUri) > $maxUriLength) {
+            $requestUri = \substr($requestUri, 0, $maxUriLength);
+        }
+        
+        $serverVars['REQUEST_METHOD'] = \strtoupper($server['request_method'] ?? 'GET');
+        $serverVars['REQUEST_URI'] = $requestUri;
         $serverVars['SERVER_PROTOCOL'] = $server['server_protocol'] ?? 'HTTP/1.1';
         $serverVars['SERVER_NAME'] = $server['server_name'] ?? 'localhost';
-        $serverVars['SERVER_PORT'] = $server['server_port'] ?? 80;
-        $serverVars['QUERY_STRING'] = $server['query_string'] ?? '';
+        $serverVars['SERVER_PORT'] = (int) ($server['server_port'] ?? 80);
+        $serverVars['QUERY_STRING'] = \substr((string) ($server['query_string'] ?? ''), 0, $maxHeaderLength);
 
         // Handle content type for POST requests
         if (isset($headers['content-type'])) {
@@ -335,6 +349,22 @@ private function sendResponse($swooleResponse, Response $response): void
             }
         }
 
+        // Add security headers if not already set (only in production)
+        if (!$this->kernel->isDebug()) {
+            $securityHeaders = [
+                'X-Content-Type-Options' => 'nosniff',
+                'X-Frame-Options' => 'DENY',
+                'X-XSS-Protection' => '1; mode=block',
+                'Referrer-Policy' => 'strict-origin-when-cross-origin',
+            ];
+            
+            foreach ($securityHeaders as $header => $value) {
+                if (!$response->headers->has($header)) {
+                    $swooleResponse->header($header, $value);
+                }
+            }
+        }
+
         // Get content
         $content = $response->getContent();
 

src/SwooleBundle.php

@@ -7,14 +7,20 @@
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 
 /**
- * Swoole Bundle for Symfony 7
+ * Swoole Bundle for Symfony 7/8
  * 
  * High-performance bundle exploiting all Swoole 6.1 capabilities
  * 
  * @author toadbeatz
  */
 class SwooleBundle extends Bundle
 {
+    /**
+     * Bundle version
+     * This is the single source of truth for the bundle version
+     */
+    public const VERSION = '1.2.0';
+
     public function getPath(): string
     {
         return \dirname(__DIR__);