Skip to content

N°9654 - Reduce surface attack on config file rights during setup#932

Merged
Lenaick merged 2 commits into
developfrom
feature/9654-reduce-surface-attack-on-config-file-rights-during-setup
Jun 9, 2026
Merged

N°9654 - Reduce surface attack on config file rights during setup#932
Lenaick merged 2 commits into
developfrom
feature/9654-reduce-surface-attack-on-config-file-rights-during-setup

Conversation

@Lenaick

@Lenaick Lenaick commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

N°9654 - Reduce surface attack on config file rights during setup

@CombodoApplicationsAccount CombodoApplicationsAccount added the internal Work made by Combodo label Jun 9, 2026
@greptile-apps

greptile-apps Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR changes setup authorization and config-file permission handling during installation. The main changes are:

  • Setup AJAX calls now rely on the session setup token instead of an authent request parameter.
  • Wizard pages no longer render hidden setup-token inputs.
  • wizard.php now hardens an existing writable config file before creating the setup token.
  • The data feature removal bridge now uses the session token when returning to setup.
  • The final setup page no longer posts admin credentials to enter iTop.

Confidence Score: 3/5

These issues should be fixed before merging.

  • The cleanup bridge can create a setup token while deletion is still pending.

  • The setup token can stay valid across the cleanup workflow.

  • Config permission hardening can fail silently while setup continues.

  • DataFeatureRemovalController.php needs the token and deletion-state logic corrected.

  • setup/wizard.php needs explicit handling when config hardening fails.

Important Files Changed
Filename Overview
datamodels/2.x/combodo-data-feature-removal/src/Controller/DataFeatureRemovalController.php Moves cleanup bridge authorization to the session token but leaves the token alive and checks the wrong deletion flag.
setup/wizard.php Adds early config permission hardening before setup-token creation but does not handle chmod failure.

Reviews (1): Last reviewed commit: "N°9654 - Reduce surface attack on config..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 9, 2026
View reviewed changes
Comment thread datamodels/2.x/combodo-data-feature-removal/src/Controller/DataFeatureRemovalController.php
Comment on lines +199 to +201
if (!$aParams['bHasDeletionNeeded']) {
SetupUtils::CreateSetupToken();
}

@greptile-apps greptile-apps Bot Jun 9, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Use the right flag

This branch checks bHasDeletionNeeded, but the code only sets bDeletionNeeded a few lines above. The missing key is treated as null, so this condition is always true and PHP can emit a warning. When the analysis still has deletion work to do, this still creates a fresh setup token even though the cleanup flow has not completed.

Suggested change
if (!$aParams['bHasDeletionNeeded']) {
SetupUtils::CreateSetupToken();
}
if (!$aParams['bDeletionNeeded']) {
SetupUtils::CreateSetupToken();
}

@Lenaick Lenaick merged commit 733eea8 into develop Jun 9, 2026
@Lenaick Lenaick deleted the feature/9654-reduce-surface-attack-on-config-file-rights-during-setup branch June 9, 2026 14:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

@Lenaick Lenaick

Labels

internal Work made by Combodo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Lenaick @CombodoApplicationsAccount