Skip to content

fix(security): resolve 4 critical security findings (v2.3.1)#21

Merged
devsimsek merged 1 commit into
mainfrom
dev
Jul 5, 2026
Merged

fix(security): resolve 4 critical security findings (v2.3.1)#21
devsimsek merged 1 commit into
mainfrom
dev

Conversation

@devsimsek

Copy link
Copy Markdown
Owner

Summary

Resolves 4 of 6 critical security findings from the deep security audit (SDF-56 to SDF-100). Non-breaking patch release bumping 2.3.0 → 2.3.1.

Fixes

ID Surface Fix
SDF-56 app/handlers/errors.php Reflected XSS in 404/405 error handlers. Escape $requestPath/$requestMethod with htmlspecialchars(ENT_QUOTES|ENT_SUBSTITUTE|ENT_HTML5, 'UTF-8'); set explicit Content-Type: text/html; charset=UTF-8 and HTTP status before output
SDF-58 sdf/core/Cache/Cache.php Cache::normalizeKey() was defined but never invoked. Wired it into all 9 facade methods (get, set, delete, has, forget, getMultiple, setMultiple, deleteMultiple). Added PSR-16 empty-key guard throwing InvalidArgumentException
SDF-60 sdf/core/Fuse.php, sdf/core/Loader.php extract() used EXTR_OVERWRITE default - view data keys like cacheFile/viewName could hijack the require path (LFI/RCE). Changed to EXTR_SKIP in both. Renamed Loader::view() param $name$view so EXTR_SKIP doesn't block the common ['name' => ...] view variable (positional, no caller breakage)
SDF-61 sdf/core/Request.php X-Forwarded-For was trusted by default when SDF_TRUSTED_PROXIES unset - any client could spoof IP and bypass rate limiting. Inverted to default-deny: returns REMOTE_ADDR only unless trusted proxy configured. Removed HTTP_CLIENT_IP fallback entirely

Version bump

2.3.02.3.1 in sdf/__init.php (SDF_VERSION constant) and index.php docblock.

Verification

  • PHPUnit: 441 tests, 780 assertions, 0 failures
  • PHPStan level 5: No errors
  • PHP-CS-Fixer: 0 files need fixing

Wiki updates

Updated 6 wiki pages to reflect v2.3.1 changes:

  • app/handlers.md - new Error Handlers section with escaping pattern
  • libraries/caching.md - Key normalization subsection, allowed_classes caveat
  • libraries/fuse.md - Safe variable extraction (EXTR_SKIP), htmlspecialchars notes
  • libraries/middleware.md - Default-deny X-Forwarded-For with behavior table + upgrade note
  • libraries/request.md - ip() signature updated
  • sdf/core.md - Loader::view() param rename note

- SDF-56: Escape output in 404/405 error handlers, set Content-Type
- SDF-58: Wire Cache::normalizeKey() into all facade methods + empty-key guard
- SDF-60: Use EXTR_SKIP in Fuse/Loader extract() to prevent LFI via variable overwrite
- SDF-61: Invert X-Forwarded-For trust default (deny when no trusted proxy)
- Bump version 2.3.0 -> 2.3.1
@devsimsek

Copy link
Copy Markdown
Owner Author

Hey you lil-interested fella. I wanted to write an informal comment for you; If you haven't noticed yet, sdf is getting better and better day by day and I have great plans for v3.

Before I can start working on that, I need to fix some issues; most of them I found myself, some coming from users of the framework and some coming from oss llm reviews; fyi I am mostly writing the code myself and doing the code review by hand. Recently I tried using copilot (hosted by GitHub) to automate this process but believe me, it sucked.

So, from now on I will be using my intelligence and some experimental llms engineered and created by me (not trained, developed from scratch! - it's called Saddle!)

Thank you for your interest in my little project; I have been working on this framework starting from when I was in middle school! It's just too enjoyable!!!

@devsimsek

Copy link
Copy Markdown
Owner Author

All checks have passed, lgtm!

After code review, we can merge.

@devsimsek

Copy link
Copy Markdown
Owner Author

Review complete, lgtm!

Let's merge!

@devsimsek devsimsek self-assigned this Jul 5, 2026
@devsimsek devsimsek merged commit 1913104 into main Jul 5, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant