Declare ext-intl/ext-zip requirements and fix security audit findings (#213)

* Declare ext-intl and ext-zip as explicit composer requirements

DataExportService uses ZipArchive directly and the Dutch-locale
format_datetime Twig filter needs real ext-intl (the polyfill only
supports en), but composer.json only declared ext-ctype/ext-iconv.
Adding them lets `composer check-platform-reqs` catch a missing
extension before a runtime crash.

* Add authorization checks to PrepareEliminationController

index and viewElimination had no IsGranted guard, unlike every other
backoffice/elimination controller, so any authenticated user could
prepare or overwrite another season's elimination screens.

* Prevent formula injection in spreadsheet exports

Answer/candidate text starting with =, +, -, or @ was written to XLSX
exports as a live formula rather than plain text. Since seasons can
have multiple owners, a co-owner could plant a formula that runs (and
can exfiltrate data) when another owner opens the export in Excel.

* Add rate limiting to login and season-code entry points

Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.

* Add unique constraint to prevent double-submit score inflation

A candidate could submit two concurrent POSTs for the same question
before either committed, since GivenAnswer had no unique constraint
and the "next question" check was subject to a TOCTOU race — each
insert was then counted as a correct answer.

* Address CodeRabbit review findings

Include a Retry-After header on the season-code rate limit, correct
stale line references in the security audit doc, and fix a stray
comma in the reset-password email.
This commit is contained in:
2026-07-13 22:58:29 +02:00
committed by GitHub
parent 97cec66083
commit b290620cf9
21 changed files with 595 additions and 9 deletions
@@ -0,0 +1,41 @@
<?php
declare(strict_types=1);
namespace Tvdt\Tests\Repository;
use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
use PHPUnit\Framework\Attributes\CoversClass;
use Tvdt\Entity\Answer;
use Tvdt\Entity\GivenAnswer;
use Tvdt\Entity\Question;
use Tvdt\Repository\GivenAnswerRepository;
#[CoversClass(GivenAnswerRepository::class)]
final class GivenAnswerRepositoryTest extends DatabaseTestCase
{
public function testDuplicateGivenAnswerForSameQuestionIsRejected(): void
{
$krtekSeason = $this->getSeasonByCode('krtek');
$candidate = $this->getCandidateBySeasonAndName($krtekSeason, 'Tom');
$question = $this->questionRepository->findNextQuestionForCandidate($candidate);
$this->assertInstanceOf(Question::class, $question);
$answers = $question->answers;
$this->assertGreaterThanOrEqual(2, $answers->count());
$firstAnswer = $answers->first();
$secondAnswer = $answers->get(1);
$this->assertInstanceOf(Answer::class, $firstAnswer);
$this->assertInstanceOf(Answer::class, $secondAnswer);
$this->entityManager->persist(new GivenAnswer($candidate, $question->quiz, $firstAnswer));
$this->entityManager->flush();
$this->entityManager->persist(new GivenAnswer($candidate, $question->quiz, $secondAnswer));
$this->expectException(UniqueConstraintViolationException::class);
$this->entityManager->flush();
}
}