Commit Graph

9 Commits

Author SHA1 Message Date
Marijn b290620cf9 Declare ext-intl/ext-zip requirements and fix security audit findings (#213)
* Declare ext-intl and ext-zip as explicit composer requirements

DataExportService uses ZipArchive directly and the Dutch-locale
format_datetime Twig filter needs real ext-intl (the polyfill only
supports en), but composer.json only declared ext-ctype/ext-iconv.
Adding them lets `composer check-platform-reqs` catch a missing
extension before a runtime crash.

* Add authorization checks to PrepareEliminationController

index and viewElimination had no IsGranted guard, unlike every other
backoffice/elimination controller, so any authenticated user could
prepare or overwrite another season's elimination screens.

* Prevent formula injection in spreadsheet exports

Answer/candidate text starting with =, +, -, or @ was written to XLSX
exports as a live formula rather than plain text. Since seasons can
have multiple owners, a co-owner could plant a formula that runs (and
can exfiltrate data) when another owner opens the export in Excel.

* Add rate limiting to login and season-code entry points

Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.

* Add unique constraint to prevent double-submit score inflation

A candidate could submit two concurrent POSTs for the same question
before either committed, since GivenAnswer had no unique constraint
and the "next question" check was subject to a TOCTOU race — each
insert was then counted as a correct answer.

* Address CodeRabbit review findings

Include a Retry-After header on the season-code rate limit, correct
stale line references in the security audit doc, and fix a stray
comma in the reset-password email.
2026-07-13 22:58:29 +02:00
Marijn 5d92d91432 fix: trust X-Forwarded-Proto header from Traefik proxy (#189)
Traefik terminates TLS and forwards requests over HTTP internally,
setting X-Forwarded-Proto: https. Without trusting this header,
Symfony generates http:// URLs (e.g. in password reset emails).
2026-07-08 07:45:07 +00:00
Marijn 81e471a760 Change namespace to Tvdt 2025-09-28 18:14:58 +02:00
Marijn 4e22feb256 Update framework.yaml 2025-04-22 23:49:20 +02:00
Marijn 0f07e7eabf Phpstan 2025-04-22 23:42:07 +02:00
Marijn 7b05e52d95 A lot 2025-04-22 22:25:18 +02:00
Marijn acd85bfc2b Fix csrf-tokens 2025-04-21 14:09:02 +02:00
Marijn f7b4b98da4 Refactor YAML and Twig files for consistent indentation and formatting
CI / Tests (push) Failing after 10m32s
CI / Docker Lint (push) Successful in 9s
2025-03-05 22:47:59 +01:00
Marijn 628bfa22f0 Start of Symfony 2024-12-29 14:58:03 +01:00