Project-Pro/aktualia.com.pl
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
aktualia.com.pl/.paul/codebase/concerns.md

133 lines
7.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Codebase Concerns
**Analysis Date:** 2026-04-27
## Security Considerations
**Credentials committed to repository:**
- Risk: DB credentials and SMTP credentials checked into version control
- Files: `_rejestracja/core/config/db.config.ini`, `_rejestracja/core/config/smtp.config.ini`
- Current mitigation: None — production secrets in plaintext in repo
- Recommendations: Move to gitignored config files; add `.gitignore` entry; rotate credentials if repo is/was public
**Web-accessible migration runners:**
- Risk: Anyone who knows the URL can trigger `ALTER TABLE` operations on production DB
- Files: `_rejestracja/sql/apply-*.php` (all runner files)
- Current mitigation: Requires `?run=YYYYMMDD` param to prevent accidental execution
- Recommendations: Move runners outside web root, or add IP/auth check before execution
**`eval()` usage in core:**
- Risk: Remote code execution if user input reaches eval
- Files: Detected in `_rejestracja/core/class/` (exact file TBD — needs verification)
- Current mitigation: Unknown — depends on what is eval'd
- Recommendations: Audit eval usage; replace with explicit logic where possible
**No input sanitization layer:**
- Risk: SQL injection if user input bypasses DAL parameterization; XSS if template escaping is skipped
- Files: `_rejestracja/controller/IndexController.php` — uses `Request::GetPost()` directly
- Current mitigation: Smarty auto-escaping in templates; DAL may use parameterized queries (verify)
- Recommendations: Audit DAL for raw query concatenation; confirm all template output uses `|escape`
## Tech Debt
**`core/_model/` directory duplication:**
- Issue: 78 files in `_rejestracja/core/_model/` mirror `_rejestracja/core/model/` but are NOT loaded by the autoloader
- Files: All files in `_rejestracja/core/_model/`
- Why: Historical backup that was never deleted
- Impact: Confusing when navigating; edits to `_model/` are silently ignored; risk of editing wrong file
- Fix approach: Delete `_rejestracja/core/_model/` entirely — it serves no runtime purpose
**Commented-out debug calls throughout controllers:**
- Issue: `//Utils::ArrayDisplay(Request::GetAllPost());` and similar calls left in code
- Files: `_rejestracja/Admin/controller/CalcController.php` (lines 54, 118), others
- Why: Dev debugging not cleaned up
- Impact: Clutter; risk of accidentally uncommenting in production
- Fix approach: Remove all commented-out debug calls during any refactor pass
**`TODO` about disc field in IndexController:**
- Issue: Unresolved logic around the `disc` field in fee calculation
- Files: `_rejestracja/controller/IndexController.php`
- Why: Deferred during earlier development
- Impact: Potentially incorrect discount pricing in edge cases
- Fix approach: Review `disc` field handling; either implement or document the intended behavior
**`setSortBy()` raw string injection:**
- Issue: `DalData::setSortBy()` injects value directly into `ORDER BY` SQL clause with no escaping
- Files: `_rejestracja/core/class/DefaultDAL.class.php`, all callers
- Why: Design choice for simplicity
- Impact: SQL injection risk if sort value ever comes from user input (currently hardcoded — low risk)
- Fix approach: Whitelist allowed sort columns; never pass user input to `setSortBy()`
## Fragile Areas
**`core/core.php` autoloader:**
- Files: `_rejestracja/core/core.php`
- Why fragile: `spl_autoload_register` loads from `core/model/` — if class naming deviates from `Mf{Entity}.class.php` convention, autoload silently fails
- Common failures: Editing `core/_model/` instead of `core/model/` (no error, just stale behavior)
- Safe modification: Always verify you're editing `core/model/` not `core/_model/`
**`$fields` array in model classes:**
- Files: All `_rejestracja/core/model/Mf*.class.php`
- Why fragile: `$fields` array must exactly match DB column names; mismatch means property reads `null` silently
- Common failures: Adding a DB column without updating `$fields`; typo in column name
- Safe modification: After adding to `$fields`, verify getter returns expected value from DB
**Smarty template variable assignment:**
- Files: All `_rejestracja/template/` and `_rejestracja/Admin/template/` `.tpl` files
- Why fragile: If controller doesn't `assign()` a variable, Smarty silently outputs empty string — no error
- Common failures: Renaming a controller variable without updating template references
- Safe modification: Search for the variable name in both controller and all related templates before renaming
## Known Bugs
**`RegDeleteAction` deletes wrong record:**
- Symptoms: `CalcController::RegDeleteAction` calls `MfParametersDAL::Delete($dalData)` instead of `MfParticipantDAL::Delete($dalData)` — DAL class mismatch
- Files: `_rejestracja/Admin/controller/CalcController.php` lines 187206
- Workaround: Unknown — may delete a pricing parameter row instead of the participant
- Root cause: Copy-paste error in controller method; wrong DAL class referenced
## Performance Bottlenecks
**No query caching:**
- Problem: Every request hits MySQL — `mf_dictionary` is read on every page load for every `{translate}` call
- Files: `_rejestracja/core/model/MfDictionaryDAL.class.php`, all templates using `{translate}`
- Cause: No caching layer; MySQL query per translation key
- Improvement path: Cache dictionary in PHP session or static array per request
**No pagination on admin registration list:**
- Problem: `CalcController::RegAction` loads all `mf_participant` rows into memory with no LIMIT
- Files: `_rejestracja/Admin/controller/CalcController.php` (RegAction), `_rejestracja/Admin/template/partial/Calc/Reg.tpl`
- Cause: `DalData` has no pagination set; template has commented-out pager HTML
- Impact: Will degrade significantly as registration count grows past a few hundred rows
## Dependencies at Risk
**PHP 5.x:**
- Risk: PHP 5.x is end-of-life since December 2018; no security patches
- Impact: Known PHP 5.x vulnerabilities unpatched on production server
- Migration plan: Requires testing all code for PHP 7.x/8.x compatibility (significant effort)
**jQuery 1.x:**
- Risk: jQuery 1.x is unmaintained; known XSS vulnerabilities in older versions
- Impact: Frontend JS security issues
- Migration plan: Upgrade to jQuery 3.x or replace with vanilla JS
**Bundled Smarty / PHPMailer:**
- Risk: Vendor-bundled libraries in `core/lib/` may be outdated versions with unpatched CVEs
- Impact: Template injection (Smarty), email header injection (PHPMailer)
- Migration plan: Replace with Composer-managed dependencies and current versions
## Test Coverage Gaps
**Everything — no tests exist:**
- What's not tested: All application logic
- Files: All of `_rejestracja/`
- Risk: Any code change could introduce silent regressions; verified by manual testing only
- Priority: High for `IndexController.php` (primary user-facing flow) and `DefaultDAL.class.php` (affects all DB operations)
- Difficulty to test: Medium — PHP 5.x compatible test framework required; DAL tests need DB fixture
---
*Concerns audit: 2026-04-27*
*Update as issues are fixed or new ones discovered*
Reference in New Issue View Git Blame Copy Permalink