drmaterac.pl/.paul/codebase/concerns.md

Codebase Concerns

Analysis Date: 2026-05-10

Severity legend: CRITICAL (immediate fix), HIGH (next sprint), MEDIUM (planned), LOW (track).

Critical Security

Hardcoded credentials committed to repository — CRITICAL

• Files: buy-by-phone.php (lines ~11–28: reCAPTCHA secret 6LeJAUUsAAAAAIyCrwFMrsw9yQLPgnCWCOHPcjc8, SMTP passwords 8njIZnAb, kM4BU_F_), app/config/parameters.php (DB password eRbZ]Ioh-0-2]fM+, app secret LStbzv3bfsMaq5dvsVR5wXt8dEpe63IAx2uOHffpbK9gy9x4EZsjWeRM, cookie keys)
• Why: convenience during development — never moved to env vars
• Impact: full DB compromise, mail account takeover, session forgery if repo or backups leak; secrets remain valid in git history
• Fix: rotate ALL exposed credentials immediately → move to environment variables (or Docker secrets) → load via getenv() → purge from git history (git filter-repo / BFG) → add the file to .gitignore

Diagnostic / phpinfo files exposed in webroot — CRITICAL

• Files: diag_20792_tmp.php (2.6 KB), diag_upload_tmp.php (4.4 KB), diag_fix_tmp.php (14 B), info.php (14 B — almost certainly <?php phpinfo();)
• Why: ad-hoc debug scripts left after a 2026-03-05 incident (feat: update diagnostic scripts and configuration for improved product data handling, commit 194405bc)
• Impact: info.php discloses full PHP environment to anyone; diag scripts run raw SQL with weak $_GET['key'] !== 'diag2026' gate (security through obscurity, easily bypassed)
• Fix: delete these 4 files now; if production deploy mirrors repo, also delete on server; consider reverting commit 194405bc

Unsanitized $_POST / $_GET in custom scripts — HIGH

• Files: buy-by-phone.php lines 29–58 (17 direct $_POST[...] accesses) and lines 83–94 (POST values injected into HTML email body — XSS via mail / SMTP header injection); category-description.php line 7 ($url = $_GET['url'])
• Why: written outside PrestaShop conventions
• Impact: header injection, mail-relay abuse, stored XSS in support inboxes
• Fix: replace with Tools::getValue('field', '') (PrestaShop sanitizer) and escape on output (htmlspecialchars, Tools::safeOutput); validate email with Validate::isEmail(); add reCAPTCHA verification result check before send

SQL string concatenation in custom scripts — HIGH

• Files: diag_20792_tmp.php lines 23–49, diag_upload_tmp.php lines 22–50, import-product.php lines 63–93
• Why: legacy PrestaShop pattern (pSQL() instead of bound parameters)
• Impact: any unsanitized input flowing into these queries is an injection vector
• Fix: delete diag scripts; refactor import-product.php to use Db::getInstance() with proper escaping or Doctrine DBAL parameterized queries; never concatenate user input into SQL

Database backups + 5 MB error log inside webroot — HIGH

• Files: iadmin/backups/ (e.g. 1698930967-7683b7af.sql.bz2), iadmin/errors.log (5 MB, 26 months of PHP errors), errors.log (root)
• Why: standard PrestaShop default location; iadmin/ is the renamed admin folder (still under DocumentRoot)
• Impact: SQL dumps directly downloadable if URL guessed; error log discloses paths and module internals
• Fix: move backups outside DocumentRoot or Deny from all via .htaccess; rotate logs to /var/log/...; add errors.log, *.log, iadmin/backups/, iadmin/errors.log to .gitignore

Tech Debt

Backup and obsolete files committed — HIGH

• Files: backup_before_patch/As4SearchEngine.php.backup (160 KB), backup_before_patch/As4SearchEngineDb.php.backup (3.4 KB), backup_before_patch/pm_advancedsearch4.php.backup (279 KB)
• Why: manual snapshot taken before patching the search engine module
• Impact: bloats repo, confuses code search, may shadow current implementation in IDEs
• Fix: delete the directory; rely on git log for history; add *.backup, backup_before_patch/ to .gitignore

Oversized root-level scripts — MEDIUM

• Files: import-product.php (813 lines / 32 KB — fetches and applies external XML feed), buy-by-phone.php (122 lines — manual PHPMailer + reCAPTCHA)
• Why: written as single-file utilities
• Impact: hard to test, no transaction safety in importer, no logging of import results
• Fix approach: extract import-product.php into a proper PrestaShop module or CLI command (bin/console-style), wrap DB writes in transactions, add structured logging; convert buy-by-phone.php into a ModuleFrontController

429-line .htaccess with hardcoded SEO redirects — MEDIUM

• File: .htaccess (~100 manual RewriteRule ^...$ /s/.../...? redirects, lines 14–370+)
• Impact: not maintainable, regex conflicts likely, no audit trail
• Fix: migrate to a database-driven redirect table + module that emits 301s in hookActionDispatcher (or use modules/x13linkrewrite/)

107 undocumented core overrides — MEDIUM

• Files: override/classes/ (31 files — Cart.php, CartRule.php, Product.php, Hook.php, Dispatcher.php, controller/FrontController.php, controller/ProductListingFrontController.php, …) plus 76 more under override/
• Why: each accumulated over time to extend core behavior
• Impact: every PrestaShop upgrade requires manual override review; no inline doc states why each override exists
• Fix: add a header comment to each override stating purpose + ticket; consider moving simple cases to module hooks

Stale stack — PrestaShop 1.7.8.11 / PHP 7.4 — MEDIUM

• File: app/AppKernel.php line 35 (const VERSION = '1.7.8.11')
• Why: production stability
• Impact: missing security patch 1.7.8.12; PHP 7.4 reached EOL 2022-11-28 (no upstream security fixes); core 1.7.x EOL since 2021-10
• Fix: apply 1.7.8.12 patch first (minor), then plan migration to PrestaShop 8.x or 9.x; PHP 8.2 already in runtime — verify all modules under PHP 8.x compat-checker

iadmin/autoupgrade/ contains prestashop_1.7.5.1.zip left in webroot — MEDIUM

• Why: artifact of a past upgrade attempt
• Impact: downloadable archive exposing core source paths
• Fix: delete

Performance

Custom cross-sell module clean — no concerns

• File: modules/crosssellpro/crosssellpro.php
• Uses Product::getAccessoriesLight() (efficient) + Product::getProductsProperties(); filters with Shop::addSqlAssociation; respects DEFAULT_LIMIT = 12
• No N+1 detected

No application-level caching active

• Memcached configured but disabled (app/config/parameters.php)
• Page cache module installed (modules/pagecache/) — verify it is enabled in production
• Fix: enable Memcached + verify pagecache configuration; add OPcache validation if not on

Fragile Areas

Override chain in override/classes/

• Why fragile: Cart::getOrderTotal() extension depends on ets_promotion module presence (override/classes/Cart.php line ~55); Hook::exec extension depends on pagecache (override/classes/Hook.php line ~42)
• Common failures: removing one of those modules without cleaning up the override leaves dead branches
• Safe modification: read the override + the referenced module's hook surface together; never edit core classes/ directly

Recurring header-modification errors in admin

• Source: iadmin/errors.log shows repeated errors at AdminCartRulesController.php:121 (output before header() call)
• Trigger: editing cart rules in back-office
• Likely cause: a module emitting whitespace before <?php or echoing in init()

MySQL "server has gone away" entries

• Source: iadmin/errors.log
• Likely cause: long-running scripts (import-product.php?) exceeding wait_timeout
• Fix: increase wait_timeout/mysql.connect_timeout in PHP config or call Db::getInstance()->disconnect() + reconnect for long-running batch jobs

Test Coverage Gaps

• Custom modules have NO tests — modules/crosssellpro/, modules/caraty/
• No tests for import-product.php (highest-risk script — bulk DB writes, no rollback)
• No tests for buy-by-phone.php (handles user input + sends mail)
• Risk: regressions land silently; manual browser testing is the only safety net

Documentation Gaps

• No README.md at repo root (only PrestaShop's stock files)
• 31 core overrides — none have purpose comments
• iadmin/errors.log retains 26 months of error history but no rotation policy

Deletion Candidates (Quick Wins)

diag_20792_tmp.php
diag_fix_tmp.php
diag_upload_tmp.php
info.php
errors.log
backup_before_patch/
iadmin/errors.log
iadmin/autoupgrade/prestashop_1.7.5.1.zip
themes/classic.zip   # (verify needed)
themes/leo_gstore.zip

Add to .gitignore: errors.log, *.log, *.backup, backup_before_patch/, iadmin/backups/, iadmin/errors.log, iadmin/autoupgrade/*.zip.

---

Concerns audit: 2026-05-10 Update as issues are fixed or new ones discovered