Project-Pro/shopPRO
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: faza 1 - usuniecie debug logu tpay, naprawa SQL i usun rb.php

Browse Source 
- ShopOrderController: usunieto file_put_contents do tpay.txt (ujawnial dane platnicze)
- ShopOrderController: hardcoded sekret HotPay przeniesiony do stałej HOTPAY_HASH_SEED
- IntegrationsRepository: zastapiono raw SQL query('SELECT * FROM $table') metodą Medoo select()
- index.php + admin/index.php: usunieto RedBeanPHP (rb.php) - biblioteka byla ladowana ale nieuzywana
- libraries/rb.php: usunieto plik (536 KB, zero uzyc w kodzie aplikacji)
- Testy IntegrationsRepository zaktualizowane do nowego API (select zamiast query)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacek
2026-03-12 09:18:37 +01:00
parent f268e3b5d4
commit 167b11679d
6 changed files with 23 additions and 17546 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
admin/index.php
View File

@@ -31,17 +31,9 @@ function __autoload_my_classes( $classname )
spl_autoload_register( '__autoload_my_classes' ); spl_autoload_register( '__autoload_my_classes' );
require_once '../config.php'; require_once '../config.php';
require_once '../libraries/medoo/medoo.php'; require_once '../libraries/medoo/medoo.php';
require_once '../libraries/rb.php';
require_once '../libraries/phpmailer/class.phpmailer.php'; require_once '../libraries/phpmailer/class.phpmailer.php';
require_once '../libraries/phpmailer/class.smtp.php'; require_once '../libraries/phpmailer/class.smtp.php';
define( 'REDBEAN_MODEL_PREFIX', '' );
\R::setup( 'mysql:host=' . $database['host'] . ';dbname=' . $database['name'], $database['user'], $database['password'] );
\R::ext( 'xdispense', function ( $type )
{
return R::getRedBean() -> dispense( $type );
} );
date_default_timezone_set( 'Europe/Warsaw' ); date_default_timezone_set( 'Europe/Warsaw' );
$mdb = new medoo( [ $mdb = new medoo( [

5
autoload/Domain/Integrations/IntegrationsRepository.php
View File

@@ -28,10 +28,9 @@ class IntegrationsRepository
public function getSettings( string $provider ): array public function getSettings( string $provider ): array
{ {
$table = $this->settingsTable( $provider ); $table = $this->settingsTable( $provider );
$stmt = $this->db->query( "SELECT * FROM $table" ); $rows = $this->db->select( $table, [ 'name', 'value' ] );
$results = $stmt ? $stmt->fetchAll( \PDO::FETCH_ASSOC ) : [];
$settings = []; $settings = [];
foreach ( $results as $row ) foreach ( $rows ?: [] as $row )
$settings[$row['name']] = $row['value']; $settings[$row['name']] = $row['value'];
return $settings; return $settings;

6
autoload/front/Controllers/ShopOrderController.php
View File

@@ -6,6 +6,8 @@ use Domain\Order\OrderAdminService;
class ShopOrderController class ShopOrderController
{ {
private const HOTPAY_HASH_SEED = 'ProjectPro1916;';
private $repository; private $repository;
private $adminService; private $adminService;
@@ -29,8 +31,6 @@ class ShopOrderController
public function paymentStatusTpay() public function paymentStatusTpay()
{ {
file_put_contents( 'tpay.txt', print_r( $_POST, true ) . print_r( $_GET, true ), FILE_APPEND );
if ( \Shared\Helpers\Helpers::get( 'tr_status' ) == 'TRUE' && \Shared\Helpers\Helpers::get( 'tr_crc' ) ) if ( \Shared\Helpers\Helpers::get( 'tr_status' ) == 'TRUE' && \Shared\Helpers\Helpers::get( 'tr_crc' ) )
{ {
$order = $this->repository->findRawByHash( \Shared\Helpers\Helpers::get( 'tr_crc' ) ); $order = $this->repository->findRawByHash( \Shared\Helpers\Helpers::get( 'tr_crc' ) );
@@ -102,7 +102,7 @@ class ShopOrderController
$summary_tmp += $order['transport_cost']; $summary_tmp += $order['transport_cost'];
endif; endif;
if ( hash( "sha256", "ProjectPro1916;" . round( $summary_tmp, 2 ) . ";" . $_POST["ID_PLATNOSCI"] . ";" . $_POST["ID_ZAMOWIENIA"] . ";" . $_POST["STATUS"] . ";" . $_POST["SEKRET"] ) == $_POST["HASH"] ) if ( hash( "sha256", self::HOTPAY_HASH_SEED . round( $summary_tmp, 2 ) . ";" . $_POST["ID_PLATNOSCI"] . ";" . $_POST["ID_ZAMOWIENIA"] . ";" . $_POST["STATUS"] . ";" . $_POST["SEKRET"] ) == $_POST["HASH"] )
{ {
if ( $_POST["STATUS"] == "SUCCESS" ) if ( $_POST["STATUS"] == "SUCCESS" )
{ {

8
index.php
View File

@@ -22,17 +22,9 @@ date_default_timezone_set( 'Europe/Warsaw' );
require_once 'config.php'; require_once 'config.php';
require_once 'libraries/medoo/medoo.php'; require_once 'libraries/medoo/medoo.php';
require_once 'libraries/rb.php';
require_once 'libraries/phpmailer/class.phpmailer.php'; require_once 'libraries/phpmailer/class.phpmailer.php';
require_once 'libraries/phpmailer/class.smtp.php'; require_once 'libraries/phpmailer/class.smtp.php';
\R::setup( 'mysql:host=' . $database[ 'host' ] . ';dbname=' . $database[ 'name' ], $database[ 'user' ], $database[ 'password' ] );
\R::ext( 'xdispense', function ( $type )
{
return R::getRedBean() -> dispense( $type );
} );
$pdo = \R::getPDO();
session_start(); session_start();
if ( !isset( $_SESSION[ 'check' ] ) ) if ( !isset( $_SESSION[ 'check' ] ) )

17480
libraries/rb.php
View File

File diff suppressed because it is too large Load Diff

62
tests/Unit/Domain/Integrations/IntegrationsRepositoryTest.php
View File

@@ -17,20 +17,14 @@ class IntegrationsRepositoryTest extends TestCase
public function testGetSettingsReturnsArray(): void public function testGetSettingsReturnsArray(): void
{ {
$stmt = $this->createMock(\PDOStatement::class); $this->mockDb->expects($this->once())
$stmt->expects($this->once()) ->method('select')
->method('fetchAll') ->with('pp_shop_apilo_settings', ['name', 'value'])
->with(\PDO::FETCH_ASSOC)
->willReturn([ ->willReturn([
['name' => 'client-id', 'value' => 'abc123'], ['name' => 'client-id', 'value' => 'abc123'],
['name' => 'client-secret', 'value' => 'secret'], ['name' => 'client-secret', 'value' => 'secret'],
]); ]);
$this->mockDb->expects($this->once())
->method('query')
->with('SELECT * FROM pp_shop_apilo_settings')
->willReturn($stmt);
$settings = $this->repository->getSettings('apilo'); $settings = $this->repository->getSettings('apilo');
$this->assertIsArray($settings); $this->assertIsArray($settings);
@@ -144,10 +138,7 @@ class IntegrationsRepositoryTest extends TestCase
public function testApiloGetAccessTokenReturnsNullWithoutSettings(): void public function testApiloGetAccessTokenReturnsNullWithoutSettings(): void
{ {
$stmt = $this->createMock(\PDOStatement::class); $this->mockDb->method('select')->willReturn([]);
$stmt->method('fetchAll')->willReturn([]);
$this->mockDb->method('query')->willReturn($stmt);
$this->assertNull($this->repository->apiloGetAccessToken()); $this->assertNull($this->repository->apiloGetAccessToken());
} }
@@ -184,16 +175,10 @@ class IntegrationsRepositoryTest extends TestCase
public function testApiloFetchListResultReturnsDetailedErrorWhenConfigMissing(): void public function testApiloFetchListResultReturnsDetailedErrorWhenConfigMissing(): void
{ {
$stmt = $this->createMock(\PDOStatement::class);
$stmt->expects($this->once())
->method('fetchAll')
->with(\PDO::FETCH_ASSOC)
->willReturn([]);
$this->mockDb->expects($this->once()) $this->mockDb->expects($this->once())
->method('query') ->method('select')
->with('SELECT * FROM pp_shop_apilo_settings') ->with('pp_shop_apilo_settings', ['name', 'value'])
->willReturn($stmt); ->willReturn([]);
$result = $this->repository->apiloFetchListResult('payment'); $result = $this->repository->apiloFetchListResult('payment');
@@ -204,16 +189,10 @@ class IntegrationsRepositoryTest extends TestCase
public function testApiloIntegrationStatusReturnsMissingConfigMessage(): void public function testApiloIntegrationStatusReturnsMissingConfigMessage(): void
{ {
$stmt = $this->createMock(\PDOStatement::class);
$stmt->expects($this->once())
->method('fetchAll')
->with(\PDO::FETCH_ASSOC)
->willReturn([]);
$this->mockDb->expects($this->once()) $this->mockDb->expects($this->once())
->method('query') ->method('select')
->with('SELECT * FROM pp_shop_apilo_settings') ->with('pp_shop_apilo_settings', ['name', 'value'])
->willReturn($stmt); ->willReturn([]);
$status = $this->repository->apiloIntegrationStatus(); $status = $this->repository->apiloIntegrationStatus();
@@ -242,25 +221,20 @@ class IntegrationsRepositoryTest extends TestCase
public function testSettingsTableMapping(): void public function testSettingsTableMapping(): void
{ {
// Verify apilo maps correctly $this->mockDb->method('select')
$stmt = $this->createMock(\PDOStatement::class); ->with('pp_shop_apilo_settings', ['name', 'value'])
$stmt->method('fetchAll')->willReturn([]); ->willReturn([]);
$this->mockDb->method('query')
->with($this->stringContains('pp_shop_apilo_settings'))
->willReturn($stmt);
$this->assertIsArray($this->repository->getSettings('apilo')); $this->assertIsArray($this->repository->getSettings('apilo'));
} }
public function testShopproProviderWorks(): void public function testShopproProviderWorks(): void
{ {
$stmt = $this->createMock(\PDOStatement::class); $this->mockDb->method('select')
$stmt->method('fetchAll')->willReturn([ ->with('pp_shop_shoppro_settings', ['name', 'value'])
['name' => 'domain', 'value' => 'test.com'], ->willReturn([
]); ['name' => 'domain', 'value' => 'test.com'],
$this->mockDb->method('query') ]);
->with($this->stringContains('pp_shop_shoppro_settings'))
->willReturn($stmt);
$settings = $this->repository->getSettings('shoppro'); $settings = $this->repository->getSettings('shoppro');
$this->assertSame('test.com', $settings['domain']); $this->assertSame('test.com', $settings['domain']);