Prep: v1.6.4

[nielsdrost7]

Summary by CodeRabbit

• New Features

  • Added password reset rate limiting (IP and email-based) with configuration options.
  • Added bot detection for enhanced password reset security.

• Bug Fixes

  • Improved file download safety and path validation.
  • Enhanced redirect validation to prevent unsafe redirects.
  • Better error handling for PDF generation.

• Security

  • Implemented input validation for e-invoicing configurations.
  • Converted SQL queries to parameterized bindings to prevent injection.
  • Added filename sanitization for uploads and downloads.

• Chores

  • Added password reset rate limiting configuration settings.
  • Updated attachment download routing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

This PR fortifies security across multiple domains: XML config validation prevents path traversal in e-invoicing workflows; password reset implements rate limiting with bot detection and secure redirects; file retrieval gains path traversal safeguards; SQL queries transition to parameterized bindings; and language strings support new validation and logging scenarios.

Changes

Cohort / File(s)	Summary
XML Config Validation application/helpers/e-invoice_helper.php, application/helpers/pdf_helper.php, application/modules/clients/models/Mdl_clients.php	Adds is_valid_xml_config_id() function to validate XML IDs against path traversal and invalid characters. Applied in generate_xml_invoice_file(), get_xml_template_files(), get_xml_full_name(), and PDF helper to reject invalid configs with error logging. Client model adds validate_einvoicing_version() callback rule for form validation.
Password Reset Security application/modules/sessions/controllers/Sessions.php, ipconfig.php.example	Introduces IP-based and email-based rate limiting for password reset with bot detection via _is_ip_rate_limited_password_reset(), _is_email_rate_limited_password_reset(), _is_bot_request(), and _record_*_attempt() methods. Adds safe referer handling via _get_safe_referer(). New config keys: PASSWORD_RESET_IP_MAX_ATTEMPTS, PASSWORD_RESET_IP_WINDOW_MINUTES, PASSWORD_RESET_EMAIL_MAX_ATTEMPTS, PASSWORD_RESET_EMAIL_WINDOW_HOURS.
File Path Traversal Prevention application/modules/guest/controllers/Get.php, application/modules/upload/controllers/Upload.php	Get.php validates filenames against path traversal patterns (../, leading slash) via realpath verification and basename sanitization before file operations. Upload.php adds sanitize_file_name() helper to strip dangerous sequences and enforce empty filename rejection.
Secure Redirect & Referer Handling application/helpers/mailer_helper.php, application/modules/sessions/controllers/Sessions.php	Mailer helper's check_mail_errors() restricts HTTP_REFERER redirect to same-domain URLs, falling back to site base URL. Sessions controller replaces direct referer usage with safe validation helper across post-auth and password-reset flows.
Parameterized Query Migration application/modules/guest/controllers/View.php, application/modules/upload/models/Mdl_uploads.php	View.php's get_attachments() converts string-interpolated url_key to parameterized binding. Mdl_uploads.php's get_quote_uploads() and get_invoice_uploads() adopt parameterized queries for URL key parameter.
Error Handling & PDF Generation application/helpers/mpdf_helper.php	Wraps WriteHTML call in try-catch to log errors and display via show_error() instead of uncaught exception. Adds 'footer' HTML footer definition alongside existing page-number and default footers.
Data Normalization application/modules/reports/models/Mdl_reports.php	Normalizes minQuantity and maxQuantity to integers; normalizes empty from_date and to_date to current date; applies explicit int casting or escaping in WHERE clauses.
Attachment Route Updates application/views/invoice_templates/public/InvoicePlane_Web.php, application/views/quote_templates/public/InvoicePlane_Web.php	Changes attachment download endpoint from guest/get/attachment/{fullname} to guest/get/get_file/{fullname}.
Language & Configuration application/language/english/ip_lang.php	Adds 15 new language keys for e-invoicing validation, password reset rate limiting, security logging, and bot detection messages.
Template & Formatting Fixes application/views/invoice_templates/pdf/InvoicePlane.php, application/modules/invoices/views/view.php	PDF template fixes unclosed div and adjusts spacing for $invoice_mode operator. Invoice view applies minor formatting to if-block closing brace.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Sessions as Sessions Controller
    participant RateLimiter as Rate Limiter
    participant BotDetector as Bot Detector
    participant Auth as Auth System
    participant Email as Email Service

    User->>Sessions: POST /reset password form
    Sessions->>BotDetector: _is_bot_request()
    alt Bot Detected
        BotDetector-->>Sessions: true
        Sessions->>User: Redirect to login (bot mitigation)
    else Human Request
        BotDetector-->>Sessions: false
        Sessions->>RateLimiter: _is_ip_rate_limited_password_reset()
        alt IP Rate Limited
            RateLimiter-->>Sessions: true
            Sessions->>User: Show error + Redirect
        else IP Not Limited
            RateLimiter-->>Sessions: false
            Sessions->>Sessions: Validate email format
            alt Invalid Email
                Sessions->>User: Log error + Redirect to login
            else Valid Email
                Sessions->>RateLimiter: _is_email_rate_limited_password_reset(email)
                alt Email Rate Limited
                    RateLimiter-->>Sessions: true
                    Sessions->>User: Show uniform success msg + Redirect
                else Email Not Limited
                    RateLimiter-->>Sessions: false
                    Sessions->>Auth: Query user by email
                    alt User Exists
                        Auth-->>Sessions: User found
                        Sessions->>Sessions: Generate & store reset token
                        Sessions->>Email: Send password reset link
                        Email-->>User: Reset email
                        Sessions->>RateLimiter: _record_password_reset_attempt()
                        Sessions->>RateLimiter: _record_email_password_reset_attempt(email)
                    else User Not Found
                        Auth-->>Sessions: No user
                    end
                    Sessions->>User: Show uniform success msg + Redirect
                end
            end
        end
    end

Loading

sequenceDiagram
    participant Client
    participant FileController as File Controller (Get.php)
    participant PathValidator as Path Validator
    participant FileSystem as File System

    Client->>FileController: GET /guest/get/get_file/{filename}
    FileController->>FileController: Validate filename not empty
    alt Empty Filename
        FileController->>Client: 400 Bad Request
    end
    
    FileController->>PathValidator: Check for traversal patterns (.., /, \, null)
    alt Traversal Detected
        PathValidator-->>FileController: Invalid
        FileController->>Client: 400 Bad Request
    else Valid Filename
        PathValidator-->>FileController: Safe
        FileController->>FileController: basename(filename) → safeFilename
        FileController->>FileSystem: realpath(targetPath + safeFilename)
        alt Realpath Outside Base
            FileSystem-->>FileController: Path verification fails
            FileController->>Client: 403 Forbidden
        else Realpath Within Base
            FileSystem-->>FileController: realFile verified
            FileController->>FileSystem: readfile(realFile)
            FileSystem-->>Client: File content with headers
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

• Sessions.php password-reset overhaul: Multiple security layers (bot detection, IP/email rate limiting, secure redirects, uniform responses) introduce dense conditional logic requiring careful verification of bypass prevention and timing attack resistance.
• File path traversal fixes: Get.php and Upload.php sanitization logic must be reviewed for edge cases (symlinks, encoded traversal, realpath behavior on different filesystems).
• XML validation reuse: Ensure is_valid_xml_config_id() is correctly applied across all entry points (e-invoice_helper, pdf_helper, client validation) with consistent error handling.
• SQL injection prevention: Confirm parameterized query conversions in View.php and Mdl_uploads.php use correct binding syntax and don't introduce query structure errors.
• Rate limiting implementation: Verify timestamp-based windows and attempt counters prevent race conditions and account for clock skew; check cache/session storage reliability.

Poem

🐰 Hop through XML forests safe and sound,
No traversal tricks on hallowed ground!
Rate-limit bots before they trespass near,
Secure redirects keep us crystal clear. 🔐
Files and queries, now sanitized with care,
CodeRabbit's warren is fortress fair! ✨

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch prep/v164

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 62434db and 2255ee3.

📒 Files selected for processing (17)

• application/helpers/e-invoice_helper.php (4 hunks)
• application/helpers/mailer_helper.php (1 hunks)
• application/helpers/mpdf_helper.php (2 hunks)
• application/helpers/pdf_helper.php (1 hunks)
• application/language/english/ip_lang.php (2 hunks)
• application/modules/clients/models/Mdl_clients.php (2 hunks)
• application/modules/guest/controllers/Get.php (1 hunks)
• application/modules/guest/controllers/View.php (1 hunks)
• application/modules/invoices/views/view.php (1 hunks)
• application/modules/reports/models/Mdl_reports.php (4 hunks)
• application/modules/sessions/controllers/Sessions.php (8 hunks)
• application/modules/upload/controllers/Upload.php (2 hunks)
• application/modules/upload/models/Mdl_uploads.php (2 hunks)
• application/views/invoice_templates/pdf/InvoicePlane.php (2 hunks)
• application/views/invoice_templates/public/InvoicePlane_Web.php (1 hunks)
• application/views/quote_templates/public/InvoicePlane_Web.php (1 hunks)
• ipconfig.php.example (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}