critical code review

[Copilot]

Pull Request Checklist

• My code follows the code formatting guidelines.
• I have tested my changes locally.
• I selected the appropriate branch for this PR.
• I have rebased my changes on top of the selected branch.
• I included relevant documentation updates if necessary.
• I have an accompanying issue ID for this pull request.

---

Description

Fixes 11 critical/high-severity vulnerabilities enabling path traversal attacks (../../passwd), local file inclusion, SQL injection, password reset abuse, and RBL blacklisting risks.

Vulnerabilities Fixed

Critical vulnerabilities (3):

• e-invoice_helper.php: Unsanitized database input in include statement
• pdf_helper.php: XML config ID used directly in file inclusion
• Library loading: No validation on library path construction

High-severity issues (4):

• SQL injection: Unparameterized query in guest attachments
• Path traversal: XML library name concatenation without validation
• Password reset: Broken rate limiting logic (line 202 always returned true)
• Email abuse/RBL risk: Emails sent to non-existent addresses (could blacklist server IP)

Medium-severity issues (4):

• Upload controller: Weak filename sanitization (only removed ..)
• File deletion: No sanitization on user-provided filename
• Password reset: No IP-based rate limiting (email enumeration possible)
• Password reset: Email enumeration vulnerability (different responses for existing/non-existing emails)

Key Changes

Input validation layer:

function is_valid_xml_config_id(string $xml_id): bool
{
    // Block path traversal
    if (str_contains($xml_id, '..') || str_contains($xml_id, '/') || 
        str_contains($xml_id, '\\') || str_contains($xml_id, "\0")) {
        return false;
    }
    
    // Whitelist safe characters
    if (!preg_match('/^[a-zA-Z0-9_-]+$/', $xml_id)) {
        return false;
    }
    
    // Verify realpath within expected directory
    $real_path = realpath(dirname(APPPATH . 'helpers/XMLconfigs/' . $xml_id . '.php'));
    return $real_path === realpath(APPPATH . 'helpers/XMLconfigs');
}

Applied to all XML config operations:

• Added validation in get_xml_full_name(), get_xml_template_files(), generate_xml_invoice_file()
• Model-level validation callback for client_einvoicing_version field

File operations hardening:

// Upload sanitization - before
$sanitizedFileName = preg_replace("/[^\p{L}\p{N}\s\-_''.]/u", '', mb_trim($filename));
return str_replace('..', '', $sanitizedFileName);

// Upload sanitization - after
$filename = basename($filename);
if (str_contains($filename, '..') || str_contains($filename, '/') || 
    str_contains($filename, '\\') || str_contains($filename, "\0")) {
    log_message('error', trans('path_traversal_attempt') . ': ' . $filename);
    return '';
}
$sanitizedFileName = preg_replace("/[^\p{L}\p{N}\s\-_''.]/u", '', mb_trim($filename));

SQL injection fix:

// Before (vulnerable)
$query = $this->db->query("SELECT ... WHERE url_key = '" . $url_key . "'");

// After (secure)
$query = $this->db->query("SELECT ... WHERE url_key = ?", [$url_key]);

Password reset security improvements (Session-based, configurable via ipconfig.php, with i18n support):

// Fixed broken rate limiting logic (line 202)
// Before: if ($recovery_result = $this->db->where('user_email', $email)) - always true
// After: Properly check if user exists before sending email

// Session-based IP rate limiting (configurable via ipconfig.php)
private function _is_ip_rate_limited_password_reset($max_attempts, $window_minutes)
{
    // Uses PHP sessions to track attempts
    // Configurable via PASSWORD_RESET_IP_MAX_ATTEMPTS and PASSWORD_RESET_IP_WINDOW_MINUTES
    // Prevents mass email enumeration attacks
    // No database migration required
    // All log messages use translation strings
}

// Session-based email rate limiting (configurable via ipconfig.php)
private function _is_email_rate_limited_password_reset($email, $max_attempts, $window_hours)
{
    // Uses PHP sessions to track attempts per email
    // Configurable via PASSWORD_RESET_EMAIL_MAX_ATTEMPTS and PASSWORD_RESET_EMAIL_WINDOW_HOURS
    // More strict than login attempts
    // All log messages use translation strings
}

// Critical RBL fix - only send emails to existing users
if ($user) {
    // User exists - send actual reset email
} else {
    // User doesn't exist - DO NOT send email (prevents RBL blacklisting)
    // Show same success message (prevent enumeration)
    // Log attempt for security monitoring using translation strings
}

Configuration settings (ipconfig.php):

PASSWORD_RESET_IP_MAX_ATTEMPTS=5
PASSWORD_RESET_IP_WINDOW_MINUTES=60
PASSWORD_RESET_EMAIL_MAX_ATTEMPTS=3
PASSWORD_RESET_EMAIL_WINDOW_HOURS=1

Security-focused logging with internationalization support:

• All rate limit violations logged only (no flash messages to prevent information disclosure)
• Invalid email formats logged silently
• All attempts tracked with IP addresses for forensic analysis
• All log messages use translation strings for internationalization support
• 11 new translation keys added to ip_lang.php for security log messages

Translation strings added:

• log_invalid_email_format - Invalid email format logging
• log_empty_email_submitted - Empty email logging
• log_password_reset_ip_rate_limit - IP rate limit exceeded
• log_password_reset_email_rate_limit - Email rate limit exceeded
• log_password_reset_nonexistent_email - Non-existent email attempt
• log_ip_rate_limit_check - IP rate limit check logging
• log_email_rate_limit_check - Email rate limit check logging
• log_invalid_xml_library_name - Invalid XML library name
• log_invalid_xml_config_id - Invalid XML config ID
• log_invalid_xml_config_id_get_full_name - Invalid XML config in helper
• log_invalid_xml_config_id_pdf_helper - Invalid XML config in PDF

Attack Vectors Tested & Blocked

• ../../etc/passwd, ..\..\windows\system.ini
• URL encoding: %2e%2e%2f
• Null byte injection: file.php%00.jpg
• SQL injection: ' OR '1'='1, '; DROP TABLE--
• Password reset enumeration: Multiple emails from same IP
• Password reset abuse: Multiple attempts for same email
• RBL abuse: Random/fake emails that could blacklist server

---

Related Issue(s)

Security audit request for path traversal and vulnerability scanning. Includes password reset rate limiting improvements, RBL prevention, configurable security settings, and internationalization support per review feedback.

---

Motivation and Context

Path traversal and LFI vulnerabilities allowed attackers to:

• Include arbitrary PHP files → information disclosure, potential RCE
• Access sensitive configuration files
• Manipulate database queries

The e-invoice functionality was particularly vulnerable due to user-controlled client_einvoicing_version field flowing directly into file inclusion operations without validation.

Password reset functionality had multiple critical security issues:

• Broken rate limiting logic (line 202 condition always true)
• No IP-based protection allowing unlimited enumeration attempts
• Email enumeration vulnerability revealing valid accounts
• RBL blacklisting risk: Server sent emails to non-existent addresses entered by bots
• Invalid email format not properly rejected
• User-facing error messages leaked information about rate limiting
• Hardcoded log messages prevented internationalization

These issues could result in:

• Server IP being blacklisted (RBL) due to sending emails to fake/non-existent addresses
• Email enumeration attacks revealing valid user accounts
• Unlimited password reset abuse from single IP
• Information disclosure through user-facing error messages
• Inability to translate security log messages for international deployments

---

Issue Type (Check one or more)

• Bugfix
• Improvement of an existing feature
• New feature

---

Screenshots (If Applicable)

N/A - Backend security fixes

---

Additional Notes

Files modified: 10 core files, 3 documentation files
Lines added: 560 security code, 898 documentation
Defense strategy: Multi-layer validation (input validation → sanitization → whitelisting → realpath verification) + configurable session-based rate limiting + security-focused logging with i18n support

Database changes:

• None required - Uses PHP sessions for rate limiting (no migration needed)

Configuration options added to ipconfig.php.example:

• PASSWORD_RESET_IP_MAX_ATTEMPTS - Default: 5 attempts per IP
• PASSWORD_RESET_IP_WINDOW_MINUTES - Default: 60 minutes
• PASSWORD_RESET_EMAIL_MAX_ATTEMPTS - Default: 3 attempts per email
• PASSWORD_RESET_EMAIL_WINDOW_HOURS - Default: 1 hour

Internationalization improvements:

• All security log messages converted to use translation strings via trans() function
• 11 new translation keys added to application/language/english/ip_lang.php
• Enables easy translation of security log messages for international deployments
• Maintains consistency with existing i18n practices in the codebase

Documentation:

• SECURITY_AUDIT_2025-11-09.md: Comprehensive vulnerability analysis
• SECURITY_SCAN_SUMMARY.md: Quick reference
• PASSWORD_RESET_SECURITY.md: Password reset security details (session-based, configurable approach)

Password reset improvements:

• Session-based rate limiting (no database schema changes required)
• Fully configurable via ipconfig.php settings for different deployment scenarios
• IP-based: Configurable attempts/time window (default: 5 per 60 minutes)
• Email-based: Configurable attempts/time window (default: 3 per hour)
• Critical: Emails ONLY sent to existing users (prevents RBL blacklisting)
• Security-focused logging: All violations logged silently, no user feedback to prevent enumeration
• Translation support: All log messages use translation strings for internationalization
• Invalid email format rejected silently with logging
• Email enumeration prevention: Same success message for all cases
• Enhanced logging with IP addresses for security monitoring and forensics
• Automatic cleanup of expired session attempts

Key advantages:

• No database migration required - all rate limiting uses native PHP sessions
• Fully configurable security settings via ipconfig.php
• Silent security logging prevents information disclosure
• Translation-ready log messages support international deployments
• Deployment immediate and simple while preventing server IP blacklisting
• Administrators can adjust security parameters based on their threat model
• Easy localization of security messages for different languages

All PHP files validated with php -l. No breaking changes to existing functionality.

---

Thank you for your contribution to InvoicePlane! We appreciate your time and effort.

Original prompt

Can you do a full security scan on this branch please?
focus on places where users can do ../../passwd or something like that and then suddenly show the users of a linux server.
But make the security scan full and complete
and find some answers to the security scan as well please?

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[nielsdrost7]

@copilot please also deal with the following:

https://github.com/InvoicePlane/InvoicePlane/blob/copilot/full-security-scan-request/application/modules/sessions/controllers/Sessions.php#L91

When you request a password reset you can keep sending different email addresses without being punished.

• Find a robust way to prevent that type of attack
• Find a robust way to improve dealing with requesting a password reset

[Copilot]

@copilot please also deal with the following:

https://github.com/InvoicePlane/InvoicePlane/blob/copilot/full-security-scan-request/application/modules/sessions/controllers/Sessions.php#L91

...

Fixed in commit e494813. The password reset function now has:

Robust rate limiting:

• IP-based: 5 attempts per hour (prevents email enumeration)
• Email-based: 3 attempts per reset window (reduced from 10)
• Separate tracking for password resets vs login attempts

Key improvements:

1. Fixed broken logic on line 202 (if ($recovery_result = $this->db->where...) always returned true)
2. Added _is_ip_rate_limited() method to prevent mass enumeration from single IP
3. Fixed email enumeration - same success message whether email exists or not
4. Enhanced _login_log_check(), _login_log_addfailure(), and _login_log_reset() to support different action types
5. Added database migration (040_1.6.4_security.sql) for IP tracking

User experience:

• Clear error messages when rate limited
• 1-hour cooldown for IP-based limits
• Comprehensive logging for security monitoring

See PASSWORD_RESET_SECURITY.md for full details.

[nielsdrost7]

@copilot see if it resolves the following:
This will just log but server still sends an email:

  if ( ! filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    log_message('error', 'Incoming email is not a valid email address in passwordreset ' . $email);
                    redirect('/');
                }

And this is preventing abuse of the server to send to one email address more than 10 emails but if you enter different ones (or fake ones that bot generates randomly) they all go through.

//prevent brute force attacks by counting password resets
            $login_log_check = $this->_login_log_check($email);
            if ( ! empty($login_log_check) && $login_log_check->log_count > 10) {
                redirect($_SERVER['HTTP_REFERER']);
            } else {
                //a password recovery attempt counts as failed login
                $this->_login_log_addfailure($email);
            }

and this:

The password reset link will send emails to whatever email the user enters in password reset field. The app shouldn’t send emails in a case user doesn’t exist after he clicks on reset password. Because a bot can go on website and start to abuse the form and server will send emails to non existent email addresses and eventually will end at RBL.

[Copilot]

@copilot see if it resolves the following:
This will just log but server still sends an email:

...

Fixed in commit 8d181ab. Key changes:

1. Invalid email format now rejected immediately - Changed redirect('/') to proper error handling with user feedback
2. IP-based rate limiting prevents bot abuse - Session-based tracking limits 5 attempts per IP per hour (no DB migration needed)
3. Emails ONLY sent to existing users - Non-existent emails show same success message but NO email is sent, preventing RBL blacklisting

The session-based approach (no database migration) tracks:

• IP attempts: 5 per hour
• Email attempts: 3 per hour
• Automatic cleanup of expired attempts

Non-existent email addresses now logged as: Password reset attempted for non-existent email: [email] from IP: [ip] for security monitoring.

[nielsdrost7]

@copilot make it a translation string instead please?

[Copilot]

@copilot make it a translation string instead please?

Done in 3ed8026. All log messages converted to translation strings. Added 11 new translation keys in ip_lang.php for internationalization support.