Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0

[Copilot]

Fix Local File Inclusion (LFI) Vulnerability in InvoicePlane 1.7.0

Plan

• Create helper function to validate template names against allowed templates
• Update View.php controller to validate public_invoice_template before loading
• Update View.php controller to validate public_quote_template before loading
• Add unit tests for template validation
• Run existing tests to ensure no regressions
• Improve logging for better security monitoring
• Perform security scan and code review
• Search for additional LFI vulnerabilities in codebase
• Fix PDF template LFI vulnerabilities in all controllers
• Address code review feedback
• Fix missing helper load and validate all template parameters
• Re-apply invoice_template validation after code review changes

Summary

This PR fixes 8 critical Local File Inclusion (LFI) vulnerabilities (CVSS 9.1, CWE-98) in InvoicePlane 1.7.0 where template settings and URL parameters could be exploited to include arbitrary PHP files from the filesystem, potentially leading to Remote Code Execution.

Vulnerabilities Fixed

Original Vulnerabilities (2)

1. Public invoice template - application/modules/guest/controllers/View.php invoice() method
2. Public quote template - application/modules/guest/controllers/View.php quote() method

Additional Vulnerabilities Discovered (6)

3. Guest invoice PDF - application/modules/guest/controllers/View.php generate_invoice_pdf()
4. Guest quote PDF - application/modules/guest/controllers/View.php generate_quote_pdf()
5. Guest invoices PDF - application/modules/guest/controllers/Invoices.php generate_pdf()
6. Guest quotes PDF - application/modules/guest/controllers/Quotes.php generate_pdf()
7. Admin invoices PDF - application/modules/invoices/controllers/Invoices.php generate_pdf()
8. Admin quotes PDF - application/modules/quotes/controllers/Quotes.php generate_pdf()

Changes Made

1. Added validation functions in application/helpers/template_helper.php:

   • validate_template_name() - Core validation with whitelist checking
   • validate_pdf_template() - PDF-specific validation with defaults

2. Enhanced existing functions:

   • select_pdf_invoice_template() - Now validates settings before use
   • generate_invoice_pdf() - Now validates ALL template parameters (settings and URL)
   • generate_quote_pdf() - Now validates ALL template parameters (settings and URL)

3. Updated 5 controllers to validate PDF template parameters:

   • Guest View controller (public and PDF generation)
   • Guest Invoices controller
   • Guest Quotes controller
   • Admin Invoices controller
   • Admin Quotes controller

4. Fixed code review issues:

   • Added missing template helper load in quote() method
   • Moved validation outside conditional blocks to ensure all parameters are validated
   • Enhanced validation to cover both settings and URL parameter sources
   • Re-applied invoice_template validation to match quote_template security pattern

Security Controls Implemented

✓ Empty input rejection
✓ Path traversal prevention (../, /, , \0)
✓ Character whitelist validation
✓ Template whitelist validation
✓ Secure default fallback
✓ Comprehensive security logging
✓ URL parameter validation
✓ Database setting validation
✓ All template sources validated (no bypass paths)
✓ Consistent security pattern for both invoice and quote templates

Testing

✓ All unit tests pass (9/9)
✓ All integration tests pass (7/7)
✓ No PHP syntax errors
✓ Code review completed and feedback addressed
✓ No new vulnerabilities introduced

All 8 LFI Vulnerabilities: FIXED ✓

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Summary by CodeRabbit

• Bug Fixes
  • Improved validation of template selections for invoices and quotes with automatic fallback to safe defaults when invalid templates are detected.
  • Added error logging for invalid template configurations to assist with troubleshooting.

[nielsdrost7]

@copilot

Make 1 PR per vulnerability

Security Vulnerability Report: InvoicePlane 1.7.0Remote Code Execution via Local File Inclusion + Log PoisoningReport Date: January 31, 2026Product: InvoicePlaneAffected Version: 1.7.0 (and likely prior versions)Severity: Critical (CVSS 3.1: 9.1)CWE IDs: CWE-98 (LFI), CWE-117 (Log Injection), CWE-94 (Code Injection)Executive SummaryA critical vulnerability chain was discovered in InvoicePlane 1.7.0 that allows an authenticated administratorto achieve Remote Code Execution (RCE) on the underlying server. The attack combines two vulnerabilities:1. Local File Inclusion (LFI) - The public invoice template setting accepts arbitrary file paths withoutvalidation, allowing inclusion of files outside the intended template directory.2. Log Poisoning - User-controlled input (upload filename) is written to application log files withoutsanitization, allowing injection of malicious PHP code.When chained together, these vulnerabilities allow complete server compromise with the privileges of the webserver user.Vulnerability DetailsVulnerability 1: Local File Inclusion (LFI)Attribute ValueLocation application/modules/guest/controllers/View.phpAffected Lines 85, 191Parameter public_invoice_template (database setting)CWE CWE-98: Improper Control of Filename for Include/Require StatementVulnerable Code// Line 85$this->load->view('invoice_templates/public/' .get_setting('public_invoice_template') . '.php', $data);// Line 191$this->load->view('quote_templates/public/' .get_setting('public_quote_template') . '.php', $data);/SECURITYREPORT.md _2026-01-31DescriptionThe public_invoice_template and public_quote_template settings are retrieved from thedatabase and directly concatenated into file paths for PHP's include() function (via CodeIgniter's viewloader). There is no validation to ensure:The path does not contain directory traversal sequences (../)The path points to an existing, legitimate template fileThe path remains within the intended template directoryAn administrator can modify these settings via the Settings page to include arbitrary PHP files from anywhereon the filesystem (within the .php extension constraint).Vulnerability 2: Log Poisoning via Upload FilenameAttribute ValueLocation application/modules/upload/controllers/Upload.phpAffected Lines 178-184Parameter Upload filename (HTTP multipart form data)CWE CWE-117: Improper Output Neutralization for LogsVulnerable Codeprivate function sanitize_file_name(string $filename): string{ if (str_contains($filename, '..')|| str_contains($filename, '/')|| str_contains($filename, '')|| str_contains($filename, "\0")) {log_message('error', 'Path traversal attempt detected in filename:' . $filename); }return '';}// ...DescriptionWhen a file upload contains path traversal characters (..), the application logs the entire filename withoutany sanitization. Since:1. The attacker controls the filename via HTTP request2. The filename is written directly to the log file3. Log files in CodeIgniter use .php extension (log-YYYY-MM-DD.php)/SECURITYREPORT.md _4. Log files contain a BASEPATH check that passes when included via CodeIgniterAn attacker can inject arbitrary PHP code into the log file by including PHP tags in the filename.2026-01-31Attack ChainPrerequisitesRequirement Access LevelLog Poisoning Authenticated user (any role with upload access)LFI Exploitation Administrator accountRCE Trigger Unauthenticated (public invoice URL)Step-by-Step ExploitationStep 1: Log PoisoningInject PHP code into log file via malicious upload filename:POST /index.php/upload/upload_file/1/testkey HTTP/1.1Host: target.comCookie: ip_session=<session_cookie>Content-Type: multipart/form-data; boundary=----Boundary------BoundaryContent-Disposition: form-data; name="file"; filename="...jpg"Content-Type: image/jpeg------Boundary--Result in log file:ERROR - 2026-01-30 22:30:00 --> Path traversal attempt detected infilename: ...jpgStep 2: Configure LFIModify the template setting to point to the log file:POST /index.php/settings HTTP/1.1Host: target.comCookie: ip_session=<admin_session>/SECURITYREPORT.md _Content-Type: multipart/form-data; boundary=----Boundary2026-01-31------BoundaryContent-Disposition: form-data; name="settings[public_invoice_template]"../../../logs/log-2026-01-30------Boundary--Step 3: Trigger RCEAccess any public invoice URL with command parameter:GET /index.php/guest/view/invoice/<invoice_url_key>?1=id HTTP/1.1Host: target.comResponse contains command output:uid=1000(www-data) gid=1000(www-data) groups=1000(www-data)Proof of ConceptPath Traversal PayloadThe following payload was used in the public_invoice_template setting to include the log file:../../../logs/log-2026-01-30This traverses from application/views/invoice_templates/public/ to application/logs/ andincludes the poisoned log file (CodeIgniter automatically appends .php).Log File After PoisoningERROR - 2026-01-30 22:30:00 --> Path traversal attempt detected infilename: ...jpgCommand Execution EvidenceRequest:/SECURITYREPORT.md _2026-01-31GET /index.php/guest/view/invoice/hmG0nJe6yADPolQNXzR1kLbuqYOKsZB7?1=idResponse (in page source):Path traversal attempt detected in filename: ..uid=1000(www-data)gid=1000(www-data) groups=1000(www-data)ScreenshotsFigure 1: Modifying the public_invoice_template setting via Burp Suite (in /settings endpoint) toinclude a path traversal payload pointing to the application log file./SECURITYREPORT.md _2026-01-31Figure 2: Navigating to the invoice attachment upload functionality to initiate log poisoning.Figure 3: Injecting PHP code via the filename parameter. The malicious filename ...jpg triggers path traversal detection and is written to the log file./SECURITYREPORT.md _2026-01-31Figure 4: The application log file showing the injected PHP payload written to the log entry.Figure 5: Achieving Remote Code Execution by visiting the public invoice URL with the ?1=id parameter,demonstrating arbitrary command execution.Figure 6: Establishing a reverse shell connection, confirming full system compromise.Impact AssessmentConfidentiality Impact: HIGHFull read access to all files accessible by web server userDatabase credentials exposureCustomer data exposure (invoices, client information, payment details)/SECURITYREPORT.md _Integrity Impact: HIGHArbitrary file write capabilityDatabase modificationWeb shell installationWebsite defacementAvailability Impact: HIGHDenial of service through file deletionRansomware deploymentSystem destructionBusiness ImpactComplete compromise of financial dataRegulatory violations (GDPR, PCI-DSS if payment data involved)Reputational damageLegal liability2026-01-31Affected ComponentsFile Vulnerabilityapplication/modules/guest/controllers/View.php:85 LFI - Invoice templateapplication/modules/guest/controllers/View.php:191 LFI - Quote templateapplication/modules/upload/controllers/Upload.php:182 Log Poisoningapplication/modules/settings/controllers/Settings.phpNo validation on templatesettingCVSS 3.1 Score CalculationMetric Value JustificationAttack Vector Network Exploitable over HTTPAttack Complexity Low No special conditions requiredPrivileges Required High Admin access needed for LFIUser Interaction None No victim interaction neededScope Changed Escapes web application to compromise underlying OSConfidentiality High Full file system accessIntegrity High Arbitrary code executionAvailability High Complete system compromise possible/SECURITYREPORT.md _2026-01-31CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Score: 9.1 (Critical)TimelineDate Action2026-01-30 Vulnerability discovered2026-01-31 Proof of concept developed2026-01-31 Vendor notified2026-XX-XX Vendor acknowledgment2026-XX-XX Patch released2026-XX-XX Public disclosureReferencesCWE-98: Improper Control of Filename for Include/Require StatementCWE-117: Improper Output Neutralization for LogsCWE-94: Improper Control of Generation of CodeOWASP: Log InjectionOWASP: Path TraversalCreditsD

[Copilot]

@copilot

Make 1 PR per vulnerability
...

Understood. I'll focus this PR on fixing the Local File Inclusion (LFI) vulnerability only. I'll address the template path validation in View.php (lines 86 and 192) to prevent arbitrary file inclusion. The Log Poisoning vulnerability should be addressed in a separate PR.

[nielsdrost7]

@copilot see if there are other Local File Inclusion Vulnerabilities in the InvoicePlane codebase

[Copilot]

@copilot see if there are other Local File Inclusion Vulnerabilities in the InvoicePlane codebase

I found and fixed 6 additional LFI vulnerabilities in the codebase (commit 5949a6c):

PDF Template URL Parameters (6 vulnerable endpoints):

• Guest View controller: generate_invoice_pdf() and generate_quote_pdf() - accept template names from URL
• Guest Invoices/Quotes controllers: generate_pdf() - accept template names from URL
• Admin Invoices/Quotes controllers: generate_pdf() - accept template names from URL

PDF Template Settings (2 vulnerable functions):

• select_pdf_invoice_template() - used unvalidated settings
• generate_quote_pdf() - used unvalidated settings

All vulnerabilities have been fixed with:

• New validate_pdf_template() function for PDF-specific validation
• Validation added to all 6 controllers
• Settings validation in helper functions
• Secure fallback to default templates

The original 2 vulnerabilities plus these 6 new ones = 8 total LFI vulnerabilities fixed in this PR.

[nielsdrost7]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

📝 Walkthrough

Walkthrough

This PR introduces input validation for PDF template names across the application to prevent Local File Inclusion vulnerabilities. New validation helper functions are added to template_helper.php, and multiple controllers and helpers are updated to validate template names before use, with fallback to safe defaults when validation fails.

Changes

Cohort / File(s)	Summary
Template Validation Helpers application/helpers/template_helper.php	Added validate_template_name() to sanitize and whitelist template names, and validate_pdf_template() to centralize PDF template validation with safe default fallback. Updated select_pdf_invoice_template() to validate templates before returning.
PDF Generation Helper application/helpers/pdf_helper.php	Updated generate_quote_pdf() to validate quote template names using the new validation helper and fall back to 'InvoicePlane' default on invalid input.
Guest Module Controllers application/modules/guest/controllers/Invoices.php, application/modules/guest/controllers/Quotes.php, application/modules/guest/controllers/View.php	Added template helper loading and validation checks for invoice/quote templates in PDF generation and view rendering paths. Invoices and Quotes validate templates conditionally when provided; View applies validation to both public invoice and quote templates with fallback defaults.
Authenticated Module Controllers application/modules/invoices/controllers/Invoices.php, application/modules/quotes/controllers/Quotes.php	Added template helper loading and conditional validation of invoice/quote templates before PDF generation to prevent unsafe template usage.

Sequence Diagram

sequenceDiagram
    participant Client as Client/Controller
    participant Helper as PDF/Template Helper
    participant Validator as Validation Logic
    participant FileSystem as File System
    participant Log as Error Log

    rect rgba(100, 150, 200, 0.5)
    Note over Client,Log: Before: Direct Template Usage (Vulnerable)
    Client->>Helper: generate_pdf(template)
    Helper->>FileSystem: load(template)
    FileSystem-->>Helper: file content
    Helper-->>Client: PDF
    end

    rect rgba(200, 100, 100, 0.5)
    Note over Client,Log: After: Validated Template with Fallback
    Client->>Helper: generate_pdf(template)
    Helper->>Validator: validate_pdf_template(template)
    alt Template Valid
        Validator-->>Helper: validated_template
    else Template Invalid
        Validator->>Log: log error
        Validator-->>Helper: safe_default (InvoicePlane)
    end
    Helper->>FileSystem: load(validated_template)
    FileSystem-->>Helper: file content
    Helper-->>Client: PDF
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Prep: v1.6.4 #1354: Both PRs add input-validation guards in the PDF generation path (pdf_helper.php) to prevent unsafe file includes—one validates PDF template names, the other validates e-invoice XML config IDs.

Suggested reviewers

• naui95

Poem

🐰 Templates dancing, now with guards,
No more sneaking through the yards!
Validation chains keep files tight,
Whitelists defend with all their might.
Safe defaults hop when risks abound,
Security's footprints all around! 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately describes the main change: fixing Local File Inclusion (LFI) vulnerabilities. It is specific, concise, and directly relates to the comprehensive security improvements implemented across the codebase.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nielsdrost7]

@copilot could you make that PR for the Log Poisoning vulnerability?

[Copilot]

@copilot could you make that PR for the Log Poisoning vulnerability?

I cannot create new PRs or branches directly. However, I can help you fix the Log Poisoning vulnerability once you create a new branch for it.

The vulnerability is in application/modules/upload/controllers/Upload.php at lines 178-184 where filenames are logged without sanitization. The fix would involve:

1. Sanitizing log messages to prevent PHP code injection
2. Either hashing sensitive input before logging or escaping PHP tags
3. Updating the sanitize_file_name() method's logging to use safe output

Would you like me to create the fix on a new branch if you create one, or would you prefer detailed instructions for the fix?

[Copilot]

Pull request overview

This PR addresses 8 critical Local File Inclusion (LFI) vulnerabilities (CVSS 9.1, CWE-98) in InvoicePlane 1.7.0. The vulnerabilities existed where template settings and URL parameters could be exploited to include arbitrary PHP files from the filesystem.

Changes:

• Added comprehensive validation functions (validate_template_name() and validate_pdf_template()) in template_helper.php with multiple security layers including path traversal prevention, character whitelisting, and template whitelisting
• Updated 6 controller methods across guest and admin modules to validate PDF template parameters from URLs before use
• Enhanced template selection function (select_pdf_invoice_template()) to validate templates retrieved from database settings
• Added validation in pdf_helper.php for quote templates loaded from settings

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
application/helpers/template_helper.php	Added validate_template_name() and validate_pdf_template() functions with multi-layer security controls; enhanced select_pdf_invoice_template() to validate templates from settings
application/helpers/pdf_helper.php	Added validation for quote templates retrieved from settings in generate_quote_pdf()
application/modules/guest/controllers/View.php	Added validation for public invoice/quote templates and PDF generation from URL parameters
application/modules/guest/controllers/Invoices.php	Added validation for PDF template parameters in generate_pdf()
application/modules/guest/controllers/Quotes.php	Added validation for PDF template parameters in generate_pdf()
application/modules/invoices/controllers/Invoices.php	Added validation for PDF template parameters in admin generate_pdf()
application/modules/quotes/controllers/Quotes.php	Added validation for PDF template parameters in admin generate_pdf()

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[nielsdrost7]

@copilot I think you repaired quote_template, but how about invoice_template, can you repair that as well?

[Copilot]

@copilot I think you repaired quote_template, but how about invoice_template, can you repair that as well?

Fixed in commit 80e3820. Added validation for invoice_template parameters in generate_invoice_pdf() to match the fix for quote_template. Now both functions validate templates from all sources (settings and URL parameters).

[nielsdrost7]

@copilot I think you repaired quote_template, but how about invoice_template, can you repair that as well?

[Copilot]

@copilot I think you repaired quote_template, but how about invoice_template, can you repair that as well?

Fixed in commit b31423b. Added validation for invoice_template parameters in generate_invoice_pdf() to match the security pattern used for quote_template. Now both invoice and quote templates are validated when passed as URL parameters, preventing LFI bypass.