Skip to content

Fix XSS, SSRF, and missing session verification#1081

Merged
daveearley merged 6 commits intodevelopfrom
fix/security-xss-ssrf-session-verification
Mar 13, 2026
Merged

Fix XSS, SSRF, and missing session verification#1081
daveearley merged 6 commits intodevelopfrom
fix/security-xss-ssrf-session-verification

Conversation

@daveearley
Copy link
Contributor

@daveearley daveearley commented Mar 13, 2026

Summary

  • UpdateEventSettingsHandler: Fix null coalescing bug that bypassed HtmlPurifier on all non-null input for post_checkout_message, pre_checkout_message, email_footer_message, offline_payment_instructions, and online_event_connection_details
  • CompleteOrderHandler / TransitionOrderToOfflinePaymentHandler: Add session verification to match the existing pattern in GetOrderPublicHandler and AbandonOrderPublicHandler
  • CreateProductCategoryHandler / EditProductCategoryHandler: Add missing HtmlPurifier for category description field
  • NoInternalUrlRule: Fix IPv4-mapped IPv6 bypass (::ffff:127.0.0.1, ::ffff:169.254.169.254, etc.)
  • HtmlPurifierService: Return null instead of '' for null input to preserve nullable column semantics

Test plan

  • All 329 unit tests pass
  • New test testRejectsIpv4MappedIpv6Addresses covers the SSRF bypass
  • Existing CompleteOrderHandlerTest updated to include session mock

@daveearley
add plans to git ignore
e14b1b8
@daveearley
Merge branch 'develop' of github.com:HiEventsDev/hi.events into develop
fc0a154
@daveearley
Merge branch 'develop' of github.com:HiEventsDev/hi.events into develop
2ac5bf0
@daveearley
Merge branch 'develop' of github.com:HiEventsDev/hi.events into develop
10e342e
@daveearley
Merge branch 'develop' of github.com:HiEventsDev/hi.events into develop
ab2de8d
@daveearley
Fix XSS, SSRF, and missing session verification vulnerabilities
9278084 
- Fix broken null coalescing in UpdateEventSettingsHandler that prevented
  HtmlPurifier from ever running on non-null input
- Add session verification to CompleteOrderHandler and
  TransitionOrderToOfflinePaymentHandler to match the pattern used by
  GetOrderPublicHandler and AbandonOrderPublicHandler
- Add HtmlPurifier to CreateProductCategoryHandler and
  EditProductCategoryHandler for description field sanitization
- Fix IPv4-mapped IPv6 bypass in NoInternalUrlRule (e.g. ::ffff:127.0.0.1)
- Preserve null return from HtmlPurifierService::purify() for nullable fields
- Update tests
@daveearley daveearley merged commit f918718 into develop Mar 13, 2026
4 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Mar 13, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@daveearley