v1.56.0 - Rastaban (Security & correctness hardening, second wave.)

@MichaelSowah MichaelSowah released this 13 Jun 15:37
5789165

v1.56.0 — Rastaban

Security & correctness hardening, second wave. The June 2026 review continues
across the runtime's remaining sensitive surfaces. Mostly fixes — but several change
defaults or add config/env vars, so this ships as a minor. Read the Upgrade Notes
before deploying.

Highlights

Queue & scheduler payloads are signed and gated. Persisted database/Redis queue
payloads and scheduled-job envelopes are HMAC-signed (handler class + parameters,
plus the row's name and cron schedule) and verified before a handler is resolved or
run. Stored handler classes must now implement JobInterface to be instantiated, so
writing a class name into a queue/scheduler backend can no longer trigger an arbitrary
constructor. The remaining native unserialize() cache sinks (MemcachedCacheDriver,
FileNode, CacheMaintenanceTask) now route through SecureSerializer.
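
The verify-then-resolve order described above, as an added example rather than Glueful's own code. The local JobInterface stand-in, the JSON canonical form, the row field names and the signing key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Stand-in for the framework's JobInterface (assumption: the real namespace and methods differ).
interface JobInterface { public function handle(array $params): string; }

final class SendReport implements JobInterface {
    public function handle(array $params): string { return 'report for ' . $params['user']; }
}

// Constructed key for the demo; a real deployment would derive it from APP_KEY.
const SIGNING_KEY = 'constructed-demo-key-not-a-real-secret';

// Bytes covered by the MAC: handler class, parameters, row name, cron schedule.
function canonical(array $row): string {
    return json_encode(
        [$row['handler'], $row['params'], $row['name'], $row['schedule']],
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES
    );
}

function signRow(array $row): array {
    $row['sig'] = hash_hmac('sha256', canonical($row), SIGNING_KEY);
    return $row;
}

// Verify the MAC first, then check the type, and only then instantiate.
function runRow(array $row): string {
    $sig = $row['sig'] ?? '';
    if (!is_string($sig) || !hash_equals(hash_hmac('sha256', canonical($row), SIGNING_KEY), $sig)) {
        return 'rejected: bad or missing signature';
    }
    // is_subclass_of() on a class-name string inspects the class without constructing it.
    if (!is_subclass_of($row['handler'], JobInterface::class)) {
        return 'rejected: handler is not a JobInterface';
    }
    return (new $row['handler']())->handle($row['params']);
}

// Constructed sample rows.
$good = signRow(['handler' => SendReport::class, 'params' => ['user' => 'alice'], 'name' => 'daily', 'schedule' => '0 6 * * *']);
$edited = ['handler' => 'ArrayObject'] + $good; // class name rewritten in the backend, old signature kept
$wrongType = signRow(['handler' => 'ArrayObject', 'params' => [], 'name' => 'x', 'schedule' => '* * * * *']);

foreach (['good' => $good, 'edited' => $edited, 'wrongType' => $wrongType] as $label => $row) {
    echo $label, ': ', runRow($row), PHP_EOL;
}
```

The third row shows why the interface check is kept even with signing on: a validly signed row naming a non-job class is still refused before any constructor runs.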

SSRF-safe HTTP and unified redaction. Client::safeRequest(), safeFetch(), and
safeRequestAsync() validate the scheme, resolve, and public-IP-pin every redirect
hop, and pin the validated DNS result to reduce rebinding exposure; webhook delivery
and external health checks use the safe path. Sensitive-parameter redaction is unified
in one SensitiveParamRedactor across request/response logging, exception reporting,
auth access logs, and the security-violation listener, and rate-limit cache keys hash
IP/identifier material.

Fail-closed defaults and JWT temporal claims. The standalone Glueful\Http\Cors
handler no longer defaults open, CORS_SUPPORTS_CREDENTIALS now defaults to false,
and wildcard-origin + credentials is refused at emit time. ImageSecurityValidator
defaults to an empty allow-list with external URLs disabled. JWTService::decode()
requires bounded exp/nbf/iat. File encryption moves to chunked authenticated
streaming and rejects all-zero keys; RequestProvider honors TRUSTED_PROXIES.

Upgrade Notes

  • CORS fails closed. Set CORS_ALLOWED_ORIGINS; set CORS_SUPPORTS_CREDENTIALS=true
    only if you genuinely need credentialed cross-origin requests.
  • Remote image fetching is opt-in. Configure image.security.allowed_domains or
    install/configure glueful/media.
  • Queue & scheduler payloads are signed by default (QUEUE_PAYLOAD_SIGNING /
    QUEUE_REQUIRE_SIGNED_PAYLOADS, inert without APP_KEY). Drain legacy unsigned rows
    with QUEUE_REQUIRE_SIGNED_PAYLOADS=false temporarily. Custom handlers must implement
    JobInterface.
  • JWT requires exp. Tokens without exp (or with expired/non-numeric exp, future
    nbf/iat) are rejected.
  • Memcached cache format changed — flush the cache when upgrading a Memcached-backed
    deployment.
  • Set TRUSTED_PROXIES behind a load balancer. New optional
    http.safe_fetch.max_redirects (default 3). No migrations.

    composer update glueful/framework

Full detail: CHANGELOG.md. Companion: glueful/api-skeleton v1.39.0.