Add CLAUDE.md memory file with comprehensive codebase analysis#49
Open
onetechgroupll wants to merge 23 commits into gerdriesselmann:master from
- Use CSPRNG (random_bytes) for token generation instead of mt_rand/uniqid
- Add allowed_classes restriction to all unserialize() calls to prevent object injection (core serialized fields, APCu/file/XCache/Sphinx caches)
- Escape backticks in MySQL escape_database_entity() to prevent SQL injection
- Fix host header injection by validating against configured domain
- Harden session security: add SameSite=Lax, strict mode, httponly defaults, remove deprecated session.bug_compat_42 setting
- Fix XSS in ConverterHtmlEx heading output (missing escape)
- Use timing-safe hash_equals() in MD5/SHA1 password hash checks
- Add bcrypt password hash implementation using password_hash/password_verify
- Restrict phpinfo() endpoint to test mode only
- Add security response headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy
https://claude.ai/code/session_01CgKaiM8rgChKCVabFePNu5
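The token, unserialize() and hash-comparison items above, shown side by side as an added PHP example (not Gyro-PHP's own code); the function names are hypothetical and the serialized input is constructed:

```php
<?php
declare(strict_types=1);

// Token generation: mt_rand()/uniqid() are predictable, random_bytes() is a CSPRNG.
function weak_token(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

function secure_token(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // 2 hex chars per byte
}

// unserialize(): without allowed_classes, attacker-controlled input can instantiate
// any loaded class (object injection). Pass false when only scalars/arrays are
// expected, or an explicit whitelist for a cache that legitimately stores objects,
// e.g. ['allowed_classes' => [CacheItem::class]] (CacheItem is hypothetical here).
function unserialize_safe(string $data, array|bool $allowed = false): mixed
{
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// Password hash check: == stops at the first differing byte (timing leak) and
// compares numeric-looking strings numerically; hash_equals() is constant-time.
function md5_check_weak(string $password, string $stored): bool
{
    return md5($password) == $stored;
}

function md5_check(string $password, string $stored): bool
{
    return hash_equals($stored, md5($password)); // known value first
}

// Constructed demo values
$token = secure_token();
assert(strlen($token) === 64 && ctype_xdigit($token));

// A serialized stdClass as untrusted input: with allowed_classes=false the object
// is not instantiated but rebuilt as __PHP_Incomplete_Class.
$untrusted = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
assert(unserialize_safe($untrusted) instanceof __PHP_Incomplete_Class);

// Arrays and scalars are unaffected by the restriction.
assert(unserialize_safe('a:1:{i:0;s:2:"ok";}') === ['ok']);

$stored = md5('correct horse');
assert(md5_check('correct horse', $stored) && !md5_check('wrong', $stored));
```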
- Add escapeshellarg() to all jcssmanager exec() calls (webpack, uglifyjs, postcss, csso, yui compressors) to prevent shell injection via file paths
- Remove debug echo of shell command in uglifyjs compressor
- Sanitize table names in deletedialog templates to prevent path traversal via get_table_name() in include paths
- Replace eval() with call_user_func() in punycode uctc.php converter
- Replace shell_exec('mkdir') with PHP native mkdir() in install script
- Replace md5(uniqid()) with random_bytes() in install precondition check
https://claude.ai/code/session_01CgKaiM8rgChKCVabFePNu5
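The escapeshellarg() and table-name items of this commit, as an added PHP example that is not the jcssmanager or deletedialog code itself; function names and paths are hypothetical, and the quoting shown assumes a POSIX shell (escapeshellarg() quotes differently on Windows):

```php
<?php
declare(strict_types=1);

// Interpolating a path into a command line lets spaces, quotes and shell
// metacharacters in a file name change the command. escapeshellarg() wraps the
// value in single quotes and escapes embedded single quotes.
function uglify_command_unsafe(string $src, string $dst): string
{
    return "uglifyjs $src -o $dst";
}

function uglify_command(string $src, string $dst): string
{
    return 'uglifyjs ' . escapeshellarg($src) . ' -o ' . escapeshellarg($dst);
}

// A table name that ends up in an include path must not be able to carry
// "/" or "..": accept identifier characters only and fail closed otherwise.
function safe_table_name(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException('Invalid table name');
    }
    return $name;
}

function deletedialog_template_path(string $templateDir, string $table): string
{
    return rtrim($templateDir, '/') . '/deletedialog/' . safe_table_name($table) . '.tpl.php';
}

// Constructed inputs: a file name containing a space and a quote
$src = "/var/www/js/user's file.js";
assert(uglify_command_unsafe($src, 'out.js') === "uglifyjs /var/www/js/user's file.js -o out.js");
assert(uglify_command($src, 'out.js') === "uglifyjs '/var/www/js/user'\\''s file.js' -o 'out.js'");

assert(deletedialog_template_path('/app/templates', 'users') === '/app/templates/deletedialog/users.tpl.php');
try {
    deletedialog_template_path('/app/templates', '../config');
    assert(false, 'traversal must be rejected');
} catch (InvalidArgumentException $e) {
    // expected: the name never reaches the include path
}
```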
- Fix reflected XSS in punycode example.php: escape $_SERVER['PHP_SELF'] and $_REQUEST['lang'] with htmlspecialchars()
- Fix wymeditor tidy plugin: add Content-Type header, fix deprecated get_magic_quotes_gpc() check, handle missing input
- Replace insecure rand() with random_int() for feed token generation in notifications settings
- Change directory creation permissions from 0777 to 0755 in install
https://claude.ai/code/session_01CgKaiM8rgChKCVabFePNu5
Contains full findings from security audit, architecture review, and code quality analysis including prioritized modernization roadmap. https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
…security headers

PHP 8.x fixes:
- Remove dead magic_quotes code (get_magic_quotes_gpc removed in PHP 8.0)
- Clean up E_STRICT / E_DEPRECATED error reporting for PHP 8.x
- Fix isset() on __toString to use method_exists() (PHP 8.2+ compat)

Password hashing:
- Add bcrypt hash algorithm using password_hash()/password_verify()
- Change default hash type from pas3p (PHPass 0.3) to bcryp (bcrypt cost 12)
- Fix timing attack in MD5/SHA1 hash comparison (== → hash_equals())
- Existing auto-upgrade in login flow migrates old hashes on next login

Security headers:
- Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Set with override=false so applications can customize defaults
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
Summary

CRITICAL: Replace insecure token generation (mt_rand/uniqid) with random_bytes(), fix insecure unserialize() in 6 files, fix command injection in 5 jcssmanager compressors via escapeshellarg()
HIGH: Fix SQL injection via backtick escaping in MySQL driver, host header injection validation, path traversal in deletedialog templates, replace eval() with call_user_func(), fix XSS in punycode example, add phpinfo access control
MEDIUM/LOW: Harden session security (SameSite, strict mode, httponly), add security response headers, fix timing attacks in hash comparison with hash_equals(), add bcrypt password hashing, replace rand() with random_int(), fix chmod 0777 to 0755

29 files changed across 17 vulnerability categories.

Test plan
- Verify token generation still produces valid tokens
- Test login/authentication flow with hash_equals changes
- Test session handling across browsers (SameSite cookie support)
- Verify jcssmanager asset compilation still works with escapeshellarg
- Test deletedialog templates render correctly
- Confirm security headers present in HTTP responses
- Verify phpinfo route returns 404 when not in TESTMODE
Composer & PHPUnit:
- Add composer.json with PHPUnit 10.5 as dev dependency
- Add phpunit.xml.dist with core/contributions test suites
- Add lightweight tests/bootstrap.php (loads core helpers without DB/session)
- Port 3 test classes from SimpleTest to PHPUnit (29 tests, 149 assertions): ArrayTest, StringTest, ValidationTest
- Fix ß→SS assertion for PHP 8.x mb_strtoupper behavior

Prepared Statements:
- Add execute_prepared() and query_prepared() to IDBDriver interface
- Implement in DBDriverMysql using mysqli prepared statements
- Auto-detect parameter types (int/float/string) via detect_param_types()
- No breaking changes: existing execute()/query() remain unchanged
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
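The prepared-statement design described above (placeholders plus automatic type detection), as an added PHP example; it is a hypothetical re-implementation of the same idea, not the DBDriverMysql code from the PR, and the mysqli call at the end assumes mysqlnd (for get_result()) and placeholder credentials:

```php
<?php
declare(strict_types=1);

// Map each parameter to a mysqli bind_param() type code: i (int), d (double), s (string).
function detect_param_types(array $params): string
{
    $types = '';
    foreach ($params as $p) {
        $types .= match (true) {
            is_int($p)   => 'i',
            is_float($p) => 'd',
            default      => 's', // strings, null and anything else are bound as strings
        };
    }
    return $types;
}

// Run a parameterised query. The SQL text with ? placeholders is sent separately
// from the values, so a value can never be parsed as SQL, whatever it contains.
function query_prepared(mysqli $db, string $sql, array $params): array
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if ($params !== []) {
        // bind_param() takes references; spreading a variable array satisfies that.
        $stmt->bind_param(detect_param_types($params), ...$params);
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Type detection can be checked without a database connection:
assert(detect_param_types([42, 3.14, 'alice', null]) === 'idss');
assert(detect_param_types([]) === '');

// Usage against a live server (credentials are placeholders, not real values):
// $db   = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $rows = query_prepared($db, 'SELECT id, name FROM users WHERE name = ? AND age > ?', ['alice', 18]);
```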
Session security:
- Add session.cookie_secure=1 when running over HTTPS
- Remove dead PHP < 7.3 setcookie() branch (requires PHP >= 8.0)
- Hardcode httponly=true in session cookie options

CSRF hardening:
- Use strict comparison (=== instead of ==) in FormHandler::validate()
- Reviewed: Token system already robust (random_bytes, session-bound, DB-backed, single-use tokens with expiration)

Input validation:
- Reviewed: Core uses PageData/TracedArray consistently, no raw $_POST/$_GET
- Only 3rd-party code (csstidy, wymeditor) has direct $_REQUEST access
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
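The session cookie settings from this commit and the earlier one (SameSite=Lax, strict mode, httponly, secure on HTTPS), shown as weak defaults beside the hardened form in an added PHP example that is not Gyro-PHP's own code; function names are hypothetical, and the token check goes one step beyond the commit's === by also using hash_equals():

```php
<?php
declare(strict_types=1);

// Defaults the commit replaces: cookie readable by JavaScript, sent on
// cross-site requests, sent over plain HTTP.
function session_options_weak(): array
{
    return ['httponly' => false, 'secure' => false, 'samesite' => null];
}

// Hardened options. Whether the request is HTTPS is decided by the caller.
function session_options(bool $is_https, string $domain = ''): array
{
    return [
        'lifetime' => 0,          // session cookie, not persisted on disk
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => $is_https,  // only sent over TLS when the site runs on HTTPS
        'httponly' => true,       // not readable via document.cookie
        'samesite' => 'Lax',      // not sent on cross-site POST requests
    ];
}

function configure_session(bool $is_https): void
{
    // Reject session ids the server did not issue (session fixation defence).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(session_options($is_https));
}

// CSRF token check: strict types (no loose == juggling) and constant-time compare.
function form_token_valid(?string $submitted, ?string $expected): bool
{
    if ($submitted === null || $expected === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$opts = session_options(true);
assert($opts['secure'] === true && $opts['httponly'] === true && $opts['samesite'] === 'Lax');
assert(session_options(false)['secure'] === false);
assert(form_token_valid('abc123', 'abc123'));
assert(!form_token_valid(null, 'abc123') && !form_token_valid('', '') && !form_token_valid('abc', 'abc123'));
```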
Add PHP 8.0+ type declarations (parameter types, return types, union types) to 5 interfaces and all 30+ implementations:
- IDBResultSet (3 impls), ISessionHandler (4 impls), IHashAlgorithm (6 impls), IConverter (12 impls), ICachePersister (5 impls)

Modernize Logger with PSR-3 compatible log levels, context interpolation, JSON output, exception support, and configurable minimum level while keeping the legacy log() method backwards compatible.
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
- Remove 3 dead modules: cache.xcache (dead since PHP 7), javascript.cleditor (abandoned), javascript.wymeditor (abandoned) - 123 files total
- Port 5 SimpleTest suites to PHPUnit: Url, Date, Common, Status, Html (66 tests, ~350 assertions)
- Add PHPDoc and return type declarations to ICacheItem and IConverter interfaces
- Update all 4 ICacheItem implementations with matching return types (DAOCache, FileCacheItem, ACPuCacheItem, MemcacheCacheItem)
- Update CLAUDE.md with Phase 5 progress
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
Documents the complete inventory of modern PHP feature usage (namespaces, typed properties, enums, attributes, etc.) and confirms the framework remains PHP 5.x style with selective PHP 7.0+ return type additions in core interfaces. https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
…lassmap, PHPStan
- Add PHP 7.4+ typed properties to 12 interface implementation classes (DBResultSet, DBResultSetMysql, DBResultSetSphinx, CacheFileImpl, CacheDBImpl, CacheItem classes, ConverterChain, ConverterHtmlTidy, ConverterUnidecode)
- Add DB::execute_prepared() and DB::query_prepared() static wrappers with query logging, matching existing DB::execute()/DB::query() API
- Configure Composer classmap autoload for gyro/core/ and contributions/
- Add PHPStan 1.12 as dev dependency with Level 1 config
- Update CLAUDE.md with Phase 6 documentation
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
…145 tests

Migrate test classes from SimpleTest to PHPUnit 10.5:
- Utility tests: ConverterHtml, ConverterHtmlEx, ConverterMimeHeader, HtmlString, Locale, PathStack, Header, RuntimeCache
- DB field tests: DBField, DBFieldInt, DBFieldText, DBFieldDate (incl. DateTime, Time)
- DB query tests: DBQuery, DBQuerySelect, DBQueryCount, DBQueryDelete, DBQueryInsert, DBQueryUpdate, DBQueryJoined, DBQuerySecondary, DBWhere, DBWhereGroup, DBJoinCondition
- Routing tests: ExactMatchRoute, ParameterizedRoute, RouteBase
- Other: DAO, DataObject, Referer, WidgetInput

Bootstrap updates:
- Load model base, fields, queries, sqlbuilder, constraints directories
- Load controller/routing, behaviour, view/widgets, model facade classes
- Register mock DB driver as default connection for isolated testing
- Load SimpleTest mock classes and test DAO models

Bug fix:
- Fix ConverterHtmlEx::decode() PHP 8.x type declaration compatibility

145 tests, 693 assertions, all passing.
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
…lasses

Port remaining SimpleTest tests:
- DBTest: SQL statement parser (extract_next_sql_statement)
- DBDriverMysqlTest: Driver initialization and entity escaping

New test classes for previously untested code:
- CastTest: int/float/string type conversion helpers
- TimerTest: Performance timer (seconds/milliseconds elapsed)
- DBExpressionTest: Raw SQL expression value object
- DBNullTest: NULL marker value object
- DBFieldRelationTest: Field relation mapping with reverse()
- TracedArrayTest: Array access tracking (get_item, has_unused, mark_all_as_used)
- RequestInfoTest: HTTP request metadata parsing (SSL, method, IP, headers, forwarding)
- DBFilterTest: Search filter base class
- DBFilterGroupTest: Filter group container with default/current selection
- GyroCookieConfigTest: Cookie configuration (to_array, expires, SameSite constants)

200 tests, 854 assertions, all passing.
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
…rs, and query helpers

New tests for DBFieldBool, DBFieldEnum, DBFieldFloat, DBFieldSerialized, DBFieldSet, ConverterCallback, ConverterChain, ConverterNone, DBSortColumn, DBCondition, DBFilterColumn. Bootstrap updated to load converter classes.

Total: 243 tests, 962 assertions.
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
…flict
- Add Env class (.env file loader) with auto-define of APP_* constants
- Integrate .env loading in start.php before constants.inc.php
- Add .env.example documenting all available APP_* variables
- Raise PHPStan from level 1 to level 2 with baseline (1262 known errors)
- Remove Composer classmap autoload (path conflict with Load::directories)
- Add EnvTest (11 tests) for the new Env loader
- Update CLAUDE.md with Phase 7 documentation and updated scorecard
- Total: 254 tests, 985 assertions, PHPStan level 2 clean
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
- Add missing $modificationdate property to DAOStudentsTest
- Add missing $url property to Url class (used by __sleep/__wakeup)
- Result: 254 tests, 985 assertions, 0 deprecations
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
- CHANGELOG.md: All changes across Phase 1-7 in reverse chronological order
- UPGRADING.md: Complete migration guide covering prerequisites, automatic changes (bcrypt, security headers, session), new features (.env, prepared statements, structured logging), breaking changes, and FAQ
- Update CLAUDE.md: Add doc references, fix test file count, mark deprecation warnings as resolved
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
Require CHANGELOG.md, UPGRADING.md, and CLAUDE.md to be updated with every code change going forward. https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b
New CLI tool for managing Gyro-PHP from the command line:
- bin/gyro: Entry point with CLI bootstrap (no HTTP context needed)
- model:list: Discover and list all DAO models with table names, fields, keys
- model:show: Show detailed schema for a model (fields, types, relations, CREATE TABLE SQL)
- db:sync: Compare model schema with actual DB, generate ALTER TABLE SQL (dry-run or execute)
- CLIKernel: Command routing, argument parsing, colored output
- CLITable: ASCII table renderer for formatted CLI output
- 33 new tests (287 total, 1066 assertions, all green)
- PHPStan clean (0 new errors)
https://claude.ai/code/session_015k8CpseHUWgtmK99Ax5Z3b