14 KiB
Security Fix Report - school_api
Executive Summary
- Assessment Date: 2026-06-04
- Reviewer: OpenAI GPT-5.5 Thinking
- Application: school_api
- Framework Observed: Laravel 12 (not CodeIgniter 4)
- Total Findings: 12
- Fixed Findings: 9
- Open Findings: 3
- Overall Risk Level: Medium after static fixes; High until real secrets are rotated and dynamic testing/dependency audit are completed
The uploaded verification plan was applied by category, but the codebase is Laravel 12 rather than CodeIgniter 4. Fixed items are documented with before/after evidence and verification notes. Dynamic testing and dependency advisory scanning remain open because the sandbox lacks Composer and the PHP mbstring extension required to boot Artisan.
Vulnerability Inventory
| ID | Severity | Category | Location | Status |
|---|---|---|---|---|
| SEC-001 | Critical | Secrets / Environment | .env; test.sql | Fixed |
| SEC-002 | High | CSRF / Session State Change | routes/web.php logout route | Fixed |
| SEC-003 | High | Brute Force / Abuse Controls | routes/api.php public auth, registration, invite, contact routes | Fixed |
| SEC-004 | High | File Upload Security | app/Services/Events/EventManagementService.php | Fixed |
| SEC-005 | High | File Upload Security | app/Services/Expenses/ExpenseReceiptService.php | Fixed |
| SEC-006 | Medium | File Upload Security | app/Services/BroadcastEmail/BroadcastEmailImageService.php | Fixed |
| SEC-007 | Medium | File Upload Security | PrintRequestsController; PrintRequestsPortalService | Fixed |
| SEC-008 | Medium | HTTP Security Headers / Content Sniffing | bootstrap/app.php; app/Http/Middleware/SecurityHeaders.php; FileServeService.php | Fixed |
| SEC-009 | Medium | SQL Injection Hardening | app/Models/User.php | Fixed |
| SEC-010 | Medium | Dependency Audit | composer.lock / environment | Open |
| SEC-011 | Medium | Dynamic Security Testing | Running application / OWASP ZAP | Open |
| SEC-012 | Low | Framework Scope Accuracy | security-verification-plan.md | Open |
Detailed Remediation Record
SEC-001 - Critical - Secrets / Environment
Finding: The archive shipped active-looking application, JWT, SMTP, database and PayPal credentials, plus production debug/local settings.
Risk: Credential exposure can enable account takeover, forged JWTs, SMTP abuse, payment-provider abuse, and easier exploitation through debug traces.
Location: .env; test.sql
Evidence: Static secret scan found APP_KEY, JWT_SECRET, Gmail app password, DB root/root, and PayPal client/secret values.
Remediation: Redacted shipped secrets to placeholders, changed production posture, enabled encrypted/secure session settings, and redacted PayPal credentials in test.sql.
Before: APP_DEBUG=true; MAIL_DEFAULT_PASS contained a Gmail app password; JWT_SECRET contained a live-looking HMAC secret; test.sql included PayPal secrets.
After: APP_DEBUG=false; secrets use CHANGE_ME placeholders; SESSION_ENCRYPT=true; SESSION_SECURE_COOKIE=true; PayPal values redacted.
Verification: Repeated static secret scan. Remaining matches are placeholders or framework config keys; no original Gmail/JWT/PayPal strings remained.
Result: Fixed in source archive. Real production credentials must still be rotated outside this codebase.
SEC-002 - High - CSRF / Session State Change
Finding: Browser-session logout used GET, a state-changing action vulnerable to CSRF-style forced logout and link/preload triggering.
Risk: An attacker could cause authenticated users to lose sessions through an image/link/preload request. Not catastrophic, but still sloppy. The web needed one less foot-gun.
Location: routes/web.php logout route
Evidence: Route::get('logout', ...) was registered under the web middleware group.
Remediation: Changed logout to POST so Laravel web CSRF protection applies.
Before: Route::get('logout', [AuthSessionController::class, 'logout'])
After: Route::post('logout', [AuthSessionController::class, 'logout'])
Verification: PHP lint passed for routes/web.php; diff confirms GET was removed for the logout route.
Result: Fixed. Frontend logout calls must use POST.
SEC-003 - High - Brute Force / Abuse Controls
Finding: Several public mutation endpoints had no route-level throttle: login/register aliases, captcha, contact, and authorized-user password setup.
Risk: Attackers could automate credential stuffing, registration abuse, contact spam, and invite/password token guessing at higher volume than necessary.
Location: routes/api.php public auth, registration, invite, contact routes
Evidence: Public POST/GET routes were registered without throttle middleware.
Remediation: Added route-level throttles: login 10/min, register 5/min, captcha 30/min, invite GET 20/min, password setup POST 10/min, contact 5/min.
Before: Route::post('login', ...); Route::post('register', ...); Route::post('contact', ...);
After: Routes now include middleware('throttle:...') on public auth/contact/invite mutation paths.
Verification: PHP lint passed for routes/api.php; route snippets confirm throttle middleware is attached.
Result: Fixed statically. Live rate-limit behavior still needs HTTP retesting after deployment.
SEC-004 - High - File Upload Security
Finding: Event flyer upload moved files into public storage without explicit MIME allowlist or file-size enforcement in the service.
Risk: Untrusted files could be stored in a web-accessible directory. Extension games are ancient, stupid, and still work when services trust uploads too much.
Location: app/Services/Events/EventManagementService.php
Evidence: storeFlyer() used hashName() and move() without validating MIME or size inside the service.
Remediation: Added service-level MIME allowlist for JPEG, PNG, WEBP, PDF; max 5MB; cryptographically random server-side filename using the validated MIME extension.
Before: $name = $file->hashName(); $file->move($dir, $name);
After: MIME map validation, size check, random_bytes filename, controlled extension.
Verification: PHP lint passed for EventManagementService.php; static diff confirms validation was added before move().
Result: Fixed.
SEC-005 - High - File Upload Security
Finding: Receipt upload stored files without service-level validation of validity, MIME type, or size.
Risk: Malformed or unexpected files could be accepted and later served/downloaded, increasing malware and content-sniffing risk.
Location: app/Services/Expenses/ExpenseReceiptService.php
Evidence: storeReceipt() directly called $file->store('receipts') and returned basename.
Remediation: Added isValid(), MIME allowlist, max 5MB, random server-side filename, and controlled extension.
Before: $stored = $file->store('receipts');
After: Validated MIME and size, then storeAs() with bin2hex(random_bytes(16)).
Verification: PHP lint passed for ExpenseReceiptService.php; static diff confirms checks and randomized naming.
Result: Fixed.
SEC-006 - Medium - File Upload Security
Finding: Broadcast email image upload used uniqid() for public filenames and lacked an explicit isValid() check.
Risk: uniqid() is predictable enough to make public file discovery easier. Tiny risk, but still a classic example of software pretending timestamps are secrets.
Location: app/Services/BroadcastEmail/BroadcastEmailImageService.php
Evidence: $newName = uniqid('em_', true) . '.' . $ext; no isValid() guard.
Remediation: Added isValid() handling and replaced uniqid() with bin2hex(random_bytes(16)).
Before: uniqid('em_', true)
After: 'em_' . bin2hex(random_bytes(16))
Verification: PHP lint passed for BroadcastEmailImageService.php; diff confirms change.
Result: Fixed.
SEC-007 - Medium - File Upload Security
Finding: Print request uploads had controller extension/MIME validation but service naming still trusted the client original extension.
Risk: Client-controlled extensions can create misleading stored files and weaken downstream serving assumptions.
Location: PrintRequestsController; PrintRequestsPortalService
Evidence: Portal service used getClientOriginalExtension() to build stored filenames.
Remediation: Added safeExtensionForUpload() that maps detected MIME to controlled extensions; added mimetypes rules to controller validation.
Before: $ext = $file->getClientOriginalExtension();
After: $ext = $this->safeExtensionForUpload($file); plus mimetypes validation.
Verification: PHP lint passed for controller and service; diff confirms service no longer trusts client extensions.
Result: Fixed.
SEC-008 - Medium - HTTP Security Headers / Content Sniffing
Finding: The app lacked a global security header middleware and some uploaded/private file responses were cacheable as public unless nosniff was manually requested.
Risk: Missing headers increases clickjacking/content-sniffing exposure. Public caching of private uploaded files can leak sensitive school documents through shared caches.
Location: bootstrap/app.php; app/Http/Middleware/SecurityHeaders.php; FileServeService.php
Evidence: No global header middleware; FileServeService used Cache-Control public, max-age=86400 and conditional nosniff.
Remediation: Added global SecurityHeaders middleware; added nosniff, frame denial, referrer policy, permissions policy, HSTS over HTTPS; changed file serving to private max-age=300 and nosniff always.
Before: Cache-Control: public, max-age=86400; conditional X-Content-Type-Options.
After: Cache-Control: private, max-age=300; X-Content-Type-Options: nosniff; global headers middleware.
Verification: PHP lint passed for middleware, bootstrap, and FileServeService; static diff confirms middleware registration.
Result: Fixed statically. Header behavior should be confirmed by HTTP response tests in deployed environment.
SEC-009 - Medium - SQL Injection Hardening
Finding: A school_year value was manually quoted and interpolated into a raw EXISTS SQL string.
Risk: Manual quoting is fragile. It was not obviously exploitable because PDO quote was used, but parameterized query builder logic is safer and auditable.
Location: app/Models/User.php
Evidence: $escYear = DB::getPdo()->quote($schoolYear); ... tc.school_year = {$escYear}
Remediation: Replaced raw interpolation with whereExists(), whereColumn(), and bound where('tc.school_year', $schoolYear).
Before: tc.school_year = {$escYear}
After: ->where('tc.school_year', $schoolYear)
Verification: PHP lint passed for User.php; static diff confirms interpolation removed.
Result: Fixed.
SEC-010 - Medium - Dependency Audit
Finding: Dependency audit could not be completed in this sandbox because composer is not installed.
Risk: Known vulnerable packages may remain. Laravel, JWT, PDF, and mail libraries should be audited before deployment because humans keep shipping libraries faster than they patch them.
Location: composer.lock / environment
Evidence: composer audit returned: bash: composer: command not found.
Remediation: Not fixed here. Run composer audit in CI and fail builds on high/critical advisories.
Before: No verified dependency advisory baseline from this run.
After: Open remediation item documented.
Verification: Attempted composer audit; blocked by missing composer binary.
Result: Open.
SEC-011 - Medium - Dynamic Security Testing
Finding: OWASP ZAP and manual HTTP abuse testing were not executed because no running target with required PHP extensions/database was available in the sandbox.
Risk: Static review can miss runtime authorization, CORS, CSRF token, redirect, and response-header issues.
Location: Running application / OWASP ZAP
Evidence: php artisan route:list failed because the PHP runtime lacks mbstring: undefined function mb_split().
Remediation: Install required PHP extensions, configure a test database, boot the app, then run authenticated and unauthenticated ZAP baseline plus manual endpoint abuse tests.
Before: No dynamic scan baseline.
After: Open remediation item documented with blocker.
Verification: Artisan route listing attempted; blocked by missing mbstring extension.
Result: Open.
SEC-012 - Low - Framework Scope Accuracy
Finding: The uploaded plan says CodeIgniter 4, but the application is Laravel 12.
Risk: Wrong-framework checklists miss framework-specific controls. This is how audits become theater with better fonts.
Location: security-verification-plan.md
Evidence: composer.json name/type and dependencies identify laravel/framework ^12.0; routes, middleware, FormRequests, and artisan confirm Laravel structure.
Remediation: Documented scope mismatch. Future audits should use a Laravel-specific checklist.
Before: CodeIgniter 4 plan wording.
After: This report applies the plan categories to Laravel controls.
Verification: Static framework identification completed from composer.json and project structure.
Result: Open documentation correction.
Verification Evidence
- php -l changed PHP files: passed
- composer audit: blocked - composer command not found
- php artisan route:list: blocked - missing PHP mbstring extension (mb_split undefined)
- static secret scan: original app/JWT/SMTP/PayPal secrets removed from edited .env/test.sql
Changed Source Files
- .env
- test.sql
- routes/web.php
- routes/api.php
- bootstrap/app.php
- app/Http/Middleware/SecurityHeaders.php
- app/Services/Files/FileServeService.php
- app/Services/Events/EventManagementService.php
- app/Services/Expenses/ExpenseReceiptService.php
- app/Services/BroadcastEmail/BroadcastEmailImageService.php
- app/Services/PrintRequests/PrintRequestsPortalService.php
- app/Http/Controllers/Api/PrintRequests/PrintRequestsController.php
- app/Models/User.php
Deployment Notes
- Rotate the exposed Gmail app password, JWT secret, Laravel APP_KEY, database password, and PayPal credentials. Redaction in the repository does not invalidate credentials already leaked in the original ZIP. That part requires action with the providers, not wishful thinking.
- Regenerate APP_KEY and JWT_SECRET in each environment. Do not commit .env files with real values.
- Run composer audit in CI and install required PHP extensions, including mbstring, before dynamic tests.
- Re-test all changed public auth/contact/invite routes for expected 429 behavior and frontend compatibility.