From 64d215cb265a64ff318cfbb954dd128b0076dc1d Mon Sep 17 00:00:00 2001 From: magdev Date: Sat, 24 Jan 2026 14:32:11 +0100 Subject: [PATCH] Update session history with security audit learnings Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index e9550a0..ed66c8e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -29,10 +29,6 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w No known bugs at the moment -### Version 0.1.1 - -No changes at the moment - ### Version 0.2.0 No changes at the moment. 
@@ -181,3 +177,28 @@ When editing CLAUDE.md or other markdown files, follow these rules to avoid lint - Client documentation complements server documentation for complete integration guide - Integration examples for major PHP frameworks help adoption - Error code mapping to exception classes aids programmatic error handling + +### 2026-01-24 - Security Audit and Fixes + +**Completed:** + +- Performed comprehensive security audit of entire codebase +- Fixed JSON encoding error handling in `ResponseSignature::buildSignaturePayload()` +- Sanitized exception messages in both client classes to prevent information disclosure +- Fixed header normalization to treat empty values as null in `SecureLicenseClient` +- Added SSRF protection with URL validation and private IP range blocking +- Replaced custom key derivation with RFC 5869 compliant `hash_hkdf()` +- Added input validation in all DTO `fromArray()` methods +- Added DateTime exception handling in DTOs to prevent uncaught exceptions +- Added new `allowInsecureHttp` constructor parameter for development environments + +**Learnings:** + +- Security audit identified 7 fixable issues across critical, high, and medium priority +- `hash_hkdf()` is PHP's native RFC 5869 implementation - prefer it over custom HKDF +- SSRF protection requires: URL scheme validation, private IP blocking, DNS resolution checks +- Exception messages should never expose internal details to end users +- DTO validation should check both existence (`isset`) and type (`is_int`, `is_bool`, etc.) +- Empty header values should be treated as missing (null) not empty strings +- Constructor parameters added: `allowInsecureHttp` for HTTP on non-localhost in dev mode +- Private IP ranges to block: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8
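Review bot: The removal of the "### Version 0.1.1" block in the first hunk is not mentioned in the commit subject ("Update session history with security audit learnings"); either call it out in the message or split it into its own commit so the changelog edit is traceable. Related: the surviving "### Version 0.2.0 / No changes at the moment." entry now sits directly above a session note that records eight code-level security fixes (JSON encoding handling, exception sanitization, header normalization, SSRF protection, `hash_hkdf()`, DTO validation, DateTime handling, `allowInsecureHttp`); the version entry should list those changes, or at least point to the 2026-01-24 note, rather than claim no changes.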
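Review bot: The counts in the second hunk do not agree: "Learnings" states the audit "identified 7 fixable issues", but "Completed" lists eight distinct fixes after the audit bullet; reconcile the number or note which items were folded together. Two further documentation points on the same hunk: the "Private IP ranges to block" line is IPv4-only, so if the SSRF check resolves hostnames it should also document the IPv6 equivalents (`::1`, `fc00::/7`, `fe80::/10`) that an AAAA answer can return; and the line "SSRF protection requires: ... DNS resolution checks" should state whether the resolved address is pinned for the actual request, since a check-then-connect sequence is what DNS rebinding bypasses. Finally, "Constructor parameters added: `allowInsecureHttp` ..." repeats the corresponding "Completed" bullet; keep it in one place, ideally with its default value.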