Update session history with security audit learnings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CLAUDE.md
@@ -29,10 +29,6 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w
|
|||||||
|
|
||||||
No known bugs at the moment
|
No known bugs at the moment
|
||||||
|
|
||||||
### Version 0.1.1
|
|
||||||
|
|
||||||
No changes at the moment
|
|
||||||
|
|
||||||
### Version 0.2.0
|
### Version 0.2.0
|
||||||
|
|
||||||
No changes at the moment.
|
No changes at the moment.
|
||||||
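Review bot: this hunk deletes the `### Version 0.1.1` heading together with its `No changes at the moment` line, so the changelog loses a version entry entirely; if 0.1.1 was ever tagged or released, keep the heading (with a short note such as "No changes") rather than removing the history. The surviving `### Version 0.2.0` entry still reads `No changes at the moment.` while the second hunk of this same commit records SSRF protection, HKDF replacement and exception-message sanitization; consider whether those fixes belong under the 0.2.0 entry instead of only in the session history.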
@@ -181,3 +177,28 @@ When editing CLAUDE.md or other markdown files, follow these rules to avoid lint
|
|||||||
- Client documentation complements server documentation for complete integration guide
|
- Client documentation complements server documentation for complete integration guide
|
||||||
- Integration examples for major PHP frameworks help adoption
|
- Integration examples for major PHP frameworks help adoption
|
||||||
- Error code mapping to exception classes aids programmatic error handling
|
- Error code mapping to exception classes aids programmatic error handling
|
||||||
|
|
||||||
|
### 2026-01-24 - Security Audit and Fixes
|
||||||
|
|
||||||
|
**Completed:**
|
||||||
|
|
||||||
|
- Performed comprehensive security audit of entire codebase
|
||||||
|
- Fixed JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
|
||||||
|
- Sanitized exception messages in both client classes to prevent information disclosure
|
||||||
|
- Fixed header normalization to treat empty values as null in `SecureLicenseClient`
|
||||||
|
- Added SSRF protection with URL validation and private IP range blocking
|
||||||
|
- Replaced custom key derivation with RFC 5869 compliant `hash_hkdf()`
|
||||||
|
- Added input validation in all DTO `fromArray()` methods
|
||||||
|
- Added DateTime exception handling in DTOs to prevent uncaught exceptions
|
||||||
|
- Added new `allowInsecureHttp` constructor parameter for development environments
|
||||||
|
|
||||||
|
**Learnings:**
|
||||||
|
|
||||||
|
- Security audit identified 7 fixable issues across critical, high, and medium priority
|
||||||
|
- `hash_hkdf()` is PHP's native RFC 5869 implementation - prefer it over custom HKDF
|
||||||
|
- SSRF protection requires: URL scheme validation, private IP blocking, DNS resolution checks
|
||||||
|
- Exception messages should never expose internal details to end users
|
||||||
|
- DTO validation should check both existence (`isset`) and type (`is_int`, `is_bool`, etc.)
|
||||||
|
- Empty header values should be treated as missing (null) not empty strings
|
||||||
|
- Constructor parameters added: `allowInsecureHttp` for HTTP on non-localhost in dev mode
|
||||||
|
- Private IP ranges to block: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8
|
||||||
|
|||||||
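Review bot: the "Private IP ranges to block" line lists only IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8), so the documented SSRF protection is incomplete for hosts that resolve to IPv6 loopback (`::1`), unique-local (`fc00::/7`), link-local (`fe80::/10`) or IPv4-mapped IPv6 addresses, and it also omits the shared-address space `100.64.0.0/10`; please extend the list in the notes and check that the implementation in `SecureLicenseClient` applies the same set. On the "SSRF protection requires: URL scheme validation, private IP blocking, DNS resolution checks" line, the learning should also record that the check must be made against the address actually connected to (resolve once, validate, then connect to that IP) rather than a separate lookup, otherwise a DNS rebinding between check and connect defeats it. Finally, the two `allowInsecureHttp` bullets describe the parameter but not its default; state explicitly that it defaults to `false` and that plain HTTP is only ever accepted when it is set, so a reader of CLAUDE.md does not assume HTTP to localhost is permitted by default.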