magdev/wc-licensed-product-client
1
Fork 0
Code Issues Pull Requests Activity

Fix security vulnerabilities identified in audit

Browse Source 
- Add JSON encoding error handling in ResponseSignature to prevent silent failures
- Sanitize exception messages to prevent information disclosure
- Fix header normalization to treat empty values as null
- Add SSRF protection with URL validation and private IP blocking
- Replace custom key derivation with RFC 5869 compliant hash_hkdf()
- Add input validation in DTO fromArray() methods
- Add DateTime exception handling in DTOs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-01-24 14:31:13 +01:00
parent 9f513a819e
commit fa748d61d3
6 changed files with 241 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Dto/ActivationResult.php
View File

@@ -14,6 +14,13 @@ final readonly class ActivationResult
public static function fromArray(array $data): self
{
if (!isset($data['success']) || !is_bool($data['success'])) {
throw new \InvalidArgumentException('Invalid response: missing or invalid success field');
}
if (!isset($data['message']) || !is_string($data['message'])) {
throw new \InvalidArgumentException('Invalid response: missing or invalid message field');
}
return new self(
success: $data['success'],
message: $data['message'],