Security improvements and API compatibility fixes (v0.3.6)

- Add recursive key sorting for response signing compatibility - Fix IP header spoofing in rate limiting with trusted proxy support - Add CSRF protection to CSV export with nonce verification - Explicit Twig autoescape for XSS prevention - Escape status values in CSS classes - Update README with security documentation and trusted proxy config - Update translations for v0.3.6 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 21:18:32 +01:00
parent c7967f71ab
commit 35d802c2b8
11 changed files with 669 additions and 392 deletions
--- a/src/Api/ResponseSigner.php
+++ b/src/Api/ResponseSigner.php
@@ -94,8 +94,8 @@ final class ResponseSigner
        $timestamp = time();
        $signingKey = $this->deriveKey($licenseKey);

-        // Sort keys for consistent ordering
-        ksort($data);
+        // Recursively sort keys for consistent ordering (required by client implementation)
+        $data = $this->recursiveKeySort($data);

        // Build signature payload
        $payload = $timestamp . ':' . json_encode(
@@ -109,6 +109,33 @@ final class ResponseSigner
        ];
    }

+    /**
+     * Recursively sort array keys alphabetically
+     *
+     * @param mixed $data The data to sort
+     * @return mixed The sorted data
+     */
+    private function recursiveKeySort(mixed $data): mixed
+    {
+        if (!is_array($data)) {
+            return $data;
+        }
+
+        // Check if array is associative (has string keys)
+        $isAssociative = array_keys($data) !== range(0, count($data) - 1);
+
+        if ($isAssociative) {
+            ksort($data);
+        }
+
+        // Recursively sort nested arrays
+        foreach ($data as $key => $value) {
+            $data[$key] = $this->recursiveKeySort($value);
+        }
+
+        return $data;
+    }
+
    /**
     * Derive a unique signing key for a license
     *