From cbece2f2794a0c968373f0e3bcd2d766087ba556 Mon Sep 17 00:00:00 2001 From: magdev Date: Wed, 28 Jan 2026 11:28:02 +0100 Subject: [PATCH] Update CLAUDE.md with v0.7.0 session history Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 64 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 57 insertions(+), 7 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 05cc4b3..4bebefe 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -34,7 +34,12 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w ### Version 0.7.0 -No changes planned at the moment +This is a security version. It includes a full security audit and a remote check of a live version of this plugin on . The shop is the property of the plugin developer, all actions are permitted. + +- Check the sourcecode for best practises of all involved components, including checks for SQLi, XSRF, XSS and similar techniques +- Check the remote version for the OWASP Top 10 +- Check the whole licensing workflow +- Minimize the thread vectors ## Technical Stack 
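Review bot: the first added line of this hunk is missing the host it refers to ("a remote check of a live version of this plugin on .") so the permission sentence that follows ("The shop is the property of the plugin developer, all actions are permitted.") authorizes testing against an unnamed system; name the host explicitly (the second hunk calls it shop.magdev.cc) and scope the statement to that host and to the listed checks rather than "all actions". Also fix the typos in the bullet list: "best practises" should read "best practices" and "Minimize the thread vectors" should read "Minimize the threat vectors".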
@@ -1783,12 +1788,57 @@ Bug fix and improvement release addressing admin license testing, auto-update se - Updated `magdev/wc-licensed-product-client` from v0.2.0 to v0.2.1 -**Additional UI change:** +### 2026-01-28 - Version 0.7.0 - Security Hardening -- Product name in test license modal now displayed in bold (``) for better visibility +**Overview:** -**Release v0.6.1:** +Security-focused release with comprehensive audit and hardening. Performed OWASP Top 10 testing against live shop (shop.magdev.cc) and fixed identified vulnerabilities. -- Created release package: `releases/wc-licensed-product-0.6.1.zip` (899 KB) -- SHA256: `f1f1cbdfdd6cda7b20cbd2b88ab4697cde38d987e04cda1f52e885d7818d32f5` -- Tagged as `v0.6.1` and pushed to `main` branch +**Security Audit Results:** + +- SQL injection: Protected (prepared statements throughout) +- CSRF: Protected (nonce verification on all forms/AJAX) +- Rate limiting: Working (429 responses after ~28 requests) +- Access control: Working (403 for unauthorized access) +- HTTPS: Enforced with proper redirect +- Missing security headers noted: X-Frame-Options, HSTS, CSP (server-level configuration) + +**Critical Fixes:** + +- **XSS in checkout-blocks.js**: Replaced `innerHTML` template literals with safe DOM construction using `document.createElement()` and `textContent` +- **IP Detection**: UpdateController was using raw `$_SERVER['REMOTE_ADDR']` without proxy support - now uses shared `IpDetectionTrait` + +**New Files:** + +- `src/Api/IpDetectionTrait.php` - Shared IP detection with proxy header support (Cloudflare, X-Forwarded-For, X-Real-IP) +- `src/Common/RateLimitTrait.php` - Reusable rate limiting for frontend operations + +**Security Enhancements:** + +- Added rate limiting to license transfers (5/hour per user) +- Added rate limiting to file downloads (30/hour per user) +- Added CSV import limits: 2MB max file size, 1000 max rows, 5-minute cooldown +- Added JSON error handling in StoreApiExtension +- Added license ID 
validation in frontend.js to prevent selector injection + +**Modified Files:** + +- `assets/js/checkout-blocks.js` - XSS-safe DOM construction +- `assets/js/frontend.js` - Added `sanitizeForSelector()` helper +- `src/Api/RestApiController.php` - Use IpDetectionTrait, remove duplicate methods +- `src/Api/UpdateController.php` - Use IpDetectionTrait for rate limiting +- `src/Admin/AdminController.php` - CSV import security limits +- `src/Frontend/AccountController.php` - Transfer rate limiting +- `src/Frontend/DownloadController.php` - Download rate limiting +- `src/Checkout/StoreApiExtension.php` - JSON error handling + +**Technical Notes:** + +- IpDetectionTrait supports `WC_LICENSE_TRUSTED_PROXIES` constant for proxy configuration +- RateLimitTrait uses WordPress transients with user ID-based keys +- CSV import constants: `MAX_IMPORT_FILE_SIZE = 2097152`, `MAX_IMPORT_ROWS = 1000`, `IMPORT_RATE_LIMIT_WINDOW = 300` + +**Release v0.7.0:** + +- Created release package: `releases/wc-licensed-product-0.7.0.zip` +- Tagged as `v0.7.0` and pushed to `main` branch
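Review bot: this hunk deletes the v0.6.1 release record (the "Additional UI change" bullet, the `releases/wc-licensed-product-0.6.1.zip` path with its 899 KB size, the SHA256 `f1f1cbdfdd6cda7b20cbd2b88ab4697cde38d987e04cda1f52e885d7818d32f5` and the `v0.6.1` tag line) instead of appending the new section after it, so the session history loses the previous release; keep those lines and add the 2026-01-28 section below them. The new "Release v0.7.0" entry also omits the package size and SHA256 that the v0.6.1 entry recorded; add the checksum once the zip is built, otherwise the changelog no longer lets anyone verify the artifact. Minor: the "Missing security headers noted" bullet records X-Frame-Options, HSTS and CSP as not fixed but not as an open item; either add them to a follow-up list or note where the server-level configuration is tracked.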