fix: security + data-integrity fixes (P0/P1) #211

Merged
jmiller merged 2 commits from fix/security-integrity-p0p1 into main 2026-07-05 21:33:49 +00:00
Owner

Batches the P0 (security) and P1 (data-integrity) fixes from the triage. php -l clean, XML well-formed.

Security (P0)

  • #169 — mask FTP password: add 'ftp' => ['password'] to both $secrets maps in AjaxController::maskSecrets() / mergeExistingSecrets() (stored FTP remotes no longer leak their password via listRemotes).
  • #187 — remove 'absolute_path' from $fieldsToRenderItem in api/.../Backups/JsonapiView.php (single-item API view no longer exposes the server filesystem path).
  • #182SftpUploader scp/ssh builders: StrictHostKeyChecking=noaccept-new (TOFU instead of blind-accept; closes the trivial MITM).

Data integrity / correctness (P1)

  • #179DatabaseDumper.php:329: emit a real newline after DROP TABLE (was a literal \n in a double-quoted string, corrupting the streamed dump).
  • #180 — profile-picker forms ORDER BY id instead of the ordering column, which migration 01.43.33 drops on upgraded sites (the query errored there). Fixed in plg_task .../run_profile.xml and plg_content .../mokosuitebackup.xml. (Fresh installs still create the now-unused column via install.mysql.sql — harmless; removing it is a minor follow-up.)
  • #181uninstall.mysql.sql: add the missing DROP TABLE … _snapshots (was orphaning the table).
  • #184 — CLI snapshot delete: use data_file (the real column); file_path doesn't exist, so snapshot files were never unlinked.
  • #186 — remove the duplicate pre-update backup: the content plugin no longer subscribes to onExtensionBeforeUpdate (that's owned by the system plugin); it keeps onExtensionBeforeInstall. One update → one backup.
  • #188DatabaseImporter now collects non-fatal statement errors (getErrors() / hasErrors()) instead of only error_log-and-continue. Backward compatible (still returns the count, still continues); this makes restores no longer silent so the caller can surface a warning status. (Wiring the restore-status to hasErrors() is the remaining half of #188 — left for a focused follow-up since it touches the restore flow.)

Also

Folds in the .mokogitea/CLAUDE.md mokoplatformmokocli stale-name fix (loose end).

Closes #169, #179, #180, #181, #182, #184, #186, #187. Partially addresses #188.

https://claude.ai/code/session_01WbGBN9VyRK61zczYWcCQ2i

Batches the P0 (security) and P1 (data-integrity) fixes from the triage. `php -l` clean, XML well-formed. ## Security (P0) - **#169** — mask FTP password: add `'ftp' => ['password']` to both `$secrets` maps in `AjaxController::maskSecrets()` / `mergeExistingSecrets()` (stored FTP remotes no longer leak their password via `listRemotes`). - **#187** — remove `'absolute_path'` from `$fieldsToRenderItem` in `api/.../Backups/JsonapiView.php` (single-item API view no longer exposes the server filesystem path). - **#182** — `SftpUploader` scp/ssh builders: `StrictHostKeyChecking=no` → `accept-new` (TOFU instead of blind-accept; closes the trivial MITM). ## Data integrity / correctness (P1) - **#179** — `DatabaseDumper.php:329`: emit a real newline after `DROP TABLE` (was a literal `\n` in a double-quoted string, corrupting the streamed dump). - **#180** — profile-picker forms `ORDER BY id` instead of the `ordering` column, which migration `01.43.33` drops on upgraded sites (the query errored there). Fixed in `plg_task .../run_profile.xml` and `plg_content .../mokosuitebackup.xml`. *(Fresh installs still create the now-unused column via `install.mysql.sql` — harmless; removing it is a minor follow-up.)* - **#181** — `uninstall.mysql.sql`: add the missing `DROP TABLE … _snapshots` (was orphaning the table). - **#184** — CLI snapshot delete: use `data_file` (the real column); `file_path` doesn't exist, so snapshot files were never unlinked. - **#186** — remove the duplicate pre-update backup: the content plugin no longer subscribes to `onExtensionBeforeUpdate` (that's owned by the system plugin); it keeps `onExtensionBeforeInstall`. One update → one backup. - **#188** — `DatabaseImporter` now collects non-fatal statement errors (`getErrors()` / `hasErrors()`) instead of only `error_log`-and-continue. Backward compatible (still returns the count, still continues); this makes restores no longer *silent* so the caller can surface a **warning** status. *(Wiring the restore-status to `hasErrors()` is the remaining half of #188 — left for a focused follow-up since it touches the restore flow.)* ## Also Folds in the `.mokogitea/CLAUDE.md` `mokoplatform` → `mokocli` stale-name fix (loose end). Closes #169, #179, #180, #181, #182, #184, #186, #187. Partially addresses #188. https://claude.ai/code/session_01WbGBN9VyRK61zczYWcCQ2i
jmiller added 1 commit 2026-07-05 21:33:12 +00:00
fix: security + data-integrity fixes (P0/P1)
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Joomla: Extension CI / Release Readiness Check (pull_request) Failing after 6s
Universal: PR Check / Wiki Update Reminder (pull_request) Successful in 2s
Universal: PR Check / Require Docs Update (pull_request) Failing after 8s
Universal: PR Check / Secret Scan (pull_request) Successful in 9s
Generic: Repo Health / Access control (pull_request) Successful in 2s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Universal: PR Check / Validate PR (pull_request) Failing after 13s
Joomla: Metadata Validation / Validate Joomla Metadata (pull_request) Successful in 12s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 28s
Universal: Build & Release / Promote to RC (pull_request) Has been skipped
Universal: Build & Release / Build & Release Pipeline (pull_request) Has been skipped
Generic: Project CI / Lint & Validate (pull_request) Successful in 46s
Joomla: Extension CI / Lint & Validate (pull_request) Failing after 50s
Generic: Project CI / Tests (pull_request) Has been cancelled
Joomla: Extension CI / Tests (PHP 8.2) (pull_request) Has been cancelled
Joomla: Extension CI / Tests (PHP 8.3) (pull_request) Has been cancelled
Joomla: Extension CI / PHPStan Analysis (pull_request) Has been cancelled
Joomla: Extension CI / Build RC Pre-Release (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
99b844e04a
Security (P0):
- #169 mask FTP password in AjaxController maskSecrets()/mergeExistingSecrets()
- #187 stop leaking absolute_path in API item view (JsonapiView)
- #182 SftpUploader StrictHostKeyChecking=no -> accept-new (MITM)

Data integrity / correctness (P1):
- #179 DatabaseDumper: real newline after DROP TABLE (was literal backslash-n)
- #180 profile-picker forms ORDER BY id (the 'ordering' column is dropped on
  upgraded sites, breaking the query) — run_profile.xml + plg_content xml
- #181 uninstall.mysql.sql: add missing DROP for snapshots table
- #184 CLI snapshot delete uses data_file column (file_path does not exist,
  so snapshot files were never deleted)
- #186 remove duplicate pre-update backup: content plugin no longer subscribes
  to onExtensionBeforeUpdate (owned by the system plugin); keeps pre-install
- #188 DatabaseImporter now collects non-fatal statement errors
  (getErrors()/hasErrors()) so restores are no longer silent and callers can
  surface a warning status

Also folds in the .mokogitea/CLAUDE.md mokoplatform -> mokocli fix (stale repo
name after the rename).

Claude-Session: https://claude.ai/code/session_01WbGBN9VyRK61zczYWcCQ2i
jmiller force-pushed fix/security-integrity-p0p1 from ad182f163c to 99b844e04a 2026-07-05 21:33:12 +00:00 Compare
Author
Owner

Wiki reminder: docs are wiki-first -- if this PR changes behavior, usage, config, or standards, please update the repo wiki before/after merge. (non-blocking)

<!-- wiki-reminder --> **Wiki reminder:** docs are wiki-first -- if this PR changes behavior, usage, config, or standards, please update the repo wiki before/after merge. _(non-blocking)_
jmiller added 1 commit 2026-07-05 21:33:35 +00:00
chore(version): pre-release bump to 02.56.07-dev [skip ci]
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Universal: Build & Release / Promote to RC (pull_request) Has been skipped
Universal: Build & Release / Build & Release Pipeline (pull_request) Successful in 32s
6ab31c12be
jmiller merged commit f4bc1d128c into main 2026-07-05 21:33:49 +00:00
jmiller deleted branch fix/security-integrity-p0p1 2026-07-05 21:33:51 +00:00
Sign in to join this conversation.