MokoConsulting/MokoSuiteBackup
1
0
Fork 0
Code Issues 5 Pull Requests Packages Releases 3 Wiki Activity

fix: critical review — infinite recursion, SQL injection, FK prefix
Generic: Repo Health / Site Health (push) Has been skipped
Details
Generic: Repo Health / Access control (push) Successful in 1s
Details
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Details
Universal: Auto Version Bump / Version Bump (push) Successful in 4s
Details
Joomla: Extension CI / Release Readiness Check (pull_request) Failing after 5s
Details
Universal: Secret Scanning / Gitleaks Secret Scan (pull_request) Successful in 5s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Generic: Repo Health / Access control (pull_request) Successful in 1s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 7s
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 7s
Details
Generic: Project CI / Lint & Validate (push) Successful in 31s
Details
Generic: Project CI / Lint & Validate (pull_request) Successful in 31s
Details
Joomla: Extension CI / Lint & Validate (pull_request) Failing after 35s
Details
Generic: Project CI / Tests (push) Has been cancelled
Details
Generic: Project CI / Tests (pull_request) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.2) (pull_request) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.3) (pull_request) Has been cancelled
Details
Joomla: Extension CI / PHPStan Analysis (pull_request) Has been cancelled
Details
Joomla: Extension CI / Build RC Pre-Release (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (push) Has been cancelled
Details
Generic: Repo Health / Repository health (push) Has been cancelled
Details
Generic: Repo Health / Report Issues (push) Has been cancelled
Details
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Details
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Details
Generic: Repo Health / Report Issues (pull_request) Has been cancelled
Details

Browse Source 
Critical:
- Fix infinite recursion in getValidatedPrefix() — was calling itself
  instead of extracting from $data array
- Fix SQL injection in actionResetAdmin() — prefix not validated,
  now uses getValidatedPrefix()

High:
- Fix prefix abstraction to cover FK REFERENCES — str_replace now
  targets backtick+prefix pattern to catch all table references in
  CREATE TABLE output, not just the current table name

Medium:
- Security gate file write check — skip verification gracefully if
  file cannot be written (don't lock user out)
- Stepped notification catch \Throwable instead of \Exception
This commit is contained in:
Jonathan Miller
2026-06-18 10:55:58 -05:00
parent 682538e4de
commit a4c03d0032
3 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
source/packages/com_mokosuitebackup/src/Engine/DatabaseDumper.php
+3 -2
View File
@@ -114,8 +114,9 @@ class DatabaseDumper
continue;
}
// Replace live prefix with #__ in CREATE TABLE output
$createSql = str_replace($table, $abstractName, $createRow[1]);
// Replace all occurrences of the live prefix with #__ in CREATE TABLE
// output — covers the table itself and FK REFERENCES to other tables
$createSql = str_replace('`' . $prefix, '`#__', $createRow[1]);
$output[] = 'DROP TABLE IF EXISTS `' . $abstractName . '`;';
$output[] = $createSql . ';';
$output[] = '';
source/packages/com_mokosuitebackup/src/Engine/MokoRestore.php
+7 -3
View File
@@ -128,7 +128,11 @@ if (empty($securityCode)) {
. "Code: " . $securityCode . "\n"
. "Enter this code in the MokoRestore browser interface to proceed.\n"
. "This file will be deleted automatically after verification.\n";
file_put_contents($securityFile, $securityContent);
if (file_put_contents($securityFile, $securityContent) === false) {
// Cannot write security file — skip verification to avoid locking user out
$_SESSION['security_verified'] = true;
error_log('MokoRestore: Cannot write security file — verification skipped (check directory permissions)');
}
}
// Handle security code verification via POST
@@ -731,7 +735,7 @@ HTACCESS;
function getValidatedPrefix(array $data): string
{
$prefix = getValidatedPrefix($data);
$prefix = trim($data['db_prefix'] ?? 'moko_');
if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_]{0,20}$/', $prefix)) {
throw new RuntimeException('Invalid table prefix format');
@@ -766,7 +770,7 @@ function actionListAdmins(array $data): array
function actionResetAdmin(array $data): array
{
$pdo = getDbConnection($data);
$prefix = $data['db_prefix'] ?? 'moko_';
$prefix = getValidatedPrefix($data);
$userId = (int) ($data['admin_id'] ?? 0);
$password = $data['new_password'] ?? '';
source/packages/com_mokosuitebackup/src/Engine/SteppedBackupEngine.php
+3 -2
View File
@@ -473,7 +473,7 @@ class SteppedBackupEngine
NotificationSender::send($profile, $record, true, $logContent);
}
} catch (\Exception $e) {
} catch (\Throwable $e) {
error_log('MokoSuiteBackup: SteppedBackupEngine notification failed: ' . $e->getMessage());
}
}
@@ -548,7 +548,8 @@ class SteppedBackupEngine
return '';
}
$createSql = str_replace($table, $abstractName, $createRow[1]);
// Replace all occurrences of the live prefix — covers FK REFERENCES too
$createSql = str_replace('`' . $prefix, '`#__', $createRow[1]);
$output[] = 'DROP TABLE IF EXISTS `' . $abstractName . '`;';
$output[] = $createSql . ';';
$output[] = '';