MokoConsulting/MokoSuiteBackup
1
0
Fork 0
Code Issues 18 Pull Requests Packages Releases 3 Wiki Activity
261 Commits 3 Branches 3 Tags
a77458a24a40af4b2e5c804f98ab0fa1a4e1f5e0
Commit Graph

4 Commits

Author SHA1 Message Date
Jonathan Miller c466839a40 fix: final review — SQL injection, input escaping, undefined var
Generic: Repo Health / Access control (push) Successful in 1s
Details
Generic: Repo Health / Site Health (push) Has been skipped
Details
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Generic: Repo Health / Access control (pull_request) Successful in 2s
Details
Joomla: Extension CI / Release Readiness Check (pull_request) Failing after 3s
Details
Universal: Secret Scanning / Gitleaks Secret Scan (pull_request) Successful in 6s
Details
Joomla: Extension CI / Lint & Validate (pull_request) Failing after 6s
Details
Universal: Auto Version Bump / Version Bump (push) Successful in 9s
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 6s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 20s
Details
Generic: Repo Health / Scripts governance (push) Has been cancelled
Details
Generic: Repo Health / Repository health (push) Has been cancelled
Details
Generic: Repo Health / Report Issues (push) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.2) (pull_request) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.3) (pull_request) Has been cancelled
Details
Joomla: Extension CI / PHPStan Analysis (pull_request) Has been cancelled
Details
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Details
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Details
Generic: Repo Health / Report Issues (pull_request) Has been cancelled
Details 
Critical/High:
- Fix undefined $configFile → $configPath in from-scratch config path
- Escape all user input with addcslashes before interpolating into
  configuration.php (both regex-replace and HEREDOC paths)
- Add getValidatedPrefix() helper — validates db_prefix format before
  use in SQL table names across all restore functions
- fixPackageClientId() now warns user via enqueueMessage on failure
- sanitizeConfiguration() logs error on file read failure

Medium:
- Content-Disposition header uses RFC 6266 rawurlencode (both admin
  and API download controllers)
- Remove @unlink suppression, log warning on failure
- viewLog() catch block now logs exception context
- writeDefaultHtaccess() checks copy/write, returns status to caller
- actionConfig() checks file_put_contents return value
 2026-06-15 01:10:04 -05:00
Jonathan Miller c381829fc5 fix: ACL review — missing checks, HTTP status codes, memory safety
Generic: Repo Health / Site Health (push) Has been skipped
Details
Generic: Repo Health / Access control (push) Successful in 1s
Details
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Generic: Repo Health / Access control (pull_request) Successful in 1s
Details
Joomla: Extension CI / Release Readiness Check (pull_request) Failing after 3s
Details
Joomla: Extension CI / Lint & Validate (pull_request) Failing after 5s
Details
Universal: Secret Scanning / Gitleaks Secret Scan (pull_request) Successful in 5s
Details
Universal: Auto Version Bump / Version Bump (push) Successful in 7s
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 6s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 20s
Details
Generic: Repo Health / Scripts governance (push) Has been cancelled
Details
Generic: Repo Health / Repository health (push) Has been cancelled
Details
Generic: Repo Health / Report Issues (push) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.2) (pull_request) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.3) (pull_request) Has been cancelled
Details
Joomla: Extension CI / PHPStan Analysis (pull_request) Has been cancelled
Details
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Details
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Details
Generic: Repo Health / Report Issues (pull_request) Has been cancelled
Details 
- Add ACL check (core.manage) to verify() — was completely unguarded
- Add checkToken('get') to download() for CSRF protection
- Wrap all setMessage() calls in Text::_() for proper translation
- Add HTTP 403 status to all AJAX token/ACL denial responses
- Add $status param to sendJson() helper
- Wrap viewLog() DB query in try-catch, return JSON error on failure
- Fix viewLog() file_get_contents to detect read errors vs missing
- Replace API download() file_get_contents + base64 with streaming
  readfile() to prevent memory exhaustion on large backups
- Gate backup profile selector in template behind backup.run permission
 2026-06-13 07:42:23 -05:00
Jonathan Miller ff5f0108b9 feat: wire up ACL permission checks across all controllers and views
Generic: Repo Health / Access control (push) Successful in 1s
Details
Generic: Repo Health / Site Health (push) Has been skipped
Details
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Generic: Repo Health / Access control (pull_request) Successful in 1s
Details
Joomla: Extension CI / Release Readiness Check (pull_request) Failing after 3s
Details
Universal: Auto Version Bump / Version Bump (push) Successful in 8s
Details
Joomla: Extension CI / Lint & Validate (pull_request) Failing after 6s
Details
Universal: Secret Scanning / Gitleaks Secret Scan (pull_request) Successful in 6s
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 6s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 20s
Details
Generic: Repo Health / Scripts governance (push) Has been cancelled
Details
Generic: Repo Health / Repository health (push) Has been cancelled
Details
Generic: Repo Health / Report Issues (push) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.2) (pull_request) Has been cancelled
Details
Joomla: Extension CI / Tests (PHP 8.3) (pull_request) Has been cancelled
Details
Joomla: Extension CI / PHPStan Analysis (pull_request) Has been cancelled
Details
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Details
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Details
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Details
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Details
Generic: Repo Health / Report Issues (pull_request) Has been cancelled
Details 
Enforce granular permissions defined in access.xml:

Controllers (server-side enforcement):
- BackupsController: start() → backup.run, download() → backup.download,
  restore() → backup.restore
- AjaxController: init()/step() → backup.run, browseDir()/viewLog() →
  core.manage
- API BackupsController: backup() → backup.run, download() →
  backup.download, profiles() → core.manage
- ProfilesController: importAkeeba() → core.create

Views (toolbar button visibility):
- Backups: conditionally show Start, Restore, Delete, Preferences
- Profiles: conditionally show Add, Edit, Import, Delete, Preferences
- Profile edit: conditionally show Save/Apply based on create/edit

Templates:
- Backups list: hide download button when backup.download denied
 2026-06-13 07:23:57 -05:00
Jonathan Miller ace33b60fe feat: rename mokojoombackup → mokosuitebackup, add [HOME] placeholder for backup directory
Generic: Repo Health / Site Health (push) Has been skipped
Details
Generic: Repo Health / Access control (push) Successful in 2s
Details
Universal: Auto Version Bump / Version Bump (push) Successful in 10s
Details
Generic: Repo Health / Scripts governance (push) Has been cancelled
Details
Generic: Repo Health / Repository health (push) Has been cancelled
Details
Generic: Repo Health / Report Issues (push) Has been cancelled
Details 
Renames all sub-extensions from mokojoombackup to mokosuitebackup
(package, component, 7 plugins, language files, manifests).

Adds [HOME] placeholder to BackupDirectory and PlaceholderResolver
so users can set backup_dir to [HOME]/backups (outside web root).
Fixes folder browser "access denied" on PHP-FPM shared hosting
where getenv('HOME') returns empty by adding POSIX and JPATH_ROOT
fallback detection.
 2026-06-11 12:24:27 -05:00