php-framework/changelog/2026/jan/code-review.md

# Core-PHP Code Review - January 2026
Comprehensive Opus-level code review of all Core/* modules.
## Summary
| Severity | Count | Status |
|----------|-------|--------|
| Critical | 15 | All Fixed |
| High | 52 | 51 Fixed |
| Medium | 38 | All Fixed |
| Low | 32 | All Fixed |
---
## Critical Issues Fixed
### Bouncer/BlocklistService.php
- **Missing table existence check** - Added cached `tableExists()` check.
### Cdn/Services/StorageUrlResolver.php
- **Weak token hashing** - Changed to HMAC-SHA256.
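As an added illustration of the HMAC change (example code, not Core-PHP's `StorageUrlResolver`): a signed storage URL carries an expiry and a token; the token is an HMAC-SHA256 over the path and expiry, so forging it requires the server-side secret rather than just knowledge of the scheme, and verification uses `hash_equals()` to avoid timing leaks. The class name, query parameter names and TTL default are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Core-PHP's StorageUrlResolver. Signs a storage path plus
// expiry with HMAC-SHA256 and verifies it in constant time. A plain hash of
// path + expiry could be recomputed by anyone who knows the layout; an HMAC
// needs the secret. Class and parameter names are hypothetical.
final class SignedUrl
{
    public function __construct(private string $secret, private int $ttlSeconds = 3600)
    {
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('signing secret must be at least 32 bytes');
        }
    }

    // Canonical string binds path and expiry together so neither can be swapped
    // for another signed pair.
    private function payload(string $path, int $expires): string
    {
        return $path . "\n" . $expires;
    }

    public function sign(string $path, ?int $now = null): string
    {
        $expires = ($now ?? time()) + $this->ttlSeconds;
        $token = hash_hmac('sha256', $this->payload($path, $expires), $this->secret);
        return $path . '?expires=' . $expires . '&token=' . $token;
    }

    // True only if the token matches the path/expiry and the link is still valid.
    public function verify(string $url, ?int $now = null): bool
    {
        $parts = parse_url($url);
        if (!isset($parts['path'], $parts['query'])) {
            return false;
        }
        parse_str($parts['query'], $q);
        $expires = filter_var($q['expires'] ?? null, FILTER_VALIDATE_INT);
        $token = $q['token'] ?? '';
        if ($expires === false || !is_string($token) || ($now ?? time()) > $expires) {
            return false;
        }
        $expected = hash_hmac('sha256', $this->payload($parts['path'], $expires), $this->secret);
        return hash_equals($expected, $token);
    }
}

// Constructed demo values; a real secret comes from configuration, not code.
$signer = new SignedUrl(str_repeat('k', 32), ttlSeconds: 600);
$url = $signer->sign('/media/report.pdf', now: 1_000_000);

var_dump($signer->verify($url, now: 1_000_100));        // within the TTL
var_dump($signer->verify($url, now: 1_000_700));        // past the expiry
var_dump($signer->verify($url . 'x', now: 1_000_100));  // token altered
```

The expiry is part of the signed payload, so shortening or extending it in the query string invalidates the token; a configurable `ttlSeconds` is what the "configurable signed URL expiry" item further down refers to in spirit.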
### Config/ConfigService.php
- **SQL injection via LIKE wildcards** - Added wildcard escaping.
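To show what "wildcard escaping" has to do (an added example, not Core-PHP's `ConfigService`): binding a `LIKE` pattern as a parameter prevents SQL injection, but `%` and `_` inside the bound value are still interpreted as wildcards, so a user term must be escaped before it is placed in the pattern. The example uses an explicit single-character `ESCAPE` clause, an in-memory SQLite table with constructed rows, and hypothetical column names.

```php
<?php
declare(strict_types=1);

// Added example, not Core-PHP's ConfigService. Escapes LIKE metacharacters so
// a user term is matched literally inside a parameterised pattern. The escape
// character is declared via ESCAPE so the query behaves the same on MySQL,
// PostgreSQL and SQLite.
const LIKE_ESCAPE = '!';

function escapeLikeTerm(string $term): string
{
    // Escape the escape character first so the later replacements cannot
    // produce an unintended escape sequence.
    return str_replace(
        [LIKE_ESCAPE, '%', '_'],
        [LIKE_ESCAPE . LIKE_ESCAPE, LIKE_ESCAPE . '%', LIKE_ESCAPE . '_'],
        $term
    );
}

// Prefix lookup: the user term is escaped, the trailing % is ours.
function findByPrefix(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM config WHERE name LIKE :pattern ESCAPE '" . LIKE_ESCAPE . "' ORDER BY name"
    );
    $stmt->execute([':pattern' => escapeLikeTerm($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same query without escaping, kept only to show the difference.
function findByPrefixUnescaped(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare('SELECT name FROM config WHERE name LIKE :pattern ORDER BY name');
    $stmt->execute([':pattern' => $prefix . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed rows in an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT)');
$insert = $pdo->prepare('INSERT INTO config (name, value) VALUES (?, ?)');
$rows = [
    'mail_host' => 'smtp.example.test',
    'mail_port' => '587',
    'mailer'    => 'smtp',
    'cdn_url'   => 'https://cdn.example.test',
];
foreach ($rows as $name => $value) {
    $insert->execute([$name, $value]);
}

// With "mail_" as the term, the unescaped query also returns "mailer" because
// "_" matches any single character; a bare "%" term would return every row.
print_r(findByPrefix($pdo, 'mail_'));
print_r(findByPrefixUnescaped($pdo, 'mail_'));
print_r(findByPrefix($pdo, '%'));
```

Unescaped wildcards are also the mechanism behind the "wildcard DoS protection" noted under Search below: a pattern made of leading `%` and `_` characters forces a full scan, so escaping user input and refusing patterns that start with a wildcard address the same root cause.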
### Console/Boot.php
- **References non-existent commands** - Commented out missing commands.
### Console/Commands/InstallCommand.php
- **Regex injection** - Added `preg_quote()`.
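The following added example (not Core-PHP's `InstallCommand`) shows why `preg_quote()` is needed when user input is interpolated into a pattern: without it a key like `APP_.*` rewrites every `APP_` line, and a `/` in the input terminates the delimiter. The `.env` rewrite is a hypothetical illustration of the kind of operation an install command performs; the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Core-PHP's InstallCommand. preg_quote() escapes regex
// metacharacters and, when passed the delimiter, the delimiter too. The
// replacement side needs separate escaping because "\" and "$" are special
// there. The .env handling is a hypothetical illustration.
function setEnvValue(string $env, string $key, string $value): string
{
    // Only accept keys that look like environment variable names.
    if (!preg_match('/\A[A-Z_][A-Z0-9_]*\z/', $key)) {
        throw new InvalidArgumentException("invalid env key: $key");
    }
    $pattern = '/^' . preg_quote($key, '/') . '=.*$/m';
    // Escape backslash and dollar so a value containing "$1" stays literal.
    $replacement = $key . '=' . str_replace(['\\', '$'], ['\\\\', '\\$'], $value);

    $result = preg_replace($pattern, $replacement, $env, 1, $count);
    if ($result === null) {
        throw new RuntimeException('regex failure: ' . preg_last_error_msg());
    }
    // Append the key when it was not present.
    return $count === 0 ? rtrim($env, "\n") . "\n" . $key . '=' . $value . "\n" : $result;
}

// Unsafe variant kept only for contrast: the key is used as a pattern verbatim.
function setEnvValueUnsafe(string $env, string $key, string $value): string
{
    return preg_replace('/^' . $key . '=.*$/m', $key . '=' . $value, $env) ?? $env;
}

// Constructed .env content.
$env = "APP_NAME=demo\nAPP_KEY=old\nDB_PASSWORD=secret\n";

// Value with "$1" and a backslash survives intact in the safe version.
echo setEnvValue($env, 'APP_KEY', 'n3w$1\\key'), "\n";

// The safe function rejects "APP_.*" as a key; the unsafe one treats it as a
// pattern and rewrites both APP_ lines.
echo setEnvValueUnsafe($env, 'APP_.*', 'x'), "\n";
```

Checking `preg_replace()` for `null` matters as much as the quoting: a pattern broken by an unescaped delimiter makes the call return `null`, and code that writes that result back to disk empties the file.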
### Input/Sanitiser.php
- **Nested arrays become null** - Implemented recursive filtering.
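The recursion described here, as an added example rather than Core-PHP's `Sanitiser`: `filter_var()` applied to an array returns `false`, so a scalar-only filter silently drops every nested branch of a request payload. Walking the array recursively keeps the structure and cleans each leaf, with depth and element limits so hostile input cannot exhaust the stack. Class name, limits and the string-cleaning rules are assumptions; `mb_scrub()` needs the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example, not Core-PHP's Sanitiser. Recursively filters nested arrays
// instead of turning them into null, with bounds on depth and total element
// count. Names and limits are hypothetical.
final class RecursiveSanitiser
{
    public function __construct(private int $maxDepth = 16, private int $maxItems = 1000) {}

    public function sanitise(mixed $value): mixed
    {
        $seen = 0;
        return $this->walk($value, 0, $seen);
    }

    private function walk(mixed $value, int $depth, int &$seen): mixed
    {
        if (++$seen > $this->maxItems) {
            throw new LengthException('input has too many elements');
        }
        if (is_array($value)) {
            if ($depth >= $this->maxDepth) {
                throw new LengthException('input nested too deeply');
            }
            $out = [];
            foreach ($value as $key => $item) {
                // String keys are cleaned too; integer keys are left alone.
                $cleanKey = is_string($key) ? $this->cleanString($key) : $key;
                $out[$cleanKey] = $this->walk($item, $depth + 1, $seen);
            }
            return $out;
        }
        if (is_string($value)) {
            return $this->cleanString($value);
        }
        // Numbers, booleans and null pass through; objects and resources are dropped.
        return is_scalar($value) || $value === null ? $value : null;
    }

    private function cleanString(string $s): string
    {
        // Replace invalid UTF-8 sequences, then strip NUL and the other C0
        // control characters (plus DEL), keeping tab, LF and CR.
        $s = mb_scrub($s, 'UTF-8');
        $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $s) ?? '';
        return trim($s);
    }
}

// Constructed request payload with nesting, a NUL byte and an invalid UTF-8 byte.
$input = [
    'user'  => ['name' => " Ali\x00ce ", 'tags' => ['a', "b\xff", ['deep' => "\x01x"]]],
    'count' => 3,
];
print_r((new RecursiveSanitiser())->sanitise($input));
```

The `?? ''` after `preg_replace()` is deliberate: with the `u` modifier the call returns `null` on malformed UTF-8, which is why invalid bytes are scrubbed first and the fallback still yields a string.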
### Mail/EmailShieldStat.php
- **Race condition** - Changed to atomic `insertOrIgnore()` + `increment()`.
### ModuleScanner.php
- **Duplicate code** - Removed duplicate.
- **Missing namespaces** - Added Website and Plug namespace handling.
### Search/Unified.php
- **Missing class_exists check** - Added guard.
### Seo/Schema.php, SchemaBuilderService.php, SeoMetadata.php
- **XSS vulnerability** - Added `JSON_HEX_TAG` flag.
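An added example of the `JSON_HEX_TAG` fix (not Core-PHP's `Schema` or `SchemaBuilderService`): JSON-LD is emitted inside a `<script>` element, and the HTML parser ends that element at the first `</script` it sees regardless of JSON string boundaries. `JSON_HEX_TAG` encodes every `<` and `>` as `\u003C` and `\u003E`, which JSON consumers decode normally but the HTML parser never treats as tags. The function names and the sample schema are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Core-PHP's Schema classes. Emits schema.org JSON-LD with
// tag characters hex-escaped. This matters especially when
// JSON_UNESCAPED_SLASHES is used for readable URLs: without that flag
// json_encode() writes "<\/script", which already cannot close the element,
// but with it the literal "</script" would pass through unless JSON_HEX_TAG
// is also set.
function renderJsonLd(array $schema): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR;
    $json = json_encode($schema, $flags);
    return '<script type="application/ld+json">' . $json . '</script>';
}

// Variant kept only for contrast: readable slashes but no tag escaping.
function renderJsonLdUnsafe(array $schema): string
{
    $json = json_encode($schema, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    return '<script type="application/ld+json">' . $json . '</script>';
}

// Passes when the only "</script" in the markup is our own closing tag.
function scriptBlockIntact(string $html): bool
{
    return preg_match_all('/<\/script/i', $html) === 1;
}

// Constructed product schema; the description stands in for a CMS field that
// an editor filled with markup.
$schema = [
    '@context'    => 'https://schema.org',
    '@type'       => 'Product',
    'name'        => 'Widget',
    'description' => 'Fast & "simple" </script><b>not part of the JSON</b>',
    'url'         => 'https://shop.example.test/widget',
];

var_dump(scriptBlockIntact(renderJsonLd($schema)));       // escaped output
var_dump(scriptBlockIntact(renderJsonLdUnsafe($schema))); // unescaped output
echo renderJsonLd($schema), "\n";
```

`scriptBlockIntact()` is the kind of assertion worth keeping in a unit test for any view that inlines JSON into HTML; it catches a regression such as someone dropping `JSON_HEX_TAG` to tidy the output.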
### Storage/CacheResilienceProvider.php
- **Hardcoded phpredis** - Added Predis support with fallback.
---
## High Severity Issues Fixed
### Bouncer (3/3)
- BlocklistService auto-block workflow with pending/approved/rejected status
- TeapotController rate limiting with configurable max attempts
- HoneypotHit configurable severity levels
### Cdn (4/5)
- BunnyStorageService retry logic with exponential backoff
- BunnyStorageService file size validation
- BunnyCdnService API key redaction in errors
- StorageUrlResolver configurable signed URL expiry
- *Remaining: Integration tests*
### Config (4/4)
- ConfigService value type validation
- ConfigResolver max recursion depth
- Cache invalidation strategy documented
### Console (3/3)
- InstallCommand credential masking
- InstallCommand rollback on failure
- Created MakeModCommand, MakePlugCommand, MakeWebsiteCommand
### Crypt (3/3)
- LthnHash multi-key rotation support
- LthnHash MEDIUM_LENGTH and LONG_LENGTH options
- QuasiHash security documentation
### Events (3/3)
- Event prioritization via array syntax
- EventAuditLog for replay/audit logging
- Dead letter queue via recordFailure()
### Front (3/3)
- AdminMenuProvider permission checks
- Menu item caching with configurable TTL
- DynamicMenuProvider interface
### Headers (3/3)
- CSP configurable, unsafe-inline only in dev
- Permissions-Policy header with 19 feature controls
- Environment-specific header configuration
### Input (3/3)
- Schema-based per-field filter rules
- Unicode NFC normalisation
- Audit logging with PSR-3 logger
### Lang (3/3)
- LangServiceProvider auto-discovery
- Fallback locale chain support
- Translation key validation
### Mail (3/3)
- Disposable domain auto-update
- MX lookup caching
- Data retention cleanup command
### Media (4/4)
- Local abstracts to remove Core\Mod\Social dependency
- Memory limit checks before image processing
- HEIC/AVIF format support
### Search (3/3)
- Configurable API endpoints
- Search result caching
- Wildcard DoS protection
### Seo (3/3)
- Schema validation against schema.org
- Sitemap generation (already existed)
### Service (2/2)
- ServiceVersion with semver and deprecation
- HealthCheckable interface and HealthCheckResult
### Storage (3/3)
- RedisFallbackActivated event
- CacheWarmer with registration system
- Configurable exception throwing
---
## Medium Severity Issues Fixed
- Bouncer pagination for large blocklists
- CDN URL building consistency, content-type detection, health check
- Config soft deletes, sensitive value encryption, ConfigProvider interface
- Console progress bar, --dry-run option
- Crypt fast hash with xxHash, benchmark method
- Events PHPDoc annotations, event versioning
- Front icon validation, menu priority constants
- Headers nonce-based CSP, configuration UI
- Input HTML subset for rich text, max length enforcement
- Lang pluralisation rules, ICU message format
- Mail async validation, email normalisation
- Media queued conversions, EXIF stripping, progressive JPEG
- Search scoring tuning, fuzzy search, analytics tracking
- SEO lazy schema loading, OG image validation, canonical conflict detection
- Service dependency declaration, discovery mechanism
- Storage circuit breaker, metrics collection
---
## Low Severity Issues Fixed
- Bouncer unit tests, configuration documentation
- CDN PHPDoc return types, CdnUrlBuilder extraction
- Config import/export, versioning for rollback
- Console autocompletion, colorized output
- Crypt algorithm documentation, constant-time comparison docs
- Events listener profiling, flow diagrams
- Front fluent menu builder, menu grouping
- Headers testing utilities, CSP documentation
- Input filter presets, transformation hooks
- Lang translation coverage reporting, translation memory
- Mail validation caching, disposable domain documentation
- Media progress reporting, lazy thumbnail generation
- Search suggestions/autocomplete, result highlighting
- SEO score trend tracking, structured data testing
- Service registration validation, lifecycle documentation
- Storage hit rate monitoring, multi-tier caching
---
*Review performed by: Claude Opus 4.5 code review agents*
*Implementation: Claude Opus 4.5 fix agents (9 batches)*