core/php-framework
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
php-framework/changelog/2026/jan/code-review.md

5.4 KiB
Raw Blame History

Core-PHP Code Review - January 2026

Comprehensive Opus-level code review of all Core/* modules.

Summary

Severity Count Status
Critical 15 All Fixed
High 52 51 Fixed
Medium 38 All Fixed
Low 32 All Fixed

Critical Issues Fixed

Bouncer/BlocklistService.php

  • Missing table existence check - Added cached tableExists() check.

Cdn/Services/StorageUrlResolver.php

  • Weak token hashing - Changed to HMAC-SHA256.

Config/ConfigService.php

  • SQL injection via LIKE wildcards - Added wildcard escaping.

Console/Boot.php

  • References non-existent commands - Commented out missing commands.

Console/Commands/InstallCommand.php

  • Regex injection - Added preg_quote().

Input/Sanitiser.php

  • Nested arrays become null - Implemented recursive filtering.

Mail/EmailShieldStat.php

  • Race condition - Changed to atomic insertOrIgnore() + increment().

ModuleScanner.php

  • Duplicate code - Removed duplicate.
  • Missing namespaces - Added Website and Plug namespace handling.

Search/Unified.php

  • Missing class_exists check - Added guard.

Seo/Schema.php, SchemaBuilderService.php, SeoMetadata.php

  • XSS vulnerability - Added JSON_HEX_TAG flag.

Storage/CacheResilienceProvider.php

  • Hardcoded phpredis - Added Predis support with fallback.

High Severity Issues Fixed

Bouncer (3/3)

  • BlocklistService auto-block workflow with pending/approved/rejected status
  • TeapotController rate limiting with configurable max attempts
  • HoneypotHit configurable severity levels

Cdn (4/5)

  • BunnyStorageService retry logic with exponential backoff
  • BunnyStorageService file size validation
  • BunnyCdnService API key redaction in errors
  • StorageUrlResolver configurable signed URL expiry
  • Remaining: Integration tests

Config (4/4)

  • ConfigService value type validation
  • ConfigResolver max recursion depth
  • Cache invalidation strategy documented

Console (3/3)

  • InstallCommand credential masking
  • InstallCommand rollback on failure
  • Created MakeModCommand, MakePlugCommand, MakeWebsiteCommand

Crypt (3/3)

  • LthnHash multi-key rotation support
  • LthnHash MEDIUM_LENGTH and LONG_LENGTH options
  • QuasiHash security documentation

Events (3/3)

  • Event prioritization via array syntax
  • EventAuditLog for replay/audit logging
  • Dead letter queue via recordFailure()

Front (3/3)

  • AdminMenuProvider permission checks
  • Menu item caching with configurable TTL
  • DynamicMenuProvider interface

Headers (3/3)

  • CSP configurable, unsafe-inline only in dev
  • Permissions-Policy header with 19 feature controls
  • Environment-specific header configuration

Input (3/3)

  • Schema-based per-field filter rules
  • Unicode NFC normalisation
  • Audit logging with PSR-3 logger

Lang (3/3)

  • LangServiceProvider auto-discovery
  • Fallback locale chain support
  • Translation key validation

Mail (3/3)

  • Disposable domain auto-update
  • MX lookup caching
  • Data retention cleanup command

Media (4/4)

  • Local abstracts to remove Core\Mod\Social dependency
  • Memory limit checks before image processing
  • HEIC/AVIF format support

Search (3/3)

  • Configurable API endpoints
  • Search result caching
  • Wildcard DoS protection

Seo (3/3)

  • Schema validation against schema.org
  • Sitemap generation (already existed)

Service (2/2)

  • ServiceVersion with semver and deprecation
  • HealthCheckable interface and HealthCheckResult

Storage (3/3)

  • RedisFallbackActivated event
  • CacheWarmer with registration system
  • Configurable exception throwing

Medium Severity Issues Fixed

  • Bouncer pagination for large blocklists
  • CDN URL building consistency, content-type detection, health check
  • Config soft deletes, sensitive value encryption, ConfigProvider interface
  • Console progress bar, --dry-run option
  • Crypt fast hash with xxHash, benchmark method
  • Events PHPDoc annotations, event versioning
  • Front icon validation, menu priority constants
  • Headers nonce-based CSP, configuration UI
  • Input HTML subset for rich text, max length enforcement
  • Lang pluralisation rules, ICU message format
  • Mail async validation, email normalisation
  • Media queued conversions, EXIF stripping, progressive JPEG
  • Search scoring tuning, fuzzy search, analytics tracking
  • SEO lazy schema loading, OG image validation, canonical conflict detection
  • Service dependency declaration, discovery mechanism
  • Storage circuit breaker, metrics collection

Low Severity Issues Fixed

  • Bouncer unit tests, configuration documentation
  • CDN PHPDoc return types, CdnUrlBuilder extraction
  • Config import/export, versioning for rollback
  • Console autocompletion, colorized output
  • Crypt algorithm documentation, constant-time comparison docs
  • Events listener profiling, flow diagrams
  • Front fluent menu builder, menu grouping
  • Headers testing utilities, CSP documentation
  • Input filter presets, transformation hooks
  • Lang translation coverage reporting, translation memory
  • Mail validation caching, disposable domain documentation
  • Media progress reporting, lazy thumbnail generation
  • Search suggestions/autocomplete, result highlighting
  • SEO score trend tracking, structured data testing
  • Service registration validation, lifecycle documentation
  • Storage hit rate monitoring, multi-tier caching

Review performed by: Claude Opus 4.5 code review agents Implementation: Claude Opus 4.5 fix agents (9 batches)