core/php-tenant
8
0
Fork 0
Code Issues 43 Pull requests 33 Projects Releases Packages Wiki Activity Actions

fix: validate invitation token format before database lookup

Browse source 
Add route-level regex constraints to all token route parameters,
requiring exactly 64 alphanumeric characters. Malformed tokens
(path traversal attempts, overly long strings, special characters)
now receive a 404 at the routing layer before reaching controllers
or triggering database lookups.

Fixes #43

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude 2026-03-24 13:12:16 +00:00
parent 74b81589c1
commit 1434c7e9d8
No known key found for this signature in database
GPG key ID: AF404715446AEB41
1 changed files with 6 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
Routes/web.php
View file

@ -26,10 +26,12 @@ use Illuminate\Support\Facades\Route;
Route::prefix('account')->name('account.')->group(function () {
Route::get('/delete/{token}', ConfirmDeletion::class)
->name('delete.confirm');
->name('delete.confirm')
->where('token', '[a-zA-Z0-9]{64}');
Route::get('/delete/{token}/cancel', CancelDeletion::class)
->name('delete.cancel');
->name('delete.cancel')
->where('token', '[a-zA-Z0-9]{64}');
});
/*
@ -43,7 +45,8 @@ Route::prefix('account')->name('account.')->group(function () {
*/
Route::get('/workspace/invitation/{token}', WorkspaceInvitationController::class)
->name('workspace.invitation.accept');
->name('workspace.invitation.accept')
->where('token', '[a-zA-Z0-9]{64}');
/*
|--------------------------------------------------------------------------