zorun
commented
8 months ago @TomRoussel FYI, if you are interested to review. There were two security issues:
- changing state with a GET, this is a bad idea in general. You could easily create an URL with a fake settlement and make somebody click on it to trick them into creating a wrong bill. This PR adresses that.
- insufficient validation of payer and payee, allowing to create a bill involving members of another project. This is caused by a weakness in the Ihatemoney data model, same as https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9, and must be prevented with appropriate validation (and unit tests).
Tests are failing on purpose because I added a test for this second issue. I'm not yet sure how to fix it, I would prefer if we reuse existing checks (they are done in get_billform_for()). Reusing the Bill form would be best, but we can't do that directly, we need hidden fields. Maybe we could use a custom form but reuse the existing bill creation endpoint. If we don't find anything good, we can just duplicate the validation rules but I don't like it.
You should not feel bad about it, we're quite happy to finally have this feature thanks to your dedication. Let's fix this together :)
TomRoussel
This is necessary to avoid XSS. State-changing actions should never be done with a GET.