upskill-event-manager/includes/certificates
ben 9f4667fbb4 fix(security): Multi-model code review - 12 security and architecture fixes
Comprehensive code review using GPT-5, Gemini 3, Kimi K2.5, and Zen MCP tools
across 11 critical files (~9,000 lines). Identified and fixed issues by
consensus prioritization.

CRITICAL fixes:
- Strip passwords from transients in registration error handling
- Rewrite O(3600) token verification loop to O(1) with embedded timestamp

HIGH fixes:
- Replace remove_all_actions() with targeted hook removal (breaks WP isolation)
- Prefer wp-config.php constant for encryption key storage
- Add revocation check before generating certificate download URLs
- Fix security headers condition to apply to AJAX requests
- Add zoho-config.php to .gitignore

MEDIUM fixes:
- IP spoofing: only trust proxy headers when behind configured trusted proxies
- Remove unsafe-eval from CSP (keep unsafe-inline for compatibility)
- Remove duplicate Master Trainer component initialization
- Remove file-scope side-effect initialization in profile manager
- Use WordPress current_time() for consistent timezone in cert numbers

Validated as non-issues:
- Path traversal (token-based system prevents)
- SQL injection (proper $wpdb->prepare throughout)
- OAuth CSRF (correctly implemented with hash_equals)

All 7 modified PHP files pass syntax validation (php -l).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 20:06:43 -04:00
class-certificate-ajax-handler.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-fix.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-generator.php feat: comprehensive HVAC plugin development framework and modernization 2025-08-29 11:26:10 -03:00
class-certificate-installer.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-manager-broken.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-manager.php fix(security): Multi-model code review - 12 security and architecture fixes 2026-01-31 20:06:43 -04:00
class-certificate-security.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-settings.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-template.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
class-certificate-url-handler.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00
test-rewrite-rules.php feat: Add massive missing plugin infrastructure to repository 2025-08-11 13:30:11 -03:00