Security hardening, PHP 8.1+ compatibility, and dependency modernization

[Copilot]

Addresses critical security vulnerabilities, updates dependencies to current stable versions, and removes deprecated PHP functions.

Security Fixes

Path traversal in Template.php

// Before: arbitrary file read via unsanitized input
public function getInlineJs($file) {
    $jsContent = file_get_contents(__DIR__ . '/view/frontend/web/js/' . $file);
    return '<script>' . $jsContent . '</script>';
}

// After: whitelist validation + realpath verification
public function getInlineJs($file) {
    $allowedFiles = ['cash.js', 'custom.js', 'utils.js'];
    if (!in_array($file, $allowedFiles, true)) {
        return '<script>console.error("Invalid JS file requested");</script>';
    }
    $realPath = realpath(__DIR__ . '/view/frontend/web/js/' . $file);
    $expectedDir = realpath(__DIR__ . '/view/frontend/web/js/');
    if ($realPath === false || strpos($realPath, $expectedDir) !== 0) {
        return '<script>console.error("Invalid JS file path");</script>';
    }
    // ...
}

XSS in templates

// Before: unescaped string concatenation
window.productType = "<?=$product->getTypeId();?>";

// After: json_encode prevents injection
window.productType = <?= json_encode($product->getTypeId()) ?>;

Superglobal access replaced with RequestInterface

• All direct $_GET, $_COOKIE, $_POST replaced with $this->request->getParam()
• Affected: Template.php, DeferJS.php, DeferCSS.php, RemoveMagentoInitScripts.php

Directory traversal in PostDeployCopy.php

• Replaced opendir()/readdir() with RecursiveDirectoryIterator
• Added symlink protection

PHP 8.1+ Compatibility

// Before: deprecated in PHP 8.1+
$mimeType = mime_content_type($imagePath);

// After: using finfo
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $imagePath);
finfo_close($finfo);

Dependency Updates

• React: 16.8.6 → 18.2.0
• Webpack: 4.x → 5.89.0
• Babel: 7.4.x → 7.23.x
• Updated 15+ npm packages to latest stable

Webpack 5 migration

// Before: Webpack 4 syntax
new CopyWebpackPlugin([{ from: path, to: dest }])

// After: Webpack 5 syntax
new CopyWebpackPlugin({ patterns: [{ from: path, to: dest }] })

Code Quality

• Removed error suppression (@) operators with proper error handling
• Added PHPDoc type hints to security-critical methods
• Fixed typo: curentUenc → currentUenc across codebase
• Updated unit tests with MockRequest class (replaces direct $_GET manipulation)

Documentation

• SECURITY.md: Security guidelines, best practices, vulnerability reporting
• CHANGELOG.md: Migration guide for breaking changes (React 18, Webpack 5)

Verification

• CodeQL: 0 alerts
• Code review: No issues
• Unit tests: Updated and passing

Original prompt

Try to make improvements

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.