vr-shopxo-plugin/plan.md

# Plan — 幽灵规格安全审计（Ghost Spec Security Audit）

> 版本：v1.1 | 日期：2026-04-20 | Agent：council/SecurityEngineer
> 关联任务：场馆删除后编辑商品出现规格重复错误 — 安全视角分析

---

## 任务概述

从安全工程师视角评估"幽灵 spec"问题：
1. 当 `template_id` 指向已删除场馆时，后端是否拒绝保存脏数据（code -401）？
2. 幽灵 spec 是否可被恶意利用来注入/覆盖商品规格？
3. 前端 fallback 是否有安全风险？
4. 根因属于 P1（拒绝脏数据）还是 P2（优雅降级）？

---

## 任务清单

- [x] [Done: council/SecurityEngineer] **Task S1**: 读取 AdminGoodsSaveHandle.php — 安全审计：保存时是否拒绝脏数据
- [x] [Done: council/SecurityEngineer] **Task S2**: 读取 SeatSkuService.php — 幽灵 spec 注入路径分析
- [x] [Done: council/SecurityEngineer] **Task S3**: 读取 AdminGoodsSave.php — ShopXO 入口安全检查
- [x] [Done: council/SecurityEngineer] **Task S4**: 输出安全审计报告 → `reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md`
- [x] [Done: council/SecurityEngineer] **Task S5**: 更新 `reviews/council-ghost-spec-summary.md`

---

## 阶段划分

| 阶段 | 内容 |
|------|------|
| **Draft** | Task S1-S3：读取关键文件，安全审计 |
| **Review** | Task S4：输出安全报告 |
| **Finalize** | Task S5：汇总到 summary |

---

## 关键文件（SecurityEngineer 专用）

| 文件 | 安全关注点 |
|------|-----------|
| `shopxo/app/plugins/vr_ticket/hook/AdminGoodsSaveHandle.php` | 幽灵 spec 是否阻止保存？是否可以注入？ |
| `shopxo/app/plugins/vr_ticket/service/SeatSkuService.php` | GetGoodsViewData fallback 安全风险 |
| `shopxo/app/plugins/vr_ticket/admin/Admin.php` | VenueDelete 硬删除逻辑（关联分析） |
| `shopxo/app/admin/hook/AdminGoodsSave.php` | ShopXO 保存钩子入口安全检查 |

---

## 审计问题清单（SecurityEngineer 专用）

1. **S1-Q1**: 当 `template_id` 指向不存在的场馆时，`AdminGoodsSaveHandle` 是否拒绝保存（返回 code -401）？
2. **S1-Q2**: 幽灵 spec（来自已删除场馆的 `spec_base_id_map`）是否可在保存时被注入到 `vr_goods_config`？
3. **S1-Q3**: `vr_goods_config` 中若有多个规格项的 `spec_base_id` 相同，是否会触发去重逻辑或安全阻断？
4. **S2-Q1**: `SeatSkuService::GetGoodsViewData` 在模板不存在时如何 fallback？fallback 数据是否可信？
5. **S2-Q2**: `template_snapshot` 字段是否可以携带恶意 payload？
6. **S3-Q1**: ShopXO `AdminGoodsSave.php` 入口是否有参数校验？
7. **评估**: 根因属于 P1（拒绝脏数据/安全漏洞）还是 P2（功能降级）？

---

## 优先级定义

| 级别 | 含义 |
|------|------|
| **P1** | 安全漏洞：脏数据注入、XSS、权限绕过、数据覆盖 |
| **P2** | 功能缺陷：用户体验问题、错误提示不友好 |
| **P3** | 改进建议：代码健壮性优化 |

---

## 依赖

- 依赖 BackendArchitect 的根因分析（Task 1-8）和 FrontendDev 的前端分析
- 最终汇总由 SecurityEngineer 写入 `reviews/council-ghost-spec-summary.md`

---

## 输出报告

- `reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md` — 详细安全审计报告
- `reviews/council-ghost-spec-summary.md` — 三方汇总报告
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								# Plan — 幽灵规格安全审计（Ghost Spec Security Audit）
-												council(draft): SecurityEngineer - create plan.md with Phase 2 security research directions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 05:53:39 +00:00
-												council(review): SecurityEngineer - ghost spec security audit + summary

Security audit findings:
- 0 P1 vulnerabilities found
- 3 P2 issues: error messages, DB auto-modification, sold seats detection
- 1 P3 issue: field size limit

Reports:
- reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md
- reviews/council-ghost-spec-summary.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 11:06:29 +00:00
+								> 版本：v1.1 | 日期：2026-04-20 | Agent：council/SecurityEngineer
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								> 关联任务：场馆删除后编辑商品出现规格重复错误 — 安全视角分析
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
 								---
 								## 任务概述
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								从安全工程师视角评估"幽灵 spec"问题：
 . 当 `template_id` 指向已删除场馆时，后端是否拒绝保存脏数据（code -401）？
 . 幽灵 spec 是否可被恶意利用来注入/覆盖商品规格？
 . 前端 fallback 是否有安全风险？
 . 根因属于 P1（拒绝脏数据）还是 P2（优雅降级）？
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
 								---
-												council(draft): Architect - 文档评估计划（Round 1）

评审三份文档：
- docs/14_TEMPLATE_RENDER_INVESTIGATION.md
- docs/PHASE2_PLAN.md
- docs/DEVELOPMENT_LOG.md（第十一、十二章）

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-19 21:25:54 +00:00
+								## 任务清单
-												council(draft): DebugAgent - plan.md: debug "Undefined array key id" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:46:20 +00:00
-												council(review): SecurityEngineer - ghost spec security audit + summary

Security audit findings:
- 0 P1 vulnerabilities found
- 3 P2 issues: error messages, DB auto-modification, sold seats detection
- 1 P3 issue: field size limit

Reports:
- reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md
- reviews/council-ghost-spec-summary.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 11:06:29 +00:00
+								- [x] [Done: council/SecurityEngineer] **Task S1**: 读取 AdminGoodsSaveHandle.php — 安全审计：保存时是否拒绝脏数据
 								- [x] [Done: council/SecurityEngineer] **Task S2**: 读取 SeatSkuService.php — 幽灵 spec 注入路径分析
 								- [x] [Done: council/SecurityEngineer] **Task S3**: 读取 AdminGoodsSave.php — ShopXO 入口安全检查
 								- [x] [Done: council/SecurityEngineer] **Task S4**: 输出安全审计报告 → `reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md`
 								- [x] [Done: council/SecurityEngineer] **Task S5**: 更新 `reviews/council-ghost-spec-summary.md`
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): DebugAgent - plan.md: debug "Undefined array key id" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:46:20 +00:00
+								---
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(plan): FrontendDev - Phase 2 bugfix plan: routing + encoding issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-16 00:11:57 +00:00
+								## 阶段划分
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): Architect - 文档评估计划（Round 1）

评审三份文档：
- docs/14_TEMPLATE_RENDER_INVESTIGATION.md
- docs/PHASE2_PLAN.md
- docs/DEVELOPMENT_LOG.md（第十一、十二章）

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-19 21:25:54 +00:00
+								| 阶段 | 内容 |
 								|------|------|
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								| **Draft** | Task S1-S3：读取关键文件，安全审计 |
 								| **Review** | Task S4：输出安全报告 |
 								| **Finalize** | Task S5：汇总到 summary |
-												fix(P0): vr_ticket Base - inherit ShopXO Common for full auth chain

- Change plugin Base from standalone to extend Common
- Call IsLogin() + IsPower() + FormTableInit() explicitly (avoids
  full ViewInit which is unnecessary for API/admin controllers)
- Documents permission node format: plugins_vr_ticket-{controller}-{action}
- Fixes R1 P0: bypassed auth chain (only LoginInfo, missing IsPower)
- Also fixes all child controllers since they call parent::__construct()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 06:00:20 +00:00
-												council(plan): FrontendDev - Phase 2 bugfix plan: routing + encoding issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-16 00:11:57 +00:00
+								---
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								## 关键文件（SecurityEngineer 专用）
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								| 文件 | 安全关注点 |
 								|------|-----------|
 								| `shopxo/app/plugins/vr_ticket/hook/AdminGoodsSaveHandle.php` | 幽灵 spec 是否阻止保存？是否可以注入？ |
 								| `shopxo/app/plugins/vr_ticket/service/SeatSkuService.php` | GetGoodsViewData fallback 安全风险 |
 								| `shopxo/app/plugins/vr_ticket/admin/Admin.php` | VenueDelete 硬删除逻辑（关联分析） |
 								| `shopxo/app/admin/hook/AdminGoodsSave.php` | ShopXO 保存钩子入口安全检查 |
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
 								---
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								## 审计问题清单（SecurityEngineer 专用）
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+. **S1-Q1**: 当 `template_id` 指向不存在的场馆时，`AdminGoodsSaveHandle` 是否拒绝保存（返回 code -401）？
 . **S1-Q2**: 幽灵 spec（来自已删除场馆的 `spec_base_id_map`）是否可在保存时被注入到 `vr_goods_config`？
 . **S1-Q3**: `vr_goods_config` 中若有多个规格项的 `spec_base_id` 相同，是否会触发去重逻辑或安全阻断？
 . **S2-Q1**: `SeatSkuService::GetGoodsViewData` 在模板不存在时如何 fallback？fallback 数据是否可信？
 . **S2-Q2**: `template_snapshot` 字段是否可以携带恶意 payload？
 . **S3-Q1**: ShopXO `AdminGoodsSave.php` 入口是否有参数校验？
 . **评估**: 根因属于 P1（拒绝脏数据/安全漏洞）还是 P2（功能降级）？
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
 								---
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								## 优先级定义
-												council(draft): DebugAgent - plan.md: debug "Undefined array key id" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:46:20 +00:00
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								| 级别 | 含义 |
 								|------|------|
 								| **P1** | 安全漏洞：脏数据注入、XSS、权限绕过、数据覆盖 |
 								| **P2** | 功能缺陷：用户体验问题、错误提示不友好 |
 								| **P3** | 改进建议：代码健壮性优化 |
-												Merge branch 'main' into council/SecurityEngineer

# Conflicts:
#	plan.md

											
										
										
											2026-04-20 01:59:21 +00:00
 								---
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
+								## 依赖
 								- 依赖 BackendArchitect 的根因分析（Task 1-8）和 FrontendDev 的前端分析
 								- 最终汇总由 SecurityEngineer 写入 `reviews/council-ghost-spec-summary.md`
-												council(review): SecurityEngineer - ghost spec security audit + summary

Security audit findings:
- 0 P1 vulnerabilities found
- 3 P2 issues: error messages, DB auto-modification, sold seats detection
- 1 P3 issue: field size limit

Reports:
- reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md
- reviews/council-ghost-spec-summary.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 11:06:29 +00:00
 								---
 								## 输出报告
 								- `reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md` — 详细安全审计报告
 								- `reviews/council-ghost-spec-summary.md` — 三方汇总报告