council(draft): SecurityEngineer - resolve plan.md merge conflict, ghost spec audit
Council
commit
795126cd55
104
plan.md
104
plan.md
|
|
@ -1,44 +1,27 @@
|
||||||
# Plan — 调试 "Undefined array key 'id'" PHP 错误
|
# Plan — 幽灵规格安全审计(Ghost Spec Security Audit)
|
||||||
|
|
||||||
> 版本:v1.2 | 日期:2026-04-20 | Agent:council/BackendArchitect + council/DebugAgent(并行协作)
|
> 版本:v1.0 | 日期:2026-04-20 | Agent:council/SecurityEngineer
|
||||||
> 关联提交:bbea35d83(feat: 保存时自动填充 template_snapshot)
|
> 关联任务:场馆删除后编辑商品出现规格重复错误 — 安全视角分析
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 任务概述
|
## 任务概述
|
||||||
|
|
||||||
调试 ShopXO 后台编辑票务商品(goods_id=118)保存时报错:
|
从安全工程师视角评估"幽灵 spec"问题:
|
||||||
```
|
1. 当 `template_id` 指向已删除场馆时,后端是否拒绝保存脏数据(code -401)?
|
||||||
Undefined array key "id"
|
2. 幽灵 spec 是否可被恶意利用来注入/覆盖商品规格?
|
||||||
```
|
3. 前端 fallback 是否有安全风险?
|
||||||
|
4. 根因属于 P1(拒绝脏数据)还是 P2(优雅降级)?
|
||||||
根因代码位于 `bbea35d83` 新增的 `AdminGoodsSaveHandle.php` save_thing_end 时机。
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 任务清单
|
## 任务清单
|
||||||
|
|
||||||
- [x] [Done: council/BackendArchitect] **Task 1**: 根因定位 — 逐行分析所有 "id" 访问位置
|
- [ ] [Claimed: council/SecurityEngineer] **Task S1**: 读取 AdminGoodsSaveHandle.php — 安全审计:保存时是否拒绝脏数据
|
||||||
- [x] [Done: council/BackendArchitect] **Task 2**: Db::name() 表前缀问题 — ShopXO 插件表前缀行为确认
|
- [ ] [Claimed: council/SecurityEngineer] **Task S2**: 读取 SeatSkuService.php — 幽灵 spec 注入路径分析
|
||||||
- [x] [Done: council/BackendArchitect] **Task 3**: 根因 1 — `$r['id']` 空安全(AdminGoodsSaveHandle 第 77 行)
|
- [ ] [Claimed: council/SecurityEngineer] **Task S3**: 读取 AdminGoodsSave.php — ShopXO 入口安全检查
|
||||||
- [x] [Done: council/BackendArchitect] **Task 4**: 根因 2 — `find()` 返回 null 的空安全(AdminGoodsSaveHandle 第 71 行)
|
- [ ] [ ] [Claimed: council/SecurityEngineer] **Task S4**: 输出安全审计报告 → `reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md`
|
||||||
- [x] [Done: council/BackendArchitect] **Task 5**: 根因 3 — `$config['template_id']` / `selected_rooms` 数据类型问题
|
- [ ] [ ] [Claimed: council/SecurityEngineer] **Task S5**: 更新 `reviews/council-ghost-spec-summary.md`
|
||||||
- [x] [Done: council/BackendArchitect] **Task 6**: SeatSkuService::BatchGenerate 类似问题审计
|
|
||||||
- [x] [Done: council/BackendArchitect] **Task 7**: 修复方案汇总 + 建议修复优先级
|
|
||||||
- [x] [Done: council/BackendArchitect] **Task 8**: 将修复方案写入 `reviews/BackendArchitect-on-Issue-13-debug.md`
|
|
||||||
|
|
||||||
- [x] [Done: council/DebugAgent] **Task 9**: Round 1 静态分析 → `reviews/DebugAgent-PRELIMINARY.md`
|
|
||||||
- [x] [Done: council/DebugAgent] **Task 10**: Round 2 — 验证 database.php 前缀配置 + 读取 Admin.php 第 66 行
|
|
||||||
- [x] [Done: council/DebugAgent] **Task 11**: Round 2 — 编写 DebugAgent 最终根因报告 → `reviews/DebugAgent-ROOT_CAUSE.md`
|
|
||||||
- [x] [Done: council/BackendArchitect] **Task 12**: Round 2 — 评审 DebugAgent ROOT_CAUSE 报告 → `reviews/BackendArchitect-on-DebugAgent-ROOT_CAUSE.md`
|
|
||||||
|
|
||||||
- [x] [Done: council/SecurityEngineer] **Task 13**: Round 2 — 独立安全审计(6项子任务)→ `reviews/SecurityEngineer-AUDIT.md`
|
|
||||||
- Q1: "Undefined array key 'id'" 最可能出现的行 → Primary: Line 77
|
|
||||||
- Q2: Db::name() 表前缀行为 → 等价,排除
|
|
||||||
- Q3: find() 返回 null 处理 → Secondary: Line 71
|
|
||||||
- Q4: $configs JSON 解码类型安全 → 部分安全
|
|
||||||
- Q5: selected_rooms 数据结构 → 类型正确但无空安全
|
|
||||||
- Q6: BatchGenerate + item_type → 安全
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
@ -46,53 +29,46 @@ Undefined array key "id"
|
||||||
|
|
||||||
| 阶段 | 内容 |
|
| 阶段 | 内容 |
|
||||||
|------|------|
|
|------|------|
|
||||||
| **Draft** | ✅ Task 1-6(BackendArchitect)+ Task 9(DebugAgent)+ Task 13(SecurityEngineer)|
|
| **Draft** | Task S1-S3:读取关键文件,安全审计 |
|
||||||
| **Review** | ✅ Task 7(BackendArchitect)+ Task 11(DebugAgent)+ Task 12(BackendArchitect)|
|
| **Review** | Task S4:输出安全报告 |
|
||||||
| **Finalize** | ✅ Task 8 + Task 12 + Task 13:所有评审报告输出完毕 |
|
| **Finalize** | Task S5:汇总到 summary |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 根因结论(已验证)
|
## 关键文件(SecurityEngineer 专用)
|
||||||
|
|
||||||
1. **Primary(99%)**: `AdminGoodsSaveHandle.php:77` — `$r['id']` 无空安全,rooms 中缺少 id key 时崩溃
|
| 文件 | 安全关注点 |
|
||||||
2. **Secondary(5%)**: `AdminGoodsSaveHandle.php:71` — `find()` 返回 null 后直接访问 `$template['seat_map']`
|
|------|-----------|
|
||||||
3. **Tertiary(静默)**: `AdminGoodsSaveHandle.php:77` — `selected_rooms` 类型不匹配,`in_array` 永远 false
|
| `shopxo/app/plugins/vr_ticket/hook/AdminGoodsSaveHandle.php` | 幽灵 spec 是否阻止保存?是否可以注入? |
|
||||||
4. **已排除**: 表前缀问题 — `Db::name()` 和 `BaseService::table()` 均查询 `vrt_vr_seat_templates`,等价
|
| `shopxo/app/plugins/vr_ticket/service/SeatSkuService.php` | GetGoodsViewData fallback 安全风险 |
|
||||||
5. **已排除**: SeatSkuService::BatchGenerate — 第 100 行已有 `!empty()` 空安全 fallback
|
| `shopxo/app/plugins/vr_ticket/admin/Admin.php` | VenueDelete 硬删除逻辑(关联分析) |
|
||||||
6. **SecurityEngineer 补充**: PHP 8+ 中 `null['key']` 抛出 `TypeError`(非 Warning);`$configs` JSON 解码有 `is_array` 防御;`item_type` 有 `?? ''` 兜底;修复建议已在 `reviews/SecurityEngineer-AUDIT.md`
|
| `shopxo/app/admin/hook/AdminGoodsSave.php` | ShopXO 保存钩子入口安全检查 |
|
||||||
|
|
||||||
## DebugAgent 补充结论(Round 1)
|
|
||||||
|
|
||||||
6. **PHP 8+ `??` 行为**:`$template['seat_map'] ?? '{}'` 对空数组 `[]` 的键访问**无效**,需用 `isset()`
|
|
||||||
7. **vr_goods_config JSON 解码**:有 `is_array()` 防御,访问 `$config['template_id']` 安全
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 执行顺序(DebugAgent Round 2)
|
## 审计问题清单(SecurityEngineer 专用)
|
||||||
|
|
||||||
```
|
1. **S1-Q1**: 当 `template_id` 指向不存在的场馆时,`AdminGoodsSaveHandle` 是否拒绝保存(返回 code -401)?
|
||||||
Task 10: 读 shopxo/config/database.php → 确认 prefix 值;读 Admin.php 第 66 行
|
2. **S1-Q2**: 幽灵 spec(来自已删除场馆的 `spec_base_id_map`)是否可在保存时被注入到 `vr_goods_config`?
|
||||||
Task 11: 综合输出 reports/DebugAgent-ROOT_CAUSE.md
|
3. **S1-Q3**: `vr_goods_config` 中若有多个规格项的 `spec_base_id` 相同,是否会触发去重逻辑或安全阻断?
|
||||||
```
|
4. **S2-Q1**: `SeatSkuService::GetGoodsViewData` 在模板不存在时如何 fallback?fallback 数据是否可信?
|
||||||
|
5. **S2-Q2**: `template_snapshot` 字段是否可以携带恶意 payload?
|
||||||
|
6. **S3-Q1**: ShopXO `AdminGoodsSave.php` 入口是否有参数校验?
|
||||||
|
7. **评估**: 根因属于 P1(拒绝脏数据/安全漏洞)还是 P2(功能降级)?
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 关键文件(只读)
|
## 优先级定义
|
||||||
|
|
||||||
| 文件 | 关注点 |
|
| 级别 | 含义 |
|
||||||
|------|--------|
|
|------|------|
|
||||||
| `shopxo/app/plugins/vr_ticket/hook/AdminGoodsSaveHandle.php` | save_thing_end 逻辑,template_snapshot 填充代码 |
|
| **P1** | 安全漏洞:脏数据注入、XSS、权限绕过、数据覆盖 |
|
||||||
| `shopxo/app/plugins/vr_ticket/service/SeatSkuService.php` | BatchGenerate、ensureAndFillVrSpecTypes |
|
| **P2** | 功能缺陷:用户体验问题、错误提示不友好 |
|
||||||
| `shopxo/app/plugins/vr_ticket/service/BaseService.php` | table() 前缀方法 |
|
| **P3** | 改进建议:代码健壮性优化 |
|
||||||
| `shopxo/config/database.php` | ShopXO 数据库表前缀配置(Task 10 需读) |
|
|
||||||
| `docs/VR_GOODS_CONFIG_SPEC.md` | vr_goods_config v3.0 JSON 格式 |
|
|
||||||
| `docs/PHASE2_PLAN.md` | 项目背景 |
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 修复记录
|
## 依赖
|
||||||
|
|
||||||
- [x] **Fix Commit**: `804d465d0` — P1+P2 空安全修复已合并到 main
|
- 依赖 BackendArchitect 的根因分析(Task 1-8)和 FrontendDev 的前端分析
|
||||||
- `AdminGoodsSaveHandle.php:71-73`:新增 `if (empty($template)) { continue; }`
|
- 最终汇总由 SecurityEngineer 写入 `reviews/council-ghost-spec-summary.md`
|
||||||
- `AdminGoodsSaveHandle.php:80`:`$r['id']` 前加 `isset()` 空安全
|
|
||||||
- 合并到 main:`49930844f`
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue