council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit
Council
parent
63c1608442
commit
98dfbbd943
121
plan.md
121
plan.md
|
|
@ -1,44 +1,27 @@
|
|||
# Plan — 调试 "Undefined array key 'id'" PHP 错误
|
||||
# Plan — 幽灵规格安全审计(Ghost Spec Security Audit)
|
||||
|
||||
> 版本:v1.3 | 日期:2026-04-20 | Agent:council/BackendArchitect + council/DebugAgent + council/SecurityEngineer(并行协作)
|
||||
> 关联提交:bbea35d83(feat: 保存时自动填充 template_snapshot)
|
||||
> 版本:v1.0 | 日期:2026-04-20 | Agent:council/SecurityEngineer
|
||||
> 关联任务:场馆删除后编辑商品出现规格重复错误 — 安全视角分析
|
||||
|
||||
---
|
||||
|
||||
## 任务概述
|
||||
|
||||
调试 ShopXO 后台编辑票务商品(goods_id=118)保存时报错:
|
||||
```
|
||||
Undefined array key "id"
|
||||
```
|
||||
|
||||
根因代码位于 `bbea35d83` 新增的 `AdminGoodsSaveHandle.php` save_thing_end 时机。
|
||||
从安全工程师视角评估"幽灵 spec"问题:
|
||||
1. 当 `template_id` 指向已删除场馆时,后端是否拒绝保存脏数据(code -401)?
|
||||
2. 幽灵 spec 是否可被恶意利用来注入/覆盖商品规格?
|
||||
3. 前端 fallback 是否有安全风险?
|
||||
4. 根因属于 P1(拒绝脏数据)还是 P2(优雅降级)?
|
||||
|
||||
---
|
||||
|
||||
## 任务清单
|
||||
|
||||
- [x] [Done: council/BackendArchitect] **Task 1**: 根因定位 — 逐行分析所有 "id" 访问位置
|
||||
- [x] [Done: council/BackendArchitect] **Task 2**: Db::name() 表前缀问题 — ShopXO 插件表前缀行为确认
|
||||
- [x] [Done: council/BackendArchitect] **Task 3**: 根因 1 — `$r['id']` 空安全(AdminGoodsSaveHandle 第 77 行)
|
||||
- [x] [Done: council/BackendArchitect] **Task 4**: 根因 2 — `find()` 返回 null 的空安全(AdminGoodsSaveHandle 第 71 行)
|
||||
- [x] [Done: council/BackendArchitect] **Task 5**: 根因 3 — `$config['template_id']` / `selected_rooms` 数据类型问题
|
||||
- [x] [Done: council/BackendArchitect] **Task 6**: SeatSkuService::BatchGenerate 类似问题审计
|
||||
- [x] [Done: council/BackendArchitect] **Task 7**: 修复方案汇总 + 建议修复优先级
|
||||
- [x] [Done: council/BackendArchitect] **Task 8**: 将修复方案写入 `reviews/BackendArchitect-on-Issue-13-debug.md`
|
||||
|
||||
- [x] [Done: council/DebugAgent] **Task 9**: Round 1 静态分析 → `reviews/DebugAgent-PRELIMINARY.md`
|
||||
- [x] [Done: council/DebugAgent] **Task 10**: Round 2 — 验证 database.php 前缀配置 + 读取 Admin.php 第 66 行
|
||||
- [x] [Done: council/DebugAgent] **Task 11**: Round 2 — 编写 DebugAgent 最终根因报告 → `reviews/DebugAgent-ROOT_CAUSE.md`
|
||||
- [x] [Done: council/BackendArchitect] **Task 12**: Round 2 — 评审 DebugAgent ROOT_CAUSE 报告 → `reviews/BackendArchitect-on-DebugAgent-ROOT_CAUSE.md`
|
||||
|
||||
- [x] [Done: council/SecurityEngineer] **Task 13**: Round 2 — 独立安全审计(6项子任务)→ `reviews/SecurityEngineer-AUDIT.md`
|
||||
- Q1: "Undefined array key 'id'" 最可能出现的行 → Primary: Line 77
|
||||
- Q2: Db::name() 表前缀行为 → 等价,排除
|
||||
- Q3: find() 返回 null 处理 → Secondary: Line 71
|
||||
- Q4: $configs JSON 解码类型安全 → 部分安全
|
||||
- Q5: selected_rooms 数据结构 → 类型正确但无空安全
|
||||
- Q6: BatchGenerate + item_type → 安全
|
||||
- [ ] [Claimed: council/SecurityEngineer] **Task S1**: 读取 AdminGoodsSaveHandle.php — 安全审计:保存时是否拒绝脏数据
|
||||
- [ ] [Claimed: council/SecurityEngineer] **Task S2**: 读取 SeatSkuService.php — 幽灵 spec 注入路径分析
|
||||
- [ ] [Claimed: council/SecurityEngineer] **Task S3**: 读取 AdminGoodsSave.php — ShopXO 入口安全检查
|
||||
- [ ] [ ] [Claimed: council/SecurityEngineer] **Task S4**: 输出安全审计报告 → `reviews/SecurityEngineer-GHOST_SPEC_SECURITY.md`
|
||||
- [ ] [ ] [Claimed: council/SecurityEngineer] **Task S5**: 更新 `reviews/council-ghost-spec-summary.md`
|
||||
|
||||
---
|
||||
|
||||
|
|
@ -46,70 +29,46 @@ Undefined array key "id"
|
|||
|
||||
| 阶段 | 内容 |
|
||||
|------|------|
|
||||
| **Draft** | ✅ Task 1-6(BackendArchitect)+ Task 9(DebugAgent)+ Task 13(SecurityEngineer)|
|
||||
| **Review** | ✅ Task 7(BackendArchitect)+ Task 11(DebugAgent)+ Task 12(BackendArchitect)|
|
||||
| **Finalize** | ✅ Task 8 + Task 12 + Task 13:所有评审报告输出完毕 |
|
||||
| **Draft** | Task S1-S3:读取关键文件,安全审计 |
|
||||
| **Review** | Task S4:输出安全报告 |
|
||||
| **Finalize** | Task S5:汇总到 summary |
|
||||
|
||||
---
|
||||
|
||||
## 根因结论(已验证)
|
||||
## 关键文件(SecurityEngineer 专用)
|
||||
|
||||
1. **Primary(99%)**: `AdminGoodsSaveHandle.php:77` — `$r['id']` 无空安全,rooms 中缺少 id key 时崩溃
|
||||
2. **Secondary(5%)**: `AdminGoodsSaveHandle.php:71` — `find()` 返回 null 后直接访问 `$template['seat_map']`
|
||||
3. **Tertiary(静默)**: `AdminGoodsSaveHandle.php:77` — `selected_rooms` 类型不匹配,`in_array` 永远 false
|
||||
4. **已排除**: 表前缀问题 — `Db::name()` 和 `BaseService::table()` 均查询 `vrt_vr_seat_templates`,等价
|
||||
5. **已排除**: SeatSkuService::BatchGenerate — 第 100 行已有 `!empty()` 空安全 fallback
|
||||
6. **SecurityEngineer 补充**: PHP 8+ 中 `null['key']` 抛出 `TypeError`(非 Warning);`$configs` JSON 解码有 `is_array` 防御;`item_type` 有 `?? ''` 兜底;修复建议已在 `reviews/SecurityEngineer-AUDIT.md`
|
||||
|
||||
## DebugAgent 补充结论(Round 1)
|
||||
|
||||
7. **PHP 8+ `??` 行为**:`$template['seat_map'] ?? '{}'` 对空数组 `[]` 的键访问**无效**,需用 `isset()`
|
||||
8. **vr_goods_config JSON 解码**:有 `is_array()` 防御,访问 `$config['template_id']` 安全
|
||||
| 文件 | 安全关注点 |
|
||||
|------|-----------|
|
||||
| `shopxo/app/plugins/vr_ticket/hook/AdminGoodsSaveHandle.php` | 幽灵 spec 是否阻止保存?是否可以注入? |
|
||||
| `shopxo/app/plugins/vr_ticket/service/SeatSkuService.php` | GetGoodsViewData fallback 安全风险 |
|
||||
| `shopxo/app/plugins/vr_ticket/admin/Admin.php` | VenueDelete 硬删除逻辑(关联分析) |
|
||||
| `shopxo/app/admin/hook/AdminGoodsSave.php` | ShopXO 保存钩子入口安全检查 |
|
||||
|
||||
---
|
||||
|
||||
## 执行顺序(DebugAgent Round 2)
|
||||
## 审计问题清单(SecurityEngineer 专用)
|
||||
|
||||
```
|
||||
Task 10: 读 shopxo/config/database.php → 确认 prefix 值;读 Admin.php 第 66 行
|
||||
Task 11: 综合输出 reports/DebugAgent-ROOT_CAUSE.md
|
||||
```
|
||||
1. **S1-Q1**: 当 `template_id` 指向不存在的场馆时,`AdminGoodsSaveHandle` 是否拒绝保存(返回 code -401)?
|
||||
2. **S1-Q2**: 幽灵 spec(来自已删除场馆的 `spec_base_id_map`)是否可在保存时被注入到 `vr_goods_config`?
|
||||
3. **S1-Q3**: `vr_goods_config` 中若有多个规格项的 `spec_base_id` 相同,是否会触发去重逻辑或安全阻断?
|
||||
4. **S2-Q1**: `SeatSkuService::GetGoodsViewData` 在模板不存在时如何 fallback?fallback 数据是否可信?
|
||||
5. **S2-Q2**: `template_snapshot` 字段是否可以携带恶意 payload?
|
||||
6. **S3-Q1**: ShopXO `AdminGoodsSave.php` 入口是否有参数校验?
|
||||
7. **评估**: 根因属于 P1(拒绝脏数据/安全漏洞)还是 P2(功能降级)?
|
||||
|
||||
---
|
||||
|
||||
## 关键文件(只读)
|
||||
## 优先级定义
|
||||
|
||||
| 文件 | 关注点 |
|
||||
|------|--------|
|
||||
| `shopxo/app/plugins/vr_ticket/hook/AdminGoodsSaveHandle.php` | save_thing_end 逻辑,template_snapshot 填充代码 |
|
||||
| `shopxo/app/plugins/vr_ticket/service/SeatSkuService.php` | BatchGenerate、ensureAndFillVrSpecTypes |
|
||||
| `shopxo/app/plugins/vr_ticket/service/BaseService.php` | table() 前缀方法 |
|
||||
| `shopxo/config/database.php` | ShopXO 数据库表前缀配置(Task 10 需读) |
|
||||
| `docs/VR_GOODS_CONFIG_SPEC.md` | vr_goods_config v3.0 JSON 格式 |
|
||||
| 级别 | 含义 |
|
||||
|------|------|
|
||||
| **P1** | 安全漏洞:脏数据注入、XSS、权限绕过、数据覆盖 |
|
||||
| **P2** | 功能缺陷:用户体验问题、错误提示不友好 |
|
||||
| **P3** | 改进建议:代码健壮性优化 |
|
||||
|
||||
---
|
||||
|
||||
## 修复方案(供参考)
|
||||
## 依赖
|
||||
|
||||
### P0 修复(一行改动)
|
||||
|
||||
```php
|
||||
// AdminGoodsSaveHandle.php:77(修复后)
|
||||
$selectedRoomIds = array_column(
|
||||
array_filter($allRooms, function ($r) use ($config) {
|
||||
return !empty($r['id']) && in_array($r['id'], $config['selected_rooms'] ?? []);
|
||||
}), null
|
||||
);
|
||||
```
|
||||
|
||||
### P1 修复(添加模板存在性检查)
|
||||
|
||||
```php
|
||||
// AdminGoodsSaveHandle.php:69-71(修复后)
|
||||
if ($templateId > 0) {
|
||||
$template = Db::name('vr_seat_templates')->find($templateId);
|
||||
if (empty($template)) {
|
||||
continue;
|
||||
}
|
||||
$seatMap = json_decode($template['seat_map'] ?? '{}', true);
|
||||
```
|
||||
- 依赖 BackendArchitect 的根因分析(Task 1-8)和 FrontendDev 的前端分析
|
||||
- 最终汇总由 SecurityEngineer 写入 `reviews/council-ghost-spec-summary.md`
|
||||
|
|
|
|||
Loading…
Reference in New Issue