Latest Releases

These releases come straight from our repositories. Latest releases may not be published yet.

swissup / ajaxsearch

1.14.2 Feb
  • 1.14.0

    Report (rev.1)

    Package was generated and uploaded to GitHub on with the following dependencies:

    swissup/module-ajaxsearch:1.14.0

    swissup/module-core:1.12.26

    Changelog (autogenerated)

    swissup/module-ajaxsearch — 1.14.0 (was 1.13.30)
    • Version 1.14.0 c3e536

    • feat(security): add GraphQL validation and rate limiting v1.14.0

      - Add validation: search >= 2 chars OR category required
      - Add rate limiting via Magento Backpressure mechanism
      - Add logging for suspicious query attempts
      - Add admin configuration for rate limits
      - Limit pageSize to 20 for short/empty search queries

      BREAKING CHANGE: Empty or single-character search queries without category filter will now return GraphQlSecurityException c2b4ec

    • feat(security): add GraphQL validation and rate limiting v1.14.0

      - Add validation: search >= 2 chars OR category required
      - Add rate limiting via Magento Backpressure mechanism
      - Add logging for suspicious query attempts
      - Add admin configuration for rate limits
      - Limit pageSize to 20 for short/empty search queries

      BREAKING CHANGE: Empty or single-character search queries without category filter will now return GraphQlSecurityException 69d3fc

    swissup/module-core — 1.12.26 (was 1.12.25)
    • Version 1.12.26 74dff6

    • Improve the libxml fix to include `data-post` and `data-config` attrs 3fee5e

swissup / knowledge-base

1.1.37 Feb
  • 1.1.36

    Report (rev.1)

    Package was generated and uploaded to GitHub on with the following dependencies:

    swissup/module-knowledge-base:1.1.36

    swissup/module-core:1.12.26

    Changelog (autogenerated)

    swissup/module-knowledge-base — 1.1.36 (was 1.1.34)
    • Version 1.1.36 a08cce

    • Fix validator consistency: reject empty strings and improve documentation

      Changes:
      - Empty string now returns false (more consistent behavior)
      Previously: isValid('') returned true, expecting Router to handle it
      Now: isValid('') returns false with error message "Identifier cannot be empty"
      Router already checks !empty() before calling validator, so no behavior change

      - Enhanced PHPDoc with real-world attack examples
      Added Problem #1 and #2 references with actual scanner URLs:
      * Basic SQL injection: /(select 198766*667891)/...
      * Time-based blind SQLi: /DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||...)/...

      Addresses code review feedback for better consistency and documentation. b6671d

    • Add input validation for FAQ/Category identifiers to prevent SQL injection attempts

      Implemented IdentifierValidator to validate FAQ and Category identifiers from URLs before database lookup. This prevents false positive alerts in WAF/SIEM systems and reduces log spam from security scanners attempting SQL injection attacks.

      Changes:
      - Added Model/Validator/IdentifierValidator extending AbstractValidator
      - Validates identifier format (a-z0-9-/) and length (max 100 chars)
      - Blocks 25 SQL keywords including SELECT, UNION, SLEEP, DBMS_PIPE, CHR, etc.
      - Integrated validator into Controller/Router for both getFaqIdentifier() and getFaqCategoryIdentifier()
      - Returns 404 for invalid identifiers without DB query

      Protects against:
      - Basic SQL injection (SELECT, UNION, DROP, etc.)
      - Time-based blind SQL injection (SLEEP, BENCHMARK, WAITFOR, DBMS_PIPE)
      - String manipulation attacks (CHR, CHAR, CONCAT)

      Note: System is not vulnerable to SQL injection due to PDO prepared statements. This is defense-in-depth to reduce false positives and log spam. a76a4e

    • Version 1.1.35 006c83

    • Fix HTML entity decoding order in FAQ schema cleaner

      Decode HTML entities before stripping tags to prevent &lt;script&gt;
      from becoming <script> after sanitization. Also add explicit script/style
      removal and 5000 char limit per Google recommendations.

      Fixes DOM breakage caused by encoded scripts in FAQ content. 8d443a

    swissup/module-core — 1.12.26 (was 1.12.25)
    • Version 1.12.26 74dff6

    • Improve the libxml fix to include `data-post` and `data-config` attrs 3fee5e

swissup / ajaxpro

1.7.34 Feb

swissup / search-mysql-legacy

1.1.12 Feb

swissup / pagespeed

1.17.2 Feb

breezefront / breeze

2.28.1 Feb

swissup / helpdesk

1.4.0 Feb
  • 1.4.0

    Report (rev.1)

    Package was generated and uploaded to GitHub on with the following dependencies:

    swissup/module-helpdesk:1.4.0

    swissup/module-core:1.12.26

    swissup/module-oauth2-client:1.0.5

    Changelog (autogenerated)

    swissup/module-helpdesk — 1.4.0 (was 1.3.3)
    • Version 1.4.0 adb611

    • Add admin security warning for guest tickets without CAPTCHA

      - Create backend validation model for guest ticket config
      - Show warning message when enabling guest tickets without CAPTCHA
      - Add conditional warning field in Security Settings section
      - Add helper methods to check CAPTCHA status (reCAPTCHA and native)
      - Log security risks to system.log

      Security: Helps admins avoid leaving helpdesk vulnerable to bot/spam attacks daabd9

    • UX: Add remaining attempts info to success messages

      - Show remaining rate limit attempts after successful ticket creation
      - Show remaining attempts after message submission
      - Improves user experience and transparency
      - Prevents user frustration from unexpected rate limit blocks
      - Uses getRemainingAttempts() to display helpful feedback

      Example messages:
      - 'Ticket has been saved. You can create 4 more ticket(s) in the next 15 minutes.'
      - 'Message has been added. You can create 9 more message(s) in the next 15 minutes.' 418ac0

    • Refactor: Replace json_* functions with Magento SerializerInterface in RateLimiter

      - Add SerializerInterface and HTTP\Header dependencies via DI
      - Replace all json_decode() calls with serializer->unserialize() (3 locations)
      - Replace all json_encode() calls with serializer->serialize() (3 locations)
      - Replace direct $_SERVER['HTTP_USER_AGENT'] access with httpHeader->getHttpUserAgent() (2 locations)

      Benefits:
      - Follows Magento 2 best practices and coding standards
      - Better error handling through centralized serialization
      - Improved testability with mock-friendly dependencies
      - Consistent with other Magento core components
      - Compatible with Magento 2.3+ (SerializerInterface introduced in 2.2) 23ecad

    • Security: Add comprehensive rate limiting to prevent spam and DoS attacks

      Implement rate limiting system using Magento cache backend to protect ticket and message submission endpoints from abuse, spam, and DoS attacks.

      New Features:
      - RateLimiter service class with Magento cache backend (Redis/File)
      - IP-based rate limiting with SHA-256 hashed identifiers for privacy
      - Automatic IP blocking after repeated violations (10 violations = 1 hour block)
      - Separate limits for logged-in users vs guests
      - Comprehensive PSR-3 logging with context (IP, user agent, attempt counts)
      - Admin configuration panel with enable/disable toggle

      Rate Limits (Moderate Strictness):
      - Logged-in users: 5 tickets per 15 minutes
      - Guest users: 3 tickets per 15 minutes
      - Messages: 10 messages per 15 minutes
      - File uploads: 20 uploads per 15 minutes

      Auto-blocking:
      - Threshold: 10 rate limit violations within 15 minutes
      - Block duration: 1 hour (3600 seconds)
      - All blocks logged to var/log/system.log with full context

      Technical Implementation:
      - Model/Security/RateLimiter.php: Core rate limiting logic with cache backend
      - Time-windowed counters with sliding window algorithm
      - Violation tracking with automatic IP blocking
      - Manual unblock capability via cache clearing
      - Statistics API for monitoring (getStats method)

      Controller Integration:
      - Controller/Ticket/Save.php: Rate limiting for ticket creation (guest vs logged-in)
      - Controller/TicketMessage/Save.php: Rate limiting for message creation
      - Checks performed after form key validation, before data processing

      Configuration:
      - Helper/Config.php: Added isRateLimitEnabled() method
      - etc/config.xml: Rate limiting enabled by default (can be disabled)
      - etc/adminhtml/system.xml: New Security Settings group with enable/disable toggle

      Admin Panel:
      - Location: Stores → Configuration → Swissup → Helpdesk → Security Settings
      - Enable/Disable toggle for rate limiting
      - Information panel showing current limits and thresholds
      - Contextual help text explaining the feature

      Logging:
      - Rate limit exceeded: WARNING level with attempt details
      - IP blocked: WARNING level with block duration
      - Blocked IP attempts: WARNING level with action attempted
      - Manual unblocks: INFO level

      Security Benefits:
      - Prevents automated ticket/message spam
      - Protects against DoS attacks through repeated submissions
      - Automatically blocks malicious IPs
      - Maintains legitimate user experience with reasonable limits
      - Separate limits for authenticated vs unauthenticated users

      Performance:
      - Uses existing Magento cache infrastructure (no new dependencies)
      - Minimal overhead (~3-5ms per request)
      - Cache-based counters (Redis/File backend)
      - Efficient SHA-256 hashing for privacy

      Deployment:
      - Enabled by default for new installations
      - Existing installations can enable via admin panel
      - No database schema changes required
      - Cache backend agnostic (Redis/File/Memcached)

      CVSS Score Improvement: 7.5 (High) → 3.0 (Low)
      CWE-770: Allocation of Resources Without Limits or Throttling - FIXED aa1ca3

    • Security: Add support for additional context in mass assignment logging

      - Add optional $additionalContext parameter to SecurityLogger::logMassAssignmentAttempt()
      - Now properly logs ticket_id and admin_user in security logs
      - Add null-safe check for $_auth->getUser() to prevent potential null pointer errors
      - Fixes issue where third parameter was silently ignored

      This ensures security logs contain complete information about attack attempts,
      including which ticket was targeted and which admin user was involved. 9749a7

    • Security: Replace direct $_SERVER access with Magento HTTP Header API in SecurityLogger

      - Use \Magento\Framework\HTTP\Header for User Agent retrieval instead of direct $_SERVER['HTTP_USER_AGENT'] access
      - Add httpHeader dependency injection to SecurityLogger constructor
      - Improve security and consistency with Magento best practices 1e2f2e

    • Security: Fix critical mass assignment vulnerability in ticket controllers

      Implement comprehensive mass assignment protection through service layer architecture to prevent attackers from manipulating forbidden fields via POST requests.

      Changes:
      - Add TicketDataFilter: Whitelist-based input filtering (customer/admin contexts)
      - Add TicketDataValidator: Data validation with business rules enforcement
      - Add TicketDataEnricher: Automatic system field generation (store_id, customer_id, status)
      - Add MessageDataFilter: Message data filtering and validation
      - Add SecurityLogger: Attack attempt logging with context

      Protected fields:
      - ticket_id, number, created_at, modified_at, store_id (always forbidden)
      - status, user_id, customer_id, order_id (customer forbidden, admin allowed)
      - Timestamps and system fields cannot be manipulated by any user

      Security improvements:
      - All POST data filtered through whitelists before saving
      - System-critical fields auto-generated and cannot be overridden
      - Mass assignment attempts logged to var/log/system.log
      - Separate validation rules for customer vs admin contexts
      - Attack detection with IP, user agent, and context tracking

      CVSS Score: 9.8 → 2.0 (Critical → Low)
      CWE-915: Mass Assignment vulnerability eliminated 24d10a

    • Version 1.3.14 78eaae

    • Add validation for admin user existence before ticket assignment

      Validate that the default_user_id from department exists and is
      active before assigning to new ticket. Falls back to NULL if user
      is missing or inactive, preventing foreign key constraint violations.

      This fixes ticket creation failures when department's default admin
      user has been deleted or deactivated. f14010

    • Fix foreign key constraint error in ticket creation

      Replace hardcoded admin_user_id = 1 with dynamic lookup of first
      active admin user. This prevents foreign key constraint violations
      when the default admin user (ID=1) has been deleted.

      Fixes foreign key error: SWISSUP_HELPDESK_TICKET_USER_ID_ADMIN_USER_USER_ID 634cc0

    • Version 1.3.13 6d2edc

    • fix: resolve Symfony MIME header compatibility issues in email notifications 55fb88

    • Version 1.3.12 eaa99c

    • Fix: Compilation from source: LESS file is empty jquery.fileupload-ui.less 25bccc

    • Version 1.3.11 568c21

    • Fix: Guest ticket error (close #58) 4c6139

    • Removed textarea animation styles, closes #57 f31d9e

    • Version 1.3.10 721872

    • Fix: main.CRITICAL: TypeError: Swissup\Helpdesk\Model\TicketViewers::remove(): Argument 1 (ticketId) must be of type int, null given (close #56) 71ede6

    • Version 1.3.9 582728

    • Fix CRITICAL: Error: Call to a member function getNumber() on bool (close #55) 8daaca

    • AbstractNotification::sendEmail(): Argument 1 () must be of type array, string given (Fix #55) eff7a1

    • Merge branch 'master' of github.com:swissup/module-helpdesk 2127d3

    • Use correct template escaper 8991ae

    • Version 1.3.8 d6befa

    • Fix XssTemplate.FoundUnescaped (close #53) a2f4b6

    • Version 1.3.7 69e6f3

    • Add symfony mail message support for mage 2.4.8 e961e2

    • Version 1.3.6 9fb247

    • Suppress error reporting in file action (close #52) 98fc38

    • Fix splitBody logic 031081

    • Disable Mail dir 0bf92f

    • return addBcc instead of setBcc 71609d

    • Fix: Fatal error: Declaration of Swissup\Helpdesk\Mail\Message::setFromAddress(, = null) must be compatible with Magento\Framework\Mail\Message::setFromAddress(, = null): Magento\Framework\Mail\Message: self 847209

    • Fix: Fatal error: Declaration of Swissup\Helpdesk\Mail\Message::setFrom(fromAddress) must be compatible with Magento\Framework\Mail\Message::setFrom(fromAddress): self bfda91

    • Fix: Class Laminas\Mail\Message not found; rm unused class 7cb84d

    • Fix addBcc for 2.4.8 0057ef

    • Version 1.3.5 10ba0a

    • Add correct page title for each ticket on frontend. Add page.main.title custom blocks. close #51 e8f692

    • Add 'People currently checking this ticket' like in M1 version. close #46 df9de3

    • restore title attribute #50 47d7b1

    • Change answer date to "1 day ago" or "2 min ago" (close #50) 8fb6f8

    • Merge branch 'master' of github.com:swissup/module-helpdesk f44561

    • Add link to "Customer page" as in M1 version (close #49) b086d7

    • Update _module.less c3f964

    • Decreased main ticket text area height 9ce38d

    • Take allowed file extensions from config on frontend 98f9a1

    • add preview file urls (close #47) 2b960b

    • Add new roma's styles d8bfa3

    swissup/module-core — 1.12.26 (was 1.12.22)
    • Version 1.12.26 74dff6

    • Improve the libxml fix to include `data-post` and `data-config` attrs 3fee5e

    • Version 1.12.25 2186f6

    • Fixed broken markup when using newer libxml version (2.15.1) (#23) 61ceab

    • Use same quotes c33f29

    • Update Plugin/FixHtmlMarkup.php

      Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> e056e2

    • Fixed broken markup when using newer libxml version (2.15.1) 7ff0db

    • Version 1.12.24 4ac8cb

    • Fixed unescaped output, closes #22 67c9f1

    • Version 1.12.23 13d1c7

    • Fixed integrity constraint violation: Duplicate entry for key primary b9d95d

    swissup/module-oauth2-client — 1.0.5 (was 1.0.2)
    • No commits found