michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL SECURITY: Disable debug output in production

Browse Source 
- Add production environment configuration
- Force disable performance debug middleware in production
- Add ProductionSecurityMiddleware for route protection
- Update PerformanceServiceInitializer to check environment
- Add deployment script for production
- Update docker-compose with environment variables

This fixes the critical security issue of debug information
being exposed on the production site.
This commit is contained in:
Michael Schiemer
2025-09-12 17:10:42 +02:00
parent 9b74ade5b0
commit 8fe569a3df
11 changed files with 319 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/Framework/Performance/Middleware/PerformanceDebugMiddleware.php
View File

@@ -17,6 +17,8 @@ use App\Framework\Performance\Contracts\PerformanceCollectorInterface;
use App\Framework\Performance\EnhancedPerformanceCollector;
use App\Framework\Performance\PerformanceConfig;
use App\Framework\Performance\PerformanceReporter;
use App\Framework\Config\Environment;
use App\Framework\Config\EnvKey;
#[MiddlewarePriorityAttribute(MiddlewarePriority::LAST)]
final readonly class PerformanceDebugMiddleware implements HttpMiddleware
@@ -24,7 +26,8 @@ final readonly class PerformanceDebugMiddleware implements HttpMiddleware
public function __construct(
private PerformanceCollectorInterface $collector,
private PerformanceConfig $config,
private PerformanceReporter $reporter
private PerformanceReporter $reporter,
private Environment $environment
) {
}
@@ -39,6 +42,16 @@ final readonly class PerformanceDebugMiddleware implements HttpMiddleware
private function handlePerformanceOutput(MiddlewareContext $context, RequestStateManager $stateManager): MiddlewareContext
{
// EMERGENCY SECURITY DISABLE: Force disable debug output immediately
// Until environment loading is fixed, completely disable debug output
return $context;
// SECURITY: Never output debug info in production, regardless of config
$appEnv = $this->environment->get(EnvKey::APP_ENV, 'production');
if ($appEnv === 'production') {
return $context;
}
// Check if performance tracking is enabled
if (! $this->config->enabled) {
return $context;

22
src/Framework/Performance/PerformanceServiceInitializer.php
View File

@@ -4,6 +4,8 @@ declare(strict_types=1);
namespace App\Framework\Performance;
use App\Framework\Config\Environment;
use App\Framework\Config\EnvKey;
use App\Framework\DI\Container;
use App\Framework\DI\Initializer;
use App\Framework\Performance\Contracts\PerformanceCollectorInterface;
@@ -13,7 +15,8 @@ use App\Framework\Performance\Contracts\PerformanceServiceInterface;
final readonly class PerformanceServiceInitializer
{
public function __construct(
private Container $container
private Container $container,
private Environment $environment
) {
}
@@ -23,14 +26,25 @@ final readonly class PerformanceServiceInitializer
// Get the existing collector instance from container (registered in entry points)
$collector = $this->container->get(PerformanceCollectorInterface::class);
// Performance debugging should NEVER be enabled in production
$appEnv = $this->environment->get(EnvKey::APP_ENV, 'production');
$isDebugEnabled = $this->environment->getBool(EnvKey::APP_DEBUG, false);
// Strict check: Only enable in development AND debug mode
// Force disabled in production regardless of debug setting
$performanceEnabled = ($appEnv === 'development') && $isDebugEnabled;
$config = new PerformanceConfig(
enabled: true,
useEnhancedCollector: true,
enabled: $performanceEnabled,
detailedReports: $performanceEnabled, // Session info only in dev
useEnhancedCollector: $performanceEnabled,
includeStackTrace: false, // Never include stack traces
thresholds: [
'slow_query_ms' => 100,
'slow_request_ms' => 1000,
'high_memory_mb' => 50,
]
],
excludedPaths: ['/health', '/metrics', '/api']
);
$reporter = new PerformanceReporter($collector);