review · segments
Livewire 4 security review of VOD Manager components
claude 101 events 3 segments main
segment 1 of 3
Security-review Livewire components across seven directories
Enumerated all 10 Livewire component classes in the in-scope directories (Dashboard, Onboarding, Wrapped, Actions, Activity, Auth, Marketing), read each PHP class and its paired Blade view, and cross-referenced the mounting routes in routes/web.php to confirm middleware (e.g. ActivityLog behind can:admin). Checked for missing authorization, IDOR/ownership scoping, unlocked sensitive props, mass assignment, XSS via {!! !!}, sensitive-data exposure, and file-upload validation. Found that most components correctly scope queries to Auth::id()/Auth::user(), lock sensitive props, and escape output.
outcome
All in-scope components read and assessed; most confirmed safe (proper scoping, #[Locked] on sensitive props, {{ }} escaping, static-only {!! !!} copy).
next steps
—
key decisions
- Treat every public property as client-readable and writable and every public method as client-callable unless annotated #[Locked], per the stated Livewire threat model.
- Verify each component's mounting route middleware via grep of routes/web.php rather than assuming route protection.
open questions
—
2 days ago → 2 days ago
segment 2 of 3
Verify Livewire v4 hydration behavior for model/array/scalar props in vendor source
To distinguish real vulnerabilities from false positives, inspected the livewire/livewire v4.1 source: ModelSynth::hydrate() plus Checksum::verify() in HandleComponents.php, ArraySynth, IntSynth, BaseLocked, and the SupportModels/SupportLegacyModels providers. Confirmed model-typed properties are re-hydrated from the checksum-protected key in the prior snapshot (client-supplied value ignored) and that legacy_model_binding (the older swappable EloquentModelSynth) is off since config/livewire.php does not exist. Confirmed plain arrays (ArraySynth) and scalar ints (IntSynth) ARE fully client-replaceable.
outcome
Established that model-typed props (e.g. InitialVodSelector::$account) are NOT swappable, but plain array/scalar public props are fully attacker-controllable, grounding which findings are valid.
next steps
—
key decisions
- Dropped the suspected $account model-swap finding as a false positive because ModelSynth re-hydrates from the checksummed snapshot key and legacy_model_binding is disabled (no config/livewire.php).
- Confirmed plain-array (ArraySynth) and plain-int (IntSynth) properties are the genuinely client-replaceable attack surface.
open questions
—
2 days ago → 2 days ago
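An added illustration (not code from the VOD Manager project or from Livewire itself) of the property-level distinction established in this segment: a plain `int` public property is re-hydrated from the client payload, whereas `#[Locked]` plus an owner-scoped query closes both the swap and the IDOR. `VodSelector`, `App\Models\Vod` and the `user_id` column are assumed names.

```php
<?php
// Added example, not project code. Hypothetical: VodSelector, App\Models\Vod, user_id.
namespace App\Livewire;

use App\Models\Vod;
use Illuminate\Support\Facades\Auth;
use Livewire\Attributes\Locked;
use Livewire\Component;

// Weak form: a plain int public property. Per the threat model above it is
// re-hydrated from the client payload (IntSynth, no checksum), so a later
// request can carry any id, and load() trusts it without owner scoping.
class VodSelectorWeak extends Component
{
    public int $vodId;

    public function mount(int $vodId): void
    {
        $this->vodId = $vodId;
    }

    public function load(): Vod
    {
        return Vod::findOrFail($this->vodId); // any id, any owner
    }
}

// Hardened form: #[Locked] makes a client-side change to $vodId fail the
// request, and every query is scoped to the authenticated user's rows, so even
// a legitimately mounted id cannot be used to reach another user's VOD.
class VodSelector extends Component
{
    #[Locked]
    public int $vodId;

    public function mount(int $vodId): void
    {
        // Ownership is enforced at mount time, not only at use time.
        $this->vodId = Vod::where('user_id', Auth::id())->findOrFail($vodId)->id;
    }

    public function load(): Vod
    {
        return Vod::where('user_id', Auth::id())->findOrFail($this->vodId);
    }

    public function render()
    {
        return view('livewire.vod-selector');
    }
}
```

The hardened class keeps the owner filter in `load()` as well as `mount()` so that the query stays correct even if the lock were ever removed.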
segment 3 of 3
Review Livewire 4 components for security vulnerabilities and finalize findings report
The assistant examined components including InitialVodSelector, TwitchScopePicker, WrappedMonth/Year, and others. It verified that model-typed properties are protected by Livewire's checksum, but found that plain array and plain integer properties are client-replaceable, leading to two confirmed vulnerabilities. The report was output with findings and methodology notes. All other reviewed components are clean.
outcome
Two confirmed security findings reported, all other reviewed components are clean.
next steps
—
key decisions
- Dropped a false positive finding about model-typed account property because it is safe due to Livewire checksum protection.
open questions
—
2 days ago → 2 days ago