review · segments

Livewire 4 security review of VOD Manager components

claude · 101 events · 3 segments · main

segment 1 of 3

Security-review Livewire components across seven directories

Done

Enumerated all 10 Livewire component classes in the in-scope directories (Dashboard, Onboarding, Wrapped, Actions, Activity, Auth, Marketing), read each PHP class and its paired Blade view, and cross-referenced the mounting routes in routes/web.php to confirm middleware (e.g. ActivityLog behind can:admin). Checked for missing authorization, IDOR/ownership scoping, unlocked sensitive props, mass assignment, XSS via {!! !!}, sensitive-data exposure, and file-upload validation. Found that most components correctly scope queries to Auth::id()/Auth::user(), lock sensitive props, and escape output.

outcome

All in-scope components read and assessed; most confirmed safe (proper scoping, #[Locked] on sensitive props, {{ }} escaping, static-only {!! !!} copy).

next steps

key decisions

  • Treat every public property as client-readable and client-writable unless annotated #[Locked], and every public method as client-callable, per the stated Livewire threat model.
  • Verify each component's mounting route middleware via grep of routes/web.php rather than assuming route protection.

open questions

2 days ago

segment 2 of 3

Verify Livewire v4 hydration behavior for model/array/scalar props in vendor source

Done

To distinguish real vulnerabilities from false positives, inspected the livewire/livewire v4.1 source: ModelSynth::hydrate() plus Checksum::verify() in HandleComponents.php, ArraySynth, IntSynth, BaseLocked, and the SupportModels/SupportLegacyModels providers. Confirmed that model-typed properties are re-hydrated from the checksum-protected key in the prior snapshot (the client-supplied value is ignored) and that legacy_model_binding (the older, swappable EloquentModelSynth) is off because config/livewire.php does not exist. Confirmed that plain arrays (ArraySynth) and scalar ints (IntSynth) ARE fully client-replaceable.

outcome

Established that model-typed props (e.g. InitialVodSelector::$account) are NOT swappable, but plain array/scalar public props are fully attacker-controllable, grounding which findings are valid.

next steps

key decisions

  • Dropped the suspected $account model-swap finding as a false positive because ModelSynth re-hydrates from the checksummed snapshot key and legacy_model_binding is disabled (no config/livewire.php).
  • Confirmed plain-array (ArraySynth) and plain-int (IntSynth) properties are the genuinely client-replaceable attack surface.
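As an added illustration of the threat model applied above (not code from VOD Manager or from Livewire itself), a hypothetical Livewire 4 component showing a client-replaceable int/array property beside its locked, ownership-scoped form; the Account and Vod models, their user_id/account_id columns, and the view name are assumptions.

```php
<?php
// Added example, not VOD Manager code. Hypothetical component demonstrating
// why plain int/array public props need #[Locked] plus server-side scoping.

namespace App\Livewire;

use App\Models\Account;   // assumed: has a user_id column
use App\Models\Vod;       // assumed: has an account_id column
use Illuminate\Support\Facades\Auth;
use Livewire\Attributes\Locked;
use Livewire\Component;

class VodPicker extends Component
{
    // WEAK: a plain int is hydrated by IntSynth from whatever the client sends,
    // so a tampered payload can point this at someone else's account.
    // public int $accountId;

    // FIXED: #[Locked] makes Livewire reject a client-modified value. The
    // queries below still scope by ownership, so the property is never the
    // sole authorization check.
    #[Locked]
    public int $accountId;

    // Plain arrays (ArraySynth) are client-controlled too: never treat one as
    // an allow-list of ids the user may act on unless it is locked and derived
    // server-side.
    #[Locked]
    public array $selectableVodIds = [];

    public function mount(Account $account): void
    {
        // Route-model binding resolves server-side; still assert ownership.
        abort_unless($account->user_id === Auth::id(), 403);
        $this->accountId = $account->id;
        $this->selectableVodIds = Vod::where('account_id', $account->id)->pluck('id')->all();
    }

    public function select(int $vodId): void
    {
        // Public methods are client-callable with attacker-chosen arguments:
        // re-check ownership on every action instead of trusting $vodId.
        $vod = Vod::where('id', $vodId)
            ->where('account_id', $this->accountId)
            ->whereHas('account', fn ($q) => $q->where('user_id', Auth::id()))
            ->firstOrFail();
        // ... act on $vod
    }

    public function render()
    {
        return view('livewire.vod-picker', [
            'vods' => Vod::whereIn('id', $this->selectableVodIds)->get(),
        ]);
    }
}
```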

open questions

2 days ago

segment 3 of 3

Review Livewire 4 components for security vulnerabilities and finalize findings report

Done

The assistant examined components including InitialVodSelector, TwitchScopePicker, WrappedMonth/WrappedYear, and others. It verified that model-typed properties are protected by Livewire's checksum, but found that plain array and plain integer properties are client-replaceable, leading to two confirmed vulnerabilities. The report was output with findings and methodology notes. All other reviewed components are clean.

outcome

Two confirmed security findings reported, all other reviewed components are clean.

next steps

key decisions

  • Dropped a false-positive finding about the model-typed $account property, which is safe because of Livewire's checksum protection.

open questions

2 days ago