Verify HIGH/CRITICAL findings in Livewire security review for VOD Manager
claude · 39 events · 1 segment · main
Verify HIGH/CRITICAL security findings by reading source code
The assistant read the Livewire v4.2.4 ModelSynth and Checksum source and confirmed that model-typed properties are restored from HMAC-checksummed snapshot metadata, which debunks the Admin finder's claim that a tampered update payload could swap the bound model. It read the admin routes and confirmed that `can:admin` is persistent middleware, so the "VodList has zero authorization" finding was dismissed. It verified that the `feature:` middleware is not persistent and that the affected components do not re-check feature gates themselves, confirming bypassable tier gates (Medium). It read StorageProfileForm and its validator and confirmed SSRF through an unrestricted `endpoint_url` (High). It checked the recovery-codes Blade view and PurgeAccountBucketsJob for credential exposure. It then produced a final report with one High, two Medium and one Low finding plus several hardening notes.
outcome
Final security report produced with one HIGH (SSRF), two MEDIUM (plaintext credentials in queue, feature gate bypass), one LOW (recovery codes in DOM), and several hardening observations.
next steps
- Remediate H-1 (SSRF) by restricting `endpoint_url`: validate the URL host against an allowlist or block private/reserved address ranges, and back that with an egress firewall blocklist
- Encrypt the payload of PurgeAccountBucketsJob by implementing ShouldBeEncrypted, so credentials are not stored in plaintext in the queue
- Re-check the feature gate in the mount and action methods of StreamAnalytics and StreamHighlights instead of relying on the non-persistent route middleware
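The following is an added example, not code from VOD Manager or from the session: a Laravel validation rule that turns the H-1 remediation into a concrete check for `endpoint_url`. It assumes a Laravel 10+ `ValidationRule` contract; the class name `PublicHttpEndpoint`, the allowed-scheme list and the error messages are illustrative choices.

```php
<?php
// Added example (not VOD Manager's code). Rejects endpoint_url values whose
// host resolves to a private, loopback, link-local or reserved address, so
// `url|max:255` is no longer the only thing standing between a user-supplied
// URL and the internal network. Class name and messages are assumptions.

namespace App\Rules;

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;

final class PublicHttpEndpoint implements ValidationRule
{
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        if (!is_string($value) || ($parts = parse_url($value)) === false) {
            $fail("The {$attribute} must be a valid URL.");
            return;
        }

        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            $fail("The {$attribute} must use http or https.");
            return;
        }

        // Userinfo in the authority (https://trusted.example@10.0.0.1/) is a
        // classic parser-confusion trick; refuse it outright.
        if (isset($parts['user']) || isset($parts['pass'])) {
            $fail("The {$attribute} must not contain credentials.");
            return;
        }

        $host = strtolower(trim($parts['host'] ?? '', '[]'));
        if ($host === '' || $host === 'localhost' || str_ends_with($host, '.localhost')) {
            $fail("The {$attribute} must not point at localhost.");
            return;
        }

        // Every address the host resolves to must be public; a single A record
        // pointing at 169.254.169.254 would otherwise be enough.
        $addresses = self::resolve($host);
        if ($addresses === []) {
            $fail("The {$attribute} host could not be resolved.");
            return;
        }
        foreach ($addresses as $ip) {
            if (!self::isPublic($ip)) {
                $fail("The {$attribute} must not point at a private or reserved address.");
                return;
            }
        }
    }

    /** @return list<string> A literal IP resolves to itself. */
    private static function resolve(string $host): array
    {
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            return [$host];
        }
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
            $ips[] = $record['ip'] ?? $record['ipv6'] ?? null;
        }
        return array_values(array_filter($ips));
    }

    private static function isPublic(string $ip): bool
    {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
        // NO_RES_RANGE: 0/8, 127/8, 169.254/16 (link-local and the cloud
        // metadata address), 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
        return filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        ) !== false;
    }
}
```

Attach it alongside the existing rules, for example `'endpoint_url' => ['required', 'url', 'max:255', new PublicHttpEndpoint]`. Two caveats: the built-in filter flags do not cover 100.64.0.0/10 (CGNAT), so add that range if it matters in the deployment, and resolving at validation time does not stop DNS rebinding between validation and the actual request. That is why the next step above pairs host validation with an egress firewall blocklist; pinning the resolved IP when the storage client connects is the other option.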
key decisions
- Model-typed properties (`public User $user`) cannot be tampered with, despite the earlier finder claims, because ModelSynth hydrates the model from checksum-protected snapshot metadata rather than from the update payload.
- The `can:admin` middleware is persistent (Authorize class), so Livewire update requests re-run the gate check; the zero-authz finding is therefore not exploitable.
- The `feature:` middleware is not persistent, and StreamAnalytics and StreamHighlights do not re-check the feature gate in mount or in their actions, so a downgraded user with an already-open tab can keep using the feature for a narrow window.
- Validating `endpoint_url` as `url|max:255` is insufficient to prevent SSRF; validation must additionally block private and reserved address ranges or restrict the allowed hosts.
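The following is an added example of the feature-gate re-check described in the third decision above; it is not VOD Manager's code. It assumes a hypothetical `App\Services\FeatureGate` service with an `allows(User $user, string $feature): bool` method; the component shape, property and feature name are illustrative. The point is that the check runs on the initial render (`mount`) and again on every subsequent Livewire request (`hydrate`), which is exactly what the non-persistent route middleware does not do.

```php
<?php
// Added example (not VOD Manager's code). Re-checks the feature gate inside
// the component so a user downgraded after opening the page is cut off on the
// next request. FeatureGate and the feature name are assumptions.

namespace App\Livewire;

use App\Services\FeatureGate; // assumed service, see lead-in
use Illuminate\Support\Facades\Auth;
use Livewire\Component;

class StreamAnalytics extends Component
{
    private const FEATURE = 'stream-analytics'; // illustrative name

    public int $rangeDays = 7;

    // Initial page load: the `feature:` route middleware already ran here,
    // but checking again costs nothing and keeps the rule in one place.
    public function mount(): void
    {
        $this->authorizeFeature();
    }

    // Livewire runs hydrate() on every subsequent request (property updates
    // and actions) before the action executes, so this closes the open-tab
    // window that the non-persistent route middleware leaves open.
    public function hydrate(): void
    {
        $this->authorizeFeature();
    }

    public function setRange(int $days): void
    {
        $this->authorizeFeature(); // explicit, in case hydrate() is ever removed
        $this->rangeDays = max(1, min($days, 90));
    }

    public function render()
    {
        return view('livewire.stream-analytics');
    }

    private function authorizeFeature(): void
    {
        $user = Auth::user();
        abort_unless(
            $user !== null && app(FeatureGate::class)->allows($user, self::FEATURE),
            403
        );
    }
}
```

The alternative is to make the existing `feature:` middleware persistent by registering it with `Livewire::addPersistentMiddleware([...])`, which tells Livewire to re-apply it on update requests the way it already does for `can:admin`; either fix is acceptable, but the in-component check also protects components that are mounted from pages without that middleware.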
open questions
—