processmaker Test/do not merge

trafficstars

DO NOT MERGE THIS IS A TEST

Apr 04 '25 12:04 agustinbusso

@CodiumAI-Agent /review

Apr 04 '25 12:04 agustinbusso

PR Reviewer Guide 🔍

(Review updated until commit https://github.com/ProcessMaker/processmaker/commit/dc70ddeacc9cd929467f7bca315fe0abae292727)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review

Regex Validation

Validate that the regex in hostIsValid properly escapes and matches the determined trusted pattern. It may be beneficial to ensure that edge cases in domain formatting are covered.

protected function hostIsValid(string $host, string $pattern): bool
{
    return preg_match('/' . str_replace('/', '\/', $pattern) . '/', $host) === 1;

Middleware Ordering

Confirm that the reordering of middleware entries, especially the shifted position of file_size_check and the addition of TrustHosts, adheres to the intended request processing order.

 */
protected $middleware = [
    \Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance::class,
    \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
    Middleware\TrimStrings::class,
    \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    Middleware\TrustHosts::class,
    Middleware\TrustProxies::class,
    Middleware\BrowserCache::class,
    ServerTimingMiddleware::class,
    Middleware\FileSizeCheck::class,

Apr 04 '25 12:04 CodiumAI-Agent

Persistent review updated to latest commit https://github.com/ProcessMaker/processmaker/commit/dc70ddeacc9cd929467f7bca315fe0abae292727

Apr 04 '25 12:04 CodiumAI-Agent

@CodiumAI-Agent /describe

Apr 04 '25 13:04 agustinbusso

Title

(Describe updated until commit https://github.com/ProcessMaker/processmaker/commit/dc70ddeacc9cd929467f7bca315fe0abae292727)

Test/do not merge

User description

DO NOT MERGE THIS IS A TEST

PR Type

Enhancement
Tests

Description

Introduce TrustHosts middleware in HTTP kernel.
Enforce trusted X-Forwarded-Host header check.
Add tests for TrustHosts middleware handling.
Update env example to disable AI agents.

Changes walkthrough 📝

Relevant files

Enhancement

Kernel.php `Inject TrustHosts middleware into kernel` ProcessMaker/Http/Kernel.php Insert TrustHosts into global middleware array. Adjust minor formatting for middleware list.	+2/-1
TrustHosts.php `Implement TrustHosts HTTP middleware` ProcessMaker/Http/Middleware/TrustHosts.php Create TrustHosts middleware class. Validate and enforce X-Forwarded-Host header. Log warnings and abort invalid requests.	+39/-0

Tests

TrustHostsTest.php

Add tests for TrustHosts middleware

tests/Feature/Http/Middleware/TrustHostsTest.php

Test valid trusted host handling.

Verify rejection for invalid host.

Confirm behavior when header is missing.

+61/-0

Configuration changes

.env.example

Update environment example configuration

.env.example

Add configuration for AI_ENABLE_AGENTS.

+1/-0

Need help?
Type /help how to ... in the comments thread for any questions about PR-Agent usage.
Check out the documentation for more information.

Apr 04 '25 13:04 CodiumAI-Agent

Persistent review updated to latest commit https://github.com/ProcessMaker/processmaker/commit/dc70ddeacc9cd929467f7bca315fe0abae292727

Apr 04 '25 13:04 agustinbusso

PR Code Suggestions ✨

Category	Suggestion	Impact
Possible issue	Enhance regex escaping Replace the manual slash escaping with preg_quote to securely escape all regex special characters. ProcessMaker/Http/Middleware/TrustHosts.php [37] `-return preg_match('/' . str_replace('/', '\/', $pattern) . '/', $host) === 1; +return preg_match('/' . preg_quote($pattern, '/') . '/', $host) === 1;` Suggestion importance[1-10]: 8 __ Why: Switching from a manual escape using str_replace to preg_quote more reliably escapes all regex special characters, enhancing both security and maintainability.	Medium