Security fixes: FormFlash traversal, salt leak, user-overwrite hardening

- GHSA-hmcx-ch82-3fv2 (high, unauth): FormFlash::__construct now sanitizes
  session_id/unique_id through a strict allowlist before they reach any
  filesystem path; invalid values blank out and disable flash for the
  request, blocking the __form-flash-id arbitrary-directory-create attack.

- GHSA-3f29-pqwf-v4j4 (medium): the HMAC key used for CSRF nonce signing
  and admin rate-limit hashing has moved out of Config into a new
  Security::getNonceKey() backed by user/config/security-private.php (a
  .php file, blocked by the default user/*.php htaccess rule and returning
  empty on direct exec). Existing sites are migrated transparently on
  first call — the value is preserved, then scrubbed from the live Config
  and the on-disk security.yaml so sandboxed Twig can no longer leak it
  via grav.config.get('security.salt'). Auto-gen of security.salt removed
  from Setup.php; system/config/security.yaml placeholder dropped.

- GHSA-rr73-568v-28f8 (high): tightened the new-user uniqueness guard in
  UserObject::save. strpos(...,'@@') replaced with str_contains (the old
  form was falsy when the marker sat at position 0, silently bypassing
  the check) and the instanceof FileStorage gate dropped so the check
  runs for every FlexStorageInterface backend.

- GHSA-58hj-46fw-rcfm: verified covered by the new Twig sandbox
  (UserCollection::load/save/set are not in the allowlist); regression
  test pinned in TwigSandboxTest.

Three new test files covering the FormFlash, nonce-key, and user-overwrite
fixes; .gitignore updated to keep the per-environment private key file
and its tmp sibling out of version control. Full unit suite: 629 tests,
2417 assertions.

Author: rhukster

.gitignore

@@ -26,6 +26,8 @@ user/plugins/*
 user/themes/*
 !user/themes/.*
 user/**/config/security.yaml
+user/**/config/security-private.php
+user/**/config/security-private.php.tmp
 
 # Environments
 .env

CHANGELOG.md

@@ -9,6 +9,10 @@
     * Smarter dangerous-Twig filter — fixes false positives like `{{ page.header.user.mail }}` getting blocked because they happened to contain a dangerous function name.
     * Soft-fail on sandbox violations — the rest of the page still renders, visitors see a small placeholder, admins see a pointer to the log entry.
     * Escape hatch — the sandbox can be disabled from the admin UI (or YAML) if a site genuinely needs the old, unrestricted behaviour.
+1. [](#bugfix)
+    * [security] Fixed unauthenticated path traversal in `FormFlash` (GHSA-hmcx-ch82-3fv2): `session_id` and `unique_id` now pass through a strict allowlist before being used to build on-disk paths, preventing arbitrary directory creation via the `__form-flash-id` parameter.
+    * [security] Fixed salt disclosure via sandboxed Twig (GHSA-3f29-pqwf-v4j4): the HMAC key used for CSRF nonces and admin rate-limit hashing has moved out of Config into `user/config/security-private.php` (blocked from web access by the default `user/*.php` htaccess rule), so `{{ grav.config.get('security.salt') }}` no longer leaks it. Existing sites are migrated automatically on first request — existing nonces and sessions survive the upgrade.
+    * [security] Hardened the new-user uniqueness guard in `UserObject::save` (GHSA-rr73-568v-28f8): `strpos(..., '@@')` replaced with `str_contains` (the old form was falsy when the transient-key marker was at position 0, silently bypassing the check) and the check now runs for every `FlexStorageInterface` backend rather than only `FileStorage`. A low-privileged user with `admin.users.create` can no longer disrupt a super-admin account by submitting the admin's username through the "add user" form.
 
 # v2.0.0-beta.1
 ## 04/16/2026

system/config/security.yaml

@@ -298,4 +298,7 @@ twig_sandbox:
     # Wildcard on stdClass for {{ page.header.<any_yaml_key> }}
     - class: 'stdClass'
       methods: '*'
-salt: SbmgUJQ62MqNc0
+# NOTE: `salt:` was removed in v2.0.0-beta.2 (GHSA-3f29-pqwf-v4j4). The equivalent
+# HMAC key is now stored in `user/config/security-private.php`, outside the Config
+# tree, so sandboxed Twig cannot read it via `grav.config.get(...)`. On upgrade,
+# any legacy `salt:` in `user/config/security.yaml` is migrated automatically.

system/src/Grav/Common/Config/Setup.php

@@ -12,7 +12,6 @@
 use BadMethodCallException;
 use Grav\Common\File\CompiledYamlFile;
 use Grav\Common\Data\Data;
-use Grav\Common\Utils;
 use InvalidArgumentException;
 use Pimple\Container;
 use Psr\Http\Message\ServerRequestInterface;
@@ -407,21 +406,9 @@ protected function check(UniformResourceLocator $locator)
                 $this->initializeLocator($locator);
             }
 
-            // Create security.yaml salt if it doesn't exist into existing configuration environment if possible.
-            $securityFile = Utils::basename(static::$securityFile);
-            $securityFolder = substr(static::$securityFile, 0, -\strlen($securityFile));
-            $securityFolder = $locator->findResource($securityFolder, true) ?: $locator->findResource($securityFolder, true, true);
-            $filename = "{$securityFolder}/{$securityFile}";
-
-            $security_file = CompiledYamlFile::instance($filename);
-            $security_content = (array)$security_file->content();
-
-            if (!isset($security_content['salt'])) {
-                $security_content = array_merge($security_content, ['salt' => Utils::generateRandomString(14)]);
-                $security_file->content($security_content);
-                $security_file->save();
-                $security_file->free();
-            }
+            // Legacy `security.salt` auto-gen was removed in v2.0 (GHSA-3f29-pqwf-v4j4);
+            // Security::getNonceKey() now manages the equivalent value in a private
+            // PHP file outside the Config tree so sandboxed Twig cannot read it.
         } catch (RuntimeException $e) {
             throw new RuntimeException(sprintf('Grav failed to initialize: %s', $e->getMessage()), 500, $e);
         }

system/src/Grav/Common/Flex/Types/Users/UserObject.php

@@ -37,7 +37,6 @@
 use Grav\Framework\Filesystem\Filesystem;
 use Grav\Framework\Flex\Flex;
 use Grav\Framework\Flex\FlexDirectory;
-use Grav\Framework\Flex\Storage\FileStorage;
 use Grav\Framework\Flex\Traits\FlexMediaTrait;
 use Grav\Framework\Flex\Traits\FlexRelationshipsTrait;
 use Grav\Framework\Form\FormFlashFile;
@@ -599,20 +598,24 @@ public function save()
     {
         // TODO: We may want to handle this in the storage layer in the future.
         $key = $this->getStorageKey();
-        $isNewUser = !$key || strpos($key, '@@');
+        // `@@` is Flex's marker for an in-memory (not-yet-persisted) storage key.
+        // `str_contains` is the correct predicate here — `strpos` returns 0 when
+        // the marker is at position 0 (e.g. `@@hash`), which is falsy and would
+        // have skipped the uniqueness check below.
+        $isNewUser = $key === '' || str_contains($key, '@@');
 
         if ($isNewUser) {
-            $storage = $this->getFlexDirectory()->getStorage();
-            if ($storage instanceof FileStorage) {
-                $newKey = $this->getKey();
-
-                // Check if a user with this username already exists (prevent overwriting)
-                if ($storage->hasKey($newKey)) {
-                    throw new RuntimeException('User account with this username already exists');
-                }
+            $newKey = $this->getKey();
 
-                $this->setStorageKey($newKey);
+            // Prevent overwriting an existing account when a low-privileged user
+            // creates a new user with an already-taken username (GHSA-rr73-568v-28f8).
+            // Applies to every storage implementation, not just FileStorage.
+            $storage = $this->getFlexDirectory()->getStorage();
+            if ($storage->hasKey($newKey)) {
+                throw new RuntimeException('User account with this username already exists');
             }
+
+            $this->setStorageKey($newKey);
         }
 
         $password = $this->getProperty('password') ?? $this->getProperty('password1');

system/src/Grav/Common/Security.php

@@ -15,6 +15,9 @@
 use Grav\Common\Page\Pages;
 use Grav\Common\Twig\Sandbox\GravSecurityPolicy;
 use Rhukster\DomSanitizer\DOMSanitizer;
+use RocketTheme\Toolbox\File\YamlFile;
+use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
+use RuntimeException;
 use Twig\Sandbox\SecurityPolicyInterface;
 use function chr;
 use function count;
@@ -808,4 +811,95 @@ private static function splitMethodNames($methods, bool $lowercase = true): arra
         }
         return $clean;
     }
+
+    /** @var string|null in-process cache for the nonce key */
+    private static ?string $nonceKey = null;
+
+    /**
+     * Per-site HMAC key used for CSRF nonce signing, admin rate-limit key hashing,
+     * and (when configured) session-name derivation. Backed by a local PHP file
+     * outside the Config tree, so sandboxed Twig cannot reach it via
+     * `grav.config.get('security.salt')` or `Config::toArray()` (GHSA-3f29-pqwf-v4j4).
+     *
+     * Migration: if the legacy `security.salt` key is present in the loaded Config
+     * (i.e. from an older install's `user/config/security.yaml`), its value is
+     * copied into the private file on first call and scrubbed from both the live
+     * Config and the on-disk YAML. Existing CSRF nonces and sessions survive the
+     * upgrade because the key value is preserved.
+     *
+     * To rotate the key manually, delete `user/config/security-private.php`; the
+     * next request generates a fresh 64-char random value. Rotation invalidates
+     * in-flight CSRF nonces and — if `system.session.uniqueness` is set to
+     * `security` — existing sessions.
+     */
+    public static function getNonceKey(): string
+    {
+        if (self::$nonceKey !== null) {
+            return self::$nonceKey;
+        }
+
+        $grav = Grav::instance();
+        /** @var UniformResourceLocator $locator */
+        $locator = $grav['locator'];
+        $configFolder = $locator->findResource('config://', true) ?: $locator->findResource('config://', true, true);
+        $privateFile = "{$configFolder}/security-private.php";
+
+        if (is_file($privateFile)) {
+            $value = @include $privateFile;
+            if (is_string($value) && $value !== '') {
+                return self::$nonceKey = $value;
+            }
+            // Corrupt/empty file — fall through to regenerate.
+        }
+
+        // One-time migration out of Config for sites upgrading from <= v2.0.0-beta.2.
+        /** @var Config $config */
+        $config = $grav['config'];
+        $legacy = $config->get('security.salt');
+        if (is_string($legacy) && $legacy !== '') {
+            self::writeNonceKey($privateFile, $legacy);
+            $config->set('security.salt', null);
+
+            $securityYaml = "{$configFolder}/security.yaml";
+            if (is_file($securityYaml)) {
+                $file = YamlFile::instance($securityYaml);
+                $content = (array) $file->content();
+                if (array_key_exists('salt', $content)) {
+                    unset($content['salt']);
+                    $file->content($content);
+                    $file->save();
+                    $file->free();
+                }
+            }
+
+            return self::$nonceKey = $legacy;
+        }
+
+        $generated = bin2hex(random_bytes(32));
+        self::writeNonceKey($privateFile, $generated);
+
+        return self::$nonceKey = $generated;
+    }
+
+    private static function writeNonceKey(string $path, string $value): void
+    {
+        $escaped = var_export($value, true);
+        $contents = "<?php\n\n// Auto-generated private secret. Do NOT commit to version control.\n// Used for CSRF nonce signing and admin rate-limit hashing. Regenerate by\n// deleting this file; the next request will write a new value.\n\nreturn {$escaped};\n";
+
+        $dir = dirname($path);
+        if (!is_dir($dir)) {
+            Folder::create($dir);
+        }
+
+        // Atomic write: stage to a temp file, fsync via rename.
+        $tmp = $path . '.tmp';
+        if (@file_put_contents($tmp, $contents, LOCK_EX) === false) {
+            throw new RuntimeException('Failed to write nonce key file');
+        }
+        @chmod($tmp, 0600);
+        if (!@rename($tmp, $path)) {
+            @unlink($tmp);
+            throw new RuntimeException('Failed to commit nonce key file');
+        }
+    }
 }

system/src/Grav/Common/Service/SessionServiceProvider.php

@@ -11,6 +11,7 @@
 
 use Grav\Common\Config\Config;
 use Grav\Common\Debugger;
+use Grav\Common\Security;
 use Grav\Common\Session;
 use Grav\Common\Uri;
 use Grav\Common\Utils;
@@ -86,7 +87,7 @@ public function register(Container $container)
             }
 
             $session_prefix = $c['inflector']->hyphenize($config->get('system.session.name', 'grav-site'));
-            $session_uniqueness = $config->get('system.session.uniqueness', 'path') === 'path' ?  substr(md5(GRAV_ROOT), 0, 7) :  md5((string) $config->get('security.salt'));
+            $session_uniqueness = $config->get('system.session.uniqueness', 'path') === 'path' ?  substr(md5(GRAV_ROOT), 0, 7) :  md5(Security::getNonceKey());
 
             $session_name = $session_prefix . '-' . $session_uniqueness;
 

system/src/Grav/Common/Utils.php

@@ -1405,7 +1405,7 @@ private static function generateNonceString($action, $previousTick = false)
             $i--;
         }
 
-        return ($i . '|' . $action . '|' . $username . '|' . $token . '|' . $grav['config']->get('security.salt'));
+        return ($i . '|' . $action . '|' . $username . '|' . $token . '|' . Security::getNonceKey());
     }
 
     /**

system/src/Grav/Framework/Form/FormFlash.php

@@ -75,9 +75,14 @@ public function __construct($config)
             $config = array_filter($config, static fn($val) => $val !== null);
         }
 
-        $this->id = $config['id'] ?? '';
-        $this->sessionId = $config['session_id'] ?? '';
-        $this->uniqueId = $config['unique_id'] ?? '';
+        // Identifiers are used to build filesystem paths (tmp://forms/<sessionId>/<uniqueId>)
+        // and can reach this constructor from request input (e.g. __form-flash-id).
+        // Reject anything outside a strict alphanumeric+[,_-] allowlist to prevent path
+        // traversal into arbitrary directories. Invalid values blank out, which disables
+        // flash storage for the request rather than failing hard.
+        $this->id = self::sanitizeId($config['id'] ?? '');
+        $this->sessionId = self::sanitizeId($config['session_id'] ?? '');
+        $this->uniqueId = self::sanitizeId($config['unique_id'] ?? '');
 
         $this->setUser($config['user'] ?? null);
 
@@ -489,6 +494,22 @@ public function getTmpDir(): string
         return $this->folder && $this->uniqueId ? "{$this->folder}/{$this->uniqueId}" : '';
     }
 
+    /**
+     * Gate for identifiers used in filesystem paths. Accepts the character
+     * set produced by PHP session IDs and Grav's form unique-id generators
+     * (alphanumerics, comma, underscore, hyphen). Anything else — including
+     * empty/non-string values — collapses to an empty string, which causes
+     * save()/delete()/getTmpDir() to become no-ops.
+     */
+    private static function sanitizeId($id): string
+    {
+        if (!is_string($id) || $id === '') {
+            return '';
+        }
+
+        return preg_match('/^[A-Za-z0-9,_-]{1,64}$/', $id) ? $id : '';
+    }
+
     /**
      * @return ?YamlFile
      */

tests/unit/Grav/Common/Security/FormFlashSecurityTest.php

@@ -0,0 +1,106 @@
+<?php
+
+use Codeception\Util\Fixtures;
+use Grav\Common\Grav;
+use Grav\Framework\Form\FormFlash;
+
+/**
+ * Class FormFlashSecurityTest
+ *
+ * Covers: GHSA-hmcx-ch82-3fv2 (unauthenticated path traversal / arbitrary
+ * directory creation via FormFlash session_id / unique_id).
+ *
+ * Naming convention: test{Method}_{GHSA_ID}_{description}
+ */
+class FormFlashSecurityTest extends \PHPUnit\Framework\TestCase
+{
+    /** @var Grav */
+    protected $grav;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $grav = Fixtures::get('grav');
+        $this->grav = $grav();
+    }
+
+    // =========================================================================
+    // GHSA-hmcx-ch82-3fv2: Unauthenticated path traversal in FormFlash
+    // =========================================================================
+
+    /**
+     * @dataProvider providerGHSAhmcx_TraversalIds
+     */
+    public function testConstruct_GHSAhmcx_RejectsTraversalSessionId(string $id, string $description): void
+    {
+        $flash = new FormFlash([
+            'session_id' => $id,
+            'unique_id' => 'abcdef1234567890',
+            'form_name' => 'test',
+        ]);
+
+        $this->assertSame('', $flash->getSessionId(), $description);
+        $this->assertSame('', $flash->getTmpDir(), "tmp dir must be empty when session id is rejected: {$description}");
+    }
+
+    /**
+     * @dataProvider providerGHSAhmcx_TraversalIds
+     */
+    public function testConstruct_GHSAhmcx_RejectsTraversalUniqueId(string $id, string $description): void
+    {
+        $flash = new FormFlash([
+            'session_id' => 'abcdef1234567890',
+            'unique_id' => $id,
+            'form_name' => 'test',
+        ]);
+
+        $this->assertSame('', $flash->getUniqueId(), $description);
+        $this->assertSame('', $flash->getTmpDir(), "tmp dir must be empty when unique id is rejected: {$description}");
+    }
+
+    /**
+     * @dataProvider providerGHSAhmcx_ValidIds
+     */
+    public function testConstruct_GHSAhmcx_AcceptsValidIds(string $id, string $description): void
+    {
+        $flash = new FormFlash([
+            'session_id' => $id,
+            'unique_id' => $id,
+            'form_name' => 'test',
+        ]);
+
+        $this->assertSame($id, $flash->getSessionId(), $description);
+        $this->assertSame($id, $flash->getUniqueId(), $description);
+    }
+
+    public static function providerGHSAhmcx_TraversalIds(): array
+    {
+        return [
+            ['../../user/config/proof_dir', 'parent-dir traversal (advisory PoC)'],
+            ['..', 'bare parent-dir'],
+            ['foo/../bar', 'embedded traversal'],
+            ['foo/bar', 'embedded forward slash'],
+            ['foo\\bar', 'embedded backslash'],
+            ['foo:bar', 'colon (stream prefix)'],
+            ['foo.bar', 'embedded dot'],
+            ['tmp://forms/abc', 'explicit stream url'],
+            ['%2e%2e%2f', 'url-encoded traversal'],
+            [str_repeat('a', 65), 'overlong (>64 chars)'],
+            ["abc\x00def", 'null byte'],
+            ["abc\ndef", 'newline'],
+            [' abc', 'leading space'],
+        ];
+    }
+
+    public static function providerGHSAhmcx_ValidIds(): array
+    {
+        return [
+            ['abc123', 'alphanumeric'],
+            ['ABCdef123', 'mixed case'],
+            ['session-id-with-dashes', 'hyphens'],
+            ['session_id_with_underscores', 'underscores'],
+            ['session,id,with,commas', 'commas (PHP 5-bit session id)'],
+            [str_repeat('a', 64), 'max length (64 chars)'],
+        ];
+    }
+}