fix(files): validate firmware download input and repair UI param name (#1004)

DownloadNewFirmwareAction read $data['url']/['md5']/['size'] with no checks,
producing "Undefined array key" warnings (Sentry #27054, 48 events). The
frontend was also sending params.updateLink while the backend expected url,
so downloads triggered from the UI never actually worked.

Validate url (http/https) and md5 (32 hex) up-front and return HTTP 400 on
bad input. Normalize md5 to lowercase since WorkerDownloader compares against
md5_file() output. Drop the dead 'size' field from download_settings.json:
WorkerDownloader reads file size from the Content-Length header and never
touches settings['size']. Update the UI to send params.url, and mark md5 as
required in the OpenAPI attribute to match actual worker behavior.

Author: Alexey Portnov

sites/admin-cabinet/assets/js/pbx/Update/update-index.js

@@ -184,10 +184,9 @@ const updatePBX = {
                             // Prepare parameters for firmware download
                             const params = {};
                             const $aLink = $(e.target).closest('a');
-                            params.updateLink = $aLink.attr('href');
+                            params.url = $aLink.attr('href');
                             params.md5 = $aLink.attr('data-md5');
                             params.version = $aLink.attr('data-version');
-                            params.size = $aLink.attr('data-size');
                             $aLink.find('i').addClass('loading');
                             updatePBX.upgradeInProgress = true;
                             FilesAPI.downloadFirmware(params, updatePBX.cbAfterStartDownloadFirmware);

sites/admin-cabinet/assets/js/src/Update/update-index.js

@@ -247,7 +247,7 @@ public function uploadStatus(): void
         operationId: 'downloadFirmware'
     )]
     #[ApiParameterRef('url', required: true)]
-    #[ApiParameterRef('md5')]
+    #[ApiParameterRef('md5', required: true)]
     #[ApiResponse(200, 'rest_response_200_firmware_downloading')]
     #[ApiResponse(400, 'rest_response_400_bad_request', 'PBXApiResult')]
     #[ApiResponse(401, 'rest_response_401_unauthorized', 'PBXApiResult')]

src/PBXCoreREST/Controllers/Files/RestController.php

@@ -39,25 +39,51 @@ class DownloadNewFirmwareAction extends Injectable
      * Downloads the firmware file from the provided URL.
      *
      * @param array $data The data array containing the following parameters:
-     *   - Md5: The MD5 hash of the file.
-     *   - size: The size of the file.
-     *   - version: The version of the file.
-     *   - Url: The download URL of the file.
+     *   - url: The download URL of the file (required).
+     *   - md5: The MD5 hash of the file (required, used for integrity verification).
+     *   - version: The version of the file (optional, used as directory name).
      *
      * @return PBXApiResult An object containing the result of the API call.
      */
     public static function main(array $data): PBXApiResult
     {
+        $res = new PBXApiResult();
+        $res->processor = __METHOD__;
+
+        $url = is_string($data['url'] ?? null) ? trim($data['url']) : '';
+        $md5 = is_string($data['md5'] ?? null) ? trim($data['md5']) : '';
+
+        if ($url === '') {
+            $res->success = false;
+            $res->messages['error'][] = 'Download URL is required';
+            $res->httpCode = 400;
+            return $res;
+        }
+        if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('#^https?://#i', $url)) {
+            $res->success = false;
+            $res->messages['error'][] = 'Download URL must be a valid http(s) URL';
+            $res->httpCode = 400;
+            return $res;
+        }
+        if ($md5 === '' || !preg_match('/^[a-f0-9]{32}$/i', $md5)) {
+            $res->success = false;
+            $res->messages['error'][] = 'A valid MD5 hash (32 hex characters) is required';
+            $res->httpCode = 400;
+            return $res;
+        }
+        // Normalize to lowercase: WorkerDownloader compares against md5_file() which returns lowercase.
+        $md5 = strtolower($md5);
+
         $di = Di::getDefault();
         if ($di !== null) {
             $uploadDir = $di->getConfig()->path('www.uploadDir');
         } else {
             $uploadDir = '/tmp';
         }
-        $version = $data['version'] ?? $data['md5'] ?? (string)time();
+        $version = $data['version'] ?? $md5;
         // Security: sanitize version to prevent shell injection via directory path
-        $version = preg_replace('/[^a-zA-Z0-9._\-]/', '', $version);
-        if (empty($version)) {
+        $version = preg_replace('/[^a-zA-Z0-9._\-]/', '', (string)$version);
+        if ($version === '') {
             $version = (string)time();
         }
         $firmwareDirTmp = "$uploadDir/{$version}";
@@ -71,9 +97,8 @@ public static function main(array $data): PBXApiResult
 
         $download_settings = [
             'res_file' => "$firmwareDirTmp/update.img",
-            'url'      => $data['url'],
-            'size'     => $data['size'],
-            'md5'      => $data['md5'],
+            'url'      => $url,
+            'md5'      => $md5,
         ];
 
         $workerDownloaderPath = Util::getFilePathByClassName(WorkerDownloader::class);
@@ -84,8 +109,6 @@ public static function main(array $data): PBXApiResult
         $php = Util::which('php');
         Processes::mwExecBg("$php -f $workerDownloaderPath start " . escapeshellarg("$firmwareDirTmp/download_settings.json"));
 
-        $res                   = new PBXApiResult();
-        $res->processor        = __METHOD__;
         $res->success          = true;
         $res->data['filename'] = $download_settings['res_file'];
         $res->data[FilesConstants::D_STATUS] = FilesConstants::DOWNLOAD_IN_PROGRESS;