fix(security): patch auth bypass, XSS, RCE, path traversal, arbitrary file write

- Validate JWT signature in SecurityPlugin.isAuthenticated() instead of
  accepting any Bearer header (CVE: unauthenticated admin access)
- Sanitize iconClass to CSS-safe characters and escape with
  htmlspecialchars() in sidebar rendering (stored XSS via module settings)
- Add ALLOWED_WRITE_DIRECTORIES whitelist in FilesManagementProcessor
  with pre-write path traversal rejection and directory confinement
- Sanitize firmware version parameter to [a-zA-Z0-9._-] and add
  escapeshellarg() in DownloadNewFirmwareAction (command injection)
- Add escapeshellarg() to mv command in ConvertAudioFileAction (command
  injection via temp_filename)
- Add realpath() + directory confinement in all four syslog actions to
  prevent path traversal outside CORE_LOGS_DIR, plus escapeshellarg()
  on decompression and erase shell commands
- Add translated error messages (rest_err_file_*, rest_err_syslog_*,
  rest_err_firmware_*) across all 26 languages
- Add comprehensive TDD security test suite (15 tests)

Author: jorikfon

src/AdminCabinet/Controllers/PbxExtensionModulesController.php

@@ -149,7 +149,7 @@ public function saveAction(): void
             'uniqid' => $data['uniqid'],
             'href' => $data['href'],
             'group' => $data['menu-group'],
-            'iconClass' => $data['iconClass'],
+            'iconClass' => preg_replace('/[^a-zA-Z0-9\s\-_]/', '', $data['iconClass'] ?? ''),
             'caption' => $data['caption'],
             'showAtSidebar' => $data['show-at-sidebar'] === 'on',
         ];

src/AdminCabinet/Library/Elements.php

@@ -328,7 +328,8 @@ public function getMenu(): void
                 $groupHtml .= '<div class="item">';
                 $groupHtml .= '<div class="header">';
                 if (array_key_exists('iconclass', $groupparams) && !empty($groupparams['iconclass'])) {
-                    $groupHtml .= "<i class='{$groupparams['iconclass']} icon'></i>";
+                    $escapedIconClass = htmlspecialchars($groupparams['iconclass'], ENT_QUOTES, 'UTF-8');
+                    $groupHtml .= "<i class='{$escapedIconClass} icon'></i>";
                 }
                 $groupHtml .= $this->translation->_($groupparams['caption']) . '</div>';
                 $groupHtml .= "<div class='menu' data-group='$group'>";
@@ -340,8 +341,9 @@ public function getMenu(): void
                         if (isset($option['data-value'])) {
                             $groupHtml .= " data-value='{$option['data-value']}'";
                         }
+                        $escapedIconClass = htmlspecialchars($option['iconclass'], ENT_QUOTES, 'UTF-8');
                         $groupHtml .= ">
-                    		<i class='{$option['iconclass']} icon'></i>{$caption}
+                    		<i class='{$escapedIconClass} icon'></i>{$caption}
                     	 </a>";
 
                         $addToHTML = true;
@@ -352,8 +354,9 @@ public function getMenu(): void
             } elseif ($this->ifItPossibleToShowThisElement($group, $groupparams['action'] ?? 'index')) {
                     $link = $this->getLinkToControllerAction($group, $groupparams['action'], $groupparams['param']);
                     $caption = $this->translation->_($groupparams['caption']);
+                    $escapedIconClass = htmlspecialchars($groupparams['iconclass'], ENT_QUOTES, 'UTF-8');
                     $groupHtml .= "<a class='item {$groupparams['style']}' href='$link'>
-                    	    <i class='{$groupparams['iconclass']} icon'></i>{$caption}
+                    	    <i class='{$escapedIconClass} icon'></i>{$caption}
                         </a>";
                     $addToHTML = true;
             }
@@ -381,7 +384,8 @@ public function getIconByController($controllerClass): string
                 && array_key_exists('iconclass', $group)
                 && !empty($group['iconclass'])
             ) {
-                $result = "<i class='{$group['iconclass']} icon'></i>";
+                $escapedIconClass = htmlspecialchars($group['iconclass'], ENT_QUOTES, 'UTF-8');
+                $result = "<i class='{$escapedIconClass} icon'></i>";
                 break;
             }
             // Group with submenu - search inside submenu
@@ -391,7 +395,8 @@ public function getIconByController($controllerClass): string
                         $index2 === $controllerClass
                         && !empty($submenu['iconclass'])
                     ) {
-                        $result = "<i class='{$submenu['iconclass']} icon'></i>";
+                        $escapedIconClass = htmlspecialchars($submenu['iconclass'], ENT_QUOTES, 'UTF-8');
+                        $result = "<i class='{$escapedIconClass} icon'></i>";
                         break;
                     }
                 }

src/AdminCabinet/Plugins/SecurityPlugin.php

@@ -169,9 +169,16 @@ public static function isAuthenticated(
         // Check for JWT Bearer token in Authorization header (AJAX requests)
         $authHeader = $request->getHeader('Authorization');
         if ($authHeader && str_starts_with($authHeader, 'Bearer ')) {
-            // TODO: можно добавить валидацию JWT токена здесь
-            // Но AuthenticationMiddleware уже проверяет его для API запросов
-            return true;
+            $token = substr($authHeader, 7);
+            $di = \Phalcon\Di\Di::getDefault();
+            if ($di !== null) {
+                $jwt = $di->getShared(JwtProvider::SERVICE_NAME);
+                $payload = $jwt->validate($token);
+                if ($payload !== null) {
+                    return true;
+                }
+            }
+            // Invalid or expired token — fall through to cookie check
         }
 
         // For browser page requests: check for refreshToken cookie

src/Common/Messages/az/RestApi.php

@@ -2306,4 +2306,18 @@
     'rest_schema_provider_secret' => 'Provayderlə identifikasiya üçün parol',
     'API Keys' => 'API açarı',
     'Asterisk Managers' => 'AMI istifadəçisi',
+
+    // Syslog: packet capture and log retrieval
+    'rest_syslog_GetCaptureStatus' => 'Paket tutma vəziyyətini al',
+    'rest_syslog_GetCaptureStatusDesc' => 'Şəbəkə paket tutmasının (tcpdump) hal-hazırda işlədiyini yoxlayın',
+
+    // Security: file operation and path validation errors
+    'rest_err_file_write_not_permitted' => 'Bu yola yazma icazəsi yoxdur',
+    'rest_err_file_invalid_target_dir' => 'Yanlış hədəf qovluğu',
+    'rest_err_file_filename_required' => 'Fayl adı tələb olunur',
+    'rest_err_file_content_required' => 'Fayl məzmunu tələb olunur',
+    'rest_err_file_mkdir_failed' => 'Qovluq yaratmaq alınmadı',
+    'rest_err_file_write_failed' => 'Fayl yazmaq alınmadı',
+    'rest_err_syslog_invalid_path' => 'Jurnal faylının yolu yanlışdır',
+    'rest_err_firmware_invalid_version' => 'Proqram təminatı versiyasının formatı yanlışdır',
 ];

src/Common/Messages/cs/RestApi.php

@@ -2306,4 +2306,18 @@
     'rest_cf_GetList' => 'Získejte seznam uživatelských souborů',
     'rest_cf_GetRecord' => 'Získání uživatelského souboru podle ID',
     'rest_cf_GetRecordDesc' => 'Získejte podrobné informace o uživatelském souboru, včetně jeho cesty, obsahu a režimu použití.',
+
+    // Syslog: packet capture and log retrieval
+    'rest_syslog_GetCaptureStatus' => 'Získat stav zachytávání paketů',
+    'rest_syslog_GetCaptureStatusDesc' => 'Zkontrolujte, zda zachytávání síťových paketů (tcpdump) právě probíhá',
+
+    // Security: file operation and path validation errors
+    'rest_err_file_write_not_permitted' => 'Zápis do této cesty není povolen',
+    'rest_err_file_invalid_target_dir' => 'Neplatný cílový adresář',
+    'rest_err_file_filename_required' => 'Název souboru je povinný',
+    'rest_err_file_content_required' => 'Obsah souboru je povinný',
+    'rest_err_file_mkdir_failed' => 'Vytvoření adresáře se nezdařilo',
+    'rest_err_file_write_failed' => 'Zápis souboru se nezdařil',
+    'rest_err_syslog_invalid_path' => 'Neplatná cesta k souboru protokolu',
+    'rest_err_firmware_invalid_version' => 'Neplatný formát verze firmwaru',
 ];

src/Common/Messages/da/RestApi.php

@@ -2306,4 +2306,18 @@
     'rest_cq_GetRecord' => 'Hent kø efter ID',
     'rest_schema_s3_access_key' => 'S3-adgangsnøgle-ID (synlig i svar)',
     'rest_S3Storage_ApiDescription' => 'Administrer S3-kompatibel cloud-lagring til arkivering af opkaldsoptagelser. Denne singleton-ressource leverer konfiguration til AWS S3, MinIO, Wasabi og andre S3-kompatible lagringstjenester. Funktionerne omfatter automatisk upload af optagelser til cloud-lagring efter udløbet af den lokale opbevaringsperiode, transparent afspilning fra S3-cache og en todelt lagringsstrategi (hot local storage + cold cloud archive). Legitimationsoplysninger krypteres automatisk før lagring.',
+
+    // Syslog: packet capture and log retrieval
+    'rest_syslog_GetCaptureStatus' => 'Hent pakkefangststatus',
+    'rest_syslog_GetCaptureStatusDesc' => 'Kontroller om netværkspakkefangst (tcpdump) kører i øjeblikket',
+
+    // Security: file operation and path validation errors
+    'rest_err_file_write_not_permitted' => 'Skrivning til denne sti er ikke tilladt',
+    'rest_err_file_invalid_target_dir' => 'Ugyldig målmappe',
+    'rest_err_file_filename_required' => 'Filnavn er påkrævet',
+    'rest_err_file_content_required' => 'Filindhold er påkrævet',
+    'rest_err_file_mkdir_failed' => 'Det lykkedes ikke at oprette mappen',
+    'rest_err_file_write_failed' => 'Det lykkedes ikke at skrive filen',
+    'rest_err_syslog_invalid_path' => 'Ugyldig sti til logfil',
+    'rest_err_firmware_invalid_version' => 'Ugyldigt format for firmwareversion',
 ];

src/Common/Messages/de/RestApi.php

@@ -2306,4 +2306,18 @@
     'rest_pvd_UpdateStatus' => 'Anbieterstatus aktualisieren',
     'rest_param_emp_export_format' => 'Exportformat: Minimal (7 Felder), Standard (13 Felder), Vollständig (15 Felder)',
     'rest_ms_RefreshToken' => 'OAuth2-Token aktualisieren',
+
+    // Syslog: packet capture and log retrieval
+    'rest_syslog_GetCaptureStatus' => 'Paketerfassungsstatus abrufen',
+    'rest_syslog_GetCaptureStatusDesc' => 'Prüfen, ob die Netzwerkpaketerfassung (tcpdump) derzeit läuft',
+
+    // Security: file operation and path validation errors
+    'rest_err_file_write_not_permitted' => 'Schreiben in diesen Pfad ist nicht erlaubt',
+    'rest_err_file_invalid_target_dir' => 'Ungültiges Zielverzeichnis',
+    'rest_err_file_filename_required' => 'Dateiname ist erforderlich',
+    'rest_err_file_content_required' => 'Dateiinhalt ist erforderlich',
+    'rest_err_file_mkdir_failed' => 'Verzeichnis konnte nicht erstellt werden',
+    'rest_err_file_write_failed' => 'Datei konnte nicht geschrieben werden',
+    'rest_err_syslog_invalid_path' => 'Ungültiger Pfad zur Protokolldatei',
+    'rest_err_firmware_invalid_version' => 'Ungültiges Format der Firmware-Version',
 ];

src/Common/Messages/el/RestApi.php

@@ -2306,4 +2306,18 @@
     'rest_cf_GetDefault' => 'Λήψη προεπιλεγμένων τιμών',
     'rest_resource_license' => 'Αδεια',
     'rest_schema_file_filename' => 'Όνομα αρχείου',
+
+    // Syslog: packet capture and log retrieval
+    'rest_syslog_GetCaptureStatus' => 'Λήψη κατάστασης σύλληψης πακέτων',
+    'rest_syslog_GetCaptureStatusDesc' => 'Ελέγξτε αν η σύλληψη πακέτων δικτύου (tcpdump) εκτελείται αυτή τη στιγμή',
+
+    // Security: file operation and path validation errors
+    'rest_err_file_write_not_permitted' => 'Η εγγραφή σε αυτή τη διαδρομή δεν επιτρέπεται',
+    'rest_err_file_invalid_target_dir' => 'Μη έγκυρος κατάλογος προορισμού',
+    'rest_err_file_filename_required' => 'Το όνομα αρχείου είναι υποχρεωτικό',
+    'rest_err_file_content_required' => 'Το περιεχόμενο αρχείου είναι υποχρεωτικό',
+    'rest_err_file_mkdir_failed' => 'Αποτυχία δημιουργίας καταλόγου',
+    'rest_err_file_write_failed' => 'Αποτυχία εγγραφής αρχείου',
+    'rest_err_syslog_invalid_path' => 'Μη έγκυρη διαδρομή αρχείου καταγραφής',
+    'rest_err_firmware_invalid_version' => 'Μη έγκυρη μορφή έκδοσης firmware',
 ];

src/Common/Messages/en/RestApi.php

@@ -2042,4 +2042,18 @@
     'rest_err_system_query_exception' => 'Failed to execute SQL query',
     'rest_tag_S3Storage' => 'S3 Cloud Storage',
     'rest_schema_system_query' => 'Executed SQL query',
+
+    // Security: file operation error messages
+    'rest_err_file_write_not_permitted' => 'Write not permitted to this path',
+    'rest_err_file_invalid_target_dir' => 'Invalid target directory',
+    'rest_err_file_filename_required' => 'Filename is required',
+    'rest_err_file_content_required' => 'File content is required',
+    'rest_err_file_mkdir_failed' => 'Failed to create directory',
+    'rest_err_file_write_failed' => 'Failed to write file',
+
+    // Security: syslog path validation
+    'rest_err_syslog_invalid_path' => 'Invalid log file path',
+
+    // Security: firmware version validation
+    'rest_err_firmware_invalid_version' => 'Invalid firmware version format',
 ];

src/Common/Messages/es/RestApi.php

@@ -2306,4 +2306,18 @@
     'rest_cf_GetRecord' => 'Obtener archivo de usuario por ID',
     'rest_resource_file' => 'Archivo',
     'rest_param_pk_user_id' => 'ID de usuario',
+
+    // Syslog: packet capture and log retrieval
+    'rest_syslog_GetCaptureStatus' => 'Obtener estado de captura de paquetes',
+    'rest_syslog_GetCaptureStatusDesc' => 'Verificar si la captura de paquetes de red (tcpdump) está en ejecución actualmente',
+
+    // Security: file operation and path validation errors
+    'rest_err_file_write_not_permitted' => 'No se permite escribir en esta ruta',
+    'rest_err_file_invalid_target_dir' => 'Directorio de destino no válido',
+    'rest_err_file_filename_required' => 'El nombre de archivo es obligatorio',
+    'rest_err_file_content_required' => 'El contenido del archivo es obligatorio',
+    'rest_err_file_mkdir_failed' => 'No se pudo crear el directorio',
+    'rest_err_file_write_failed' => 'No se pudo escribir el archivo',
+    'rest_err_syslog_invalid_path' => 'Ruta de archivo de registro no válida',
+    'rest_err_firmware_invalid_version' => 'Formato de versión de firmware no válido',
 ];