Fixed phpstan issues

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5 to 6.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.env

@@ -121,6 +121,10 @@ SAML_SP_PRIVATE_KEY="MIIE..."
 # In demo mode things it is not possible for a user to change his password and his settings.
 DEMO_MODE=0
 
+# When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file.
+# This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
+ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK=0
+
 # Change this to true, if no url rewriting (like mod_rewrite for Apache) is available
 # In that case all URL contains the index.php front controller in URL
 NO_URL_REWRITE_AVAILABLE=0

.github/workflows/assets_artifact_build.yml

@@ -67,7 +67,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v6
         with:
-          node-version: '20'
+          node-version: '22'
 
       - name: Install yarn dependencies
         run: yarn install

.github/workflows/tests.yml

@@ -106,7 +106,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v6
         with:
-          node-version: '20'
+          node-version: '22'
 
       - name: Install yarn dependencies
         run: yarn install
@@ -129,7 +129,7 @@ jobs:
         run: ./bin/phpunit --coverage-clover=coverage.xml
 
       - name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           env_vars: PHP_VERSION,DB_TYPE
           token: ${{ secrets.CODECOV_TOKEN }}

Dockerfile-frankenphp

@@ -62,7 +62,7 @@ RUN yarn build
 RUN yarn cache clean && rm -rf node_modules/
 
 # FrankenPHP base stage
-FROM dunglas/frankenphp:1-php8.4 AS frankenphp_upstream
+FROM dunglas/frankenphp:1-php8.4-bookworm AS frankenphp_upstream
 ARG TARGETARCH
 RUN --mount=type=cache,id=apt-cache-$TARGETARCH,target=/var/cache/apt \
     --mount=type=cache,id=apt-lists-$TARGETARCH,target=/var/lib/apt/lists \

README.md

@@ -74,11 +74,11 @@ Part-DB is also used by small companies and universities for managing their inve
 ## Requirements
 
 * A **web server** (like Apache2 or nginx) that is capable of
-  running [Symfony 6](https://symfony.com/doc/current/reference/requirements.html),
+  running [Symfony 7](https://symfony.com/doc/current/reference/requirements.html),
   this includes a minimum PHP version of **PHP 8.2**
 * A **MySQL** (at least 5.7) /**MariaDB** (at least 10.4) database server, or **PostgreSQL** 10+ if you do not want to use SQLite.
 * Shell access to your server is highly recommended!
-* For building the client-side assets **yarn** and **nodejs** (>= 20.0) is needed.
+* For building the client-side assets **yarn** and **nodejs** (>= 22.0) is needed.
 
 ## Installation
 

config/parameters.yaml

@@ -105,6 +105,8 @@ parameters:
 
   env(DATABASE_EMULATE_NATURAL_SORT): 0
 
+  env(ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK): 0
+
   ######################################################################################################################
   # Bulk Info Provider Import Configuration
   ######################################################################################################################

config/reference.php

@@ -1550,7 +1550,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *     template_parameters?: array{ // Default parameters to be passed to the template
  *         className?: scalar|Param|null, // Default class attribute to apply to the root table elements // Default: "table table-bordered"
  *         columnFilter?: "thead"|"tfoot"|"both"|Param|null, // If and where to enable the DataTables Filter module // Default: null
- *         ...<mixed>
+ *         ...<string, mixed>
  *     },
  *     translation_domain?: scalar|Param|null, // Default translation domain to be used // Default: "messages"
  * }
@@ -1705,14 +1705,14 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *             use_underscore?: bool|Param, // Default: true
  *             unordered_list_markers?: list<scalar|Param|null>,
  *         },
- *         ...<mixed>
+ *         ...<string, mixed>
  *     },
  * }
  * @psalm-type GregwarCaptchaConfig = array{
  *     length?: scalar|Param|null, // Default: 5
  *     width?: scalar|Param|null, // Default: 130
  *     height?: scalar|Param|null, // Default: 50
- *     font?: scalar|Param|null, // Default: "E:\\PHP\\Part-DB-server\\vendor\\gregwar\\captcha-bundle\\DependencyInjection/../Generator/Font/captcha.ttf"
+ *     font?: scalar|Param|null, // Default: "/home/jan/php/Part-DB-server/vendor/gregwar/captcha-bundle/DependencyInjection/../Generator/Font/captcha.ttf"
  *     keep_value?: scalar|Param|null, // Default: false
  *     charset?: scalar|Param|null, // Default: "abcdefhjkmnprstuvwxyz23456789"
  *     as_file?: scalar|Param|null, // Default: false
@@ -2649,7 +2649,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *             cast_fn?: mixed,
  *             default?: mixed,
  *             filter_class?: mixed,
- *             ...<mixed>
+ *             ...<string, mixed>
  *         }>,
  *         strict_query_parameter_validation?: mixed,
  *         hide_hydra_operation?: mixed,
@@ -2669,7 +2669,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *         name?: mixed,
  *         allow_create?: mixed,
  *         item_uri_template?: mixed,
- *         ...<mixed>
+ *         ...<string, mixed>
  *     },
  * }
  * @psalm-type ConfigType = array{

docs/configuration.md

@@ -86,6 +86,7 @@ bundled with Part-DB. Set `DATABASE_MYSQL_SSL_VERIFY_CERT` if you want to accept
 * `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default
   when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments
   locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1.
+* `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK` (default `0`): When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file. This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
 * `ATTACHMENT_SHOW_HTML_FILES`: When enabled, user uploaded HTML attachments can be viewed directly in the browser. 
   Many potential malicious functions are restricted, still this is a potential security risk and should only be enabled,
   if you trust the users who can upload files. When set to 0, HTML files are rendered as plain text.

docs/installation/installation_docker.md

@@ -95,6 +95,11 @@ services:
    docker-compose up -d
 ```    
 
+{: .warning }
+> If you run a root console inside the docker container, and wanna execute commands on the webserver behalf, be sure to use `sudo -E` command (with the `-E` flag) to preserve env variables from the current shell.
+> Otherwise Part-DB console might use the wrong configuration to execute commands.
+
+
 6. Create the initial database with
 
  ```bash

docs/upgrade/1_to_2.md

@@ -18,7 +18,7 @@ fulfilled by the official Part-DB docker image.*
 
 Part-DB 2.0 requires at least PHP 8.2 (newer versions are recommended). So if your existing Part-DB installation is still
 running PHP 8.1, you will have to upgrade your PHP version first.
-The minimum required version of node.js is now 20.0 or newer, so if you are using 18.0, you will have to upgrade it too.
+The minimum required version of node.js is now 22.0 or newer, so if you are using 18.0, you will have to upgrade it too.
 
 Most distributions should have the possibility to get backports for PHP 8.4 and modern nodejs, so you should be able to
 easily upgrade your system to the new requirements. Otherwise, you can use the official Part-DB docker image, which
@@ -60,6 +60,8 @@ The `php bin/console partdb:backup` command can help you with this.
 If you want to change them, you must migrate them to the settings interface as described below.
 
 ### Docker installation
+**When running the console commands from inside a docker container's shell as root, be sure to use `sudo -E` to preserve the environment variables, so that they are correctly passed to the command.**
+
 1. Make a backup of your existing Part-DB installation, including the database, data directories and the configuration files and the file where you configure the docker environment variables.
 2. Stop the existing Part-DB container with `docker compose down`
 3. Ensure that your docker compose file uses the new latest images (either `latest` or `2` tag).

package.json

@@ -9,16 +9,16 @@
         "@symfony/stimulus-bridge": "^4.0.0",
         "@symfony/ux-translator": "file:vendor/symfony/ux-translator/assets",
         "@symfony/ux-turbo": "file:vendor/symfony/ux-turbo/assets",
-        "@symfony/webpack-encore": "^5.1.0",
+        "@symfony/webpack-encore": "^6.0.0",
         "bootstrap": "^5.1.3",
         "core-js": "^3.38.0",
-        "intl-messageformat": "^10.2.5",
+        "intl-messageformat": "^10.5.11",
         "jquery": "^3.5.1",
         "popper.js": "^1.14.7",
-        "regenerator-runtime": "^0.13.9",
+        "regenerator-runtime": "^0.14.1",
         "webpack": "^5.74.0",
         "webpack-bundle-analyzer": "^5.1.1",
-        "webpack-cli": "^5.1.0",
+        "webpack-cli": "^6.0.0",
         "webpack-notifier": "^1.15.0"
     },
     "license": "AGPL-3.0-or-later",
@@ -30,14 +30,14 @@
         "build": "encore production --progress"
     },
     "engines": {
-        "node": ">=20.0.0"
+        "node": ">=22.0.0"
     },
     "dependencies": {
         "@algolia/autocomplete-js": "^1.17.0",
         "@algolia/autocomplete-plugin-recent-searches": "^1.17.0",
         "@algolia/autocomplete-theme-classic": "^1.17.0",
-        "@ckeditor/ckeditor5-dev-translations": "^43.0.1",
-        "@ckeditor/ckeditor5-dev-utils": "^43.0.1",
+        "@ckeditor/ckeditor5-dev-translations": "^53",
+        "@ckeditor/ckeditor5-dev-utils": "^53",
         "@jbtronics/bs-treeview": "^1.0.1",
         "@part-db/html5-qrcode": "^4.0.0",
         "@zxcvbn-ts/core": "^3.0.2",
@@ -69,11 +69,11 @@
         "marked": "^17.0.1",
         "marked-gfm-heading-id": "^4.1.1",
         "marked-mangle": "^1.0.1",
-        "pdfmake": "^0.2.2",
+        "pdfmake": "^0.3.7",
         "stimulus-use": "^0.52.0",
         "tom-select": "^2.1.0",
         "ts-loader": "^9.2.6",
-        "typescript": "^5.7.2"
+        "typescript": "^6.0.2"
     },
     "resolutions": {
         "jquery": "^3.5.1"

src/Command/LoadFixturesCommand.php

@@ -56,13 +56,16 @@ class LoadFixturesCommand extends Command
         }
 
         $factory = new ResetAutoIncrementPurgerFactory();
-        $purger = $factory->createForEntityManager(null, $this->entityManager);
+
+        //Use truncate purging to fix compatibility with postgresql
+        $purger = $factory->createForEntityManager(null, $this->entityManager, purgeWithTruncate: true);
 
         $purger->purge();
 
         //Afterwards run the load fixtures command as normal, but with the --append option
         $new_input = new ArrayInput([
             'command' => 'doctrine:fixtures:load',
+            '--purge-with-truncate' => true,
             '--append' => true,
         ]);
 
@@ -70,4 +73,4 @@ class LoadFixturesCommand extends Command
 
         return $returnCode ?? Command::FAILURE;
     }
-}
+}

src/Form/Settings/TypeSynonymRowType.php

@@ -139,7 +139,7 @@ class TypeSynonymRowType extends AbstractType
      */
     private function getPreferredLocales(): array
     {
-        $fromSettings = $this->localizationSettings->languageMenuEntries ?? [];
+        $fromSettings = $this->localizationSettings->languageMenuEntries;
         return !empty($fromSettings) ? array_values($fromSettings) : array_values($this->preferredLanguagesParam);
     }
 

src/Services/Attachments/AttachmentSubmitHandler.php

@@ -44,6 +44,8 @@ use App\Exceptions\AttachmentDownloadException;
 use App\Settings\SystemSettings\AttachmentsSettings;
 use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
 use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use const DIRECTORY_SEPARATOR;
 use InvalidArgumentException;
 use RuntimeException;
@@ -76,6 +78,8 @@ class AttachmentSubmitHandler
         protected FileTypeFilterTools $filterTools,
         protected AttachmentsSettings $settings,
         protected readonly SVGSanitizer $SVGSanitizer,
+        #[Autowire(env: "bool:ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK")]
+        private readonly bool $allow_local_network_downloads = false,
     )
     {
         //The mapping used to determine which folder will be used for an attachment type
@@ -95,6 +99,10 @@ class AttachmentSubmitHandler
             UserAttachment::class => 'user',
             LabelAttachment::class => 'label_profile',
         ];
+
+        if (!$this->allow_local_network_downloads) {
+            $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
+        }
     }
 
     /**
@@ -373,6 +381,7 @@ class AttachmentSubmitHandler
                 ],
 
             ];
+
             $response = $this->httpClient->request('GET', $url, $opts);
             //Digikey wants TLSv1.3, so try again with that if we get a 403
             if ($response->getStatusCode() === 403) {
@@ -434,8 +443,8 @@ class AttachmentSubmitHandler
             $new_path = $this->pathResolver->realPathToPlaceholder($new_path);
             //Save the path to the attachment
             $attachment->setInternalPath($new_path);
-        } catch (TransportExceptionInterface) {
-            throw new AttachmentDownloadException('Transport error!');
+        } catch (TransportExceptionInterface $exception) {
+            throw new AttachmentDownloadException('Transport error: '.$exception->getMessage());
         }
 
         return $attachment;

src/Services/InfoProviderSystem/Providers/GenericWebProvider.php

@@ -42,6 +42,7 @@ use Brick\Schema\Interfaces\Thing;
 use Brick\Schema\SchemaReader;
 use Brick\Schema\SchemaTypeList;
 use Symfony\Component\DomCrawler\Crawler;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 class GenericWebProvider implements InfoProviderInterface
@@ -55,7 +56,8 @@ class GenericWebProvider implements InfoProviderInterface
         private readonly ProviderRegistry $providerRegistry, private readonly PartInfoRetriever $infoRetriever,
     )
     {
-        $this->httpClient = (new RandomizeUseragentHttpClient($httpClient))->withOptions(
+        //Use NoPrivateNetworkHttpClient to prevent SSRF vulnerabilities, and RandomizeUseragentHttpClient to make it harder for servers to block us
+        $this->httpClient = (new RandomizeUseragentHttpClient(new NoPrivateNetworkHttpClient($httpClient)))->withOptions(
             [
                 'timeout' => 15,
             ]