Downloads
A downloads directory for Convoro — organise files into categories, link a GitHub release or upload a .zip/.exe, with per-download counts. Free first-party extension.
AI security review
✓ Reviewed safe · 90/100
A first-party downloads directory extension with proper permission gating on all management actions, parameterized Eloquent queries, output escaping, and same-origin URL validation for images/icons. No RCE, SQLi, command execution, hardcoded secrets, or exfiltration found.
- low · GitHub source resolution / external redirect — resolveSource() in src/Extension.php accepts arbitrary http(s) URLs, and the /downloads/{slug}/get route calls redirect()->away($d->external_url). Both are gated behind downloads.manage and only store or follow manager-supplied links, so exploitation requires a user who already holds that permission. The GitHub API fetch and the stored external URLs are not host-restricted, however: a malicious or compromised manager could point the server-side fetch at an internal address, or send every visitor of /downloads/{slug}/get to an arbitrary site.
- low · Executable file types allowed for upload — ALLOWED_EXT in src/Extension.php permits exe, msi, apk and similar types. Files are stored privately under storage/app with randomized names and served only as download attachments (response()->download), never executed or served inline, so this is by design for a downloads directory rather than a server-side risk. The residual risk is to visitors who run what a manager uploaded, which is inherent to the feature.
- low · Screenshot/cover URLs embedded into inline style background-image — detailPage() and indexPage() interpolate screenshot URLs into inline style background-image:url('...') after htmlspecialchars (ENT_QUOTES). The entity escaping stops the value from terminating the style attribute itself, but browsers decode entities in attribute values before the CSS parser runs, so a quote in the value would still close the url() string inside the attribute. The real control is that the values originate from same-origin image uploads via safeImage(), which keeps such characters out. Low residual risk only.
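One way to close the host-restriction gap noted in the GitHub source finding is to validate the manager-supplied URL before it is stored, fetched or redirected to. The code below is an added example written for this page, not code from the Convoro extension; the function and constant names (parseGitHubRepoUrl, githubLatestReleaseApiUrl, isSafeExternalUrl, ALLOWED_SOURCE_HOSTS) are hypothetical, and the server-side fetch is built from the validated owner/repo pair rather than from the user's string.

```php
<?php
// Added example (not Convoro's code): host-restricted validation for a
// manager-supplied GitHub source URL, as a mitigation for the finding that
// resolveSource() accepts arbitrary http(s) URLs. Names are hypothetical.
declare(strict_types=1);

const ALLOWED_SOURCE_HOSTS = ['github.com', 'www.github.com'];
const GITHUB_API_HOST      = 'api.github.com';

/**
 * Accept only https://github.com/{owner}/{repo}[/...] and return the
 * owner/repo pair, or null when the URL must be rejected.
 */
function parseGitHubRepoUrl(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    // https only, no embedded credentials and no explicit port: this rejects
    // tricks such as https://github.com@169.254.169.254/ where the "host"
    // a human reads is really userinfo.
    if (strtolower($p['scheme']) !== 'https'
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    // Exact host match, not a suffix match (github.com.evil.example fails).
    if (!in_array(strtolower($p['host']), ALLOWED_SOURCE_HOSTS, true)) {
        return null;
    }
    // Owner and repository limited to GitHub's own character set.
    $re = '~^/([A-Za-z0-9][A-Za-z0-9-]{0,38})/([A-Za-z0-9_.-]{1,100})(?:/|$)~';
    if (!preg_match($re, $p['path'], $m)) {
        return null;
    }
    return ['owner' => $m[1], 'repo' => preg_replace('/\.git$/', '', $m[2])];
}

/** The URL the server actually fetches is rebuilt from validated parts. */
function githubLatestReleaseApiUrl(string $owner, string $repo): string
{
    return sprintf('https://%s/repos/%s/%s/releases/latest',
        GITHUB_API_HOST, rawurlencode($owner), rawurlencode($repo));
}

/** Gate for redirect()->away(): only a validated GitHub repository URL passes. */
function isSafeExternalUrl(string $url): bool
{
    return parseGitHubRepoUrl($url) !== null;
}

// Constructed inputs for a self-check; expected verdicts on the right.
$cases = [
    'https://github.com/octocat/Hello-World'                 => true,
    'https://github.com/octocat/Hello-World/releases/tag/v1' => true,
    'http://github.com/octocat/Hello-World'                  => false, // not https
    'https://github.com@169.254.169.254/x/y'                 => false, // userinfo
    'https://github.com.evil.example/octocat/Hello-World'    => false, // host suffix
    'https://api.github.com/repos/octocat/Hello-World'       => false, // not a repo page
];
foreach ($cases as $url => $expected) {
    if (isSafeExternalUrl($url) !== $expected) {
        throw new RuntimeException("unexpected verdict for $url");
    }
}
$r = parseGitHubRepoUrl('https://github.com/octocat/Hello-World.git');
echo githubLatestReleaseApiUrl($r['owner'], $r['repo']), PHP_EOL;
// https://api.github.com/repos/octocat/Hello-World/releases/latest
```

Because the redirect target and the API fetch target are both derived from the same validated owner/repo pair, a manager who can set external_url can no longer steer the server at an internal address or send visitors off-site, while the advertised feature (linking a GitHub release) keeps working.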
Automated review of v1.0.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.
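The screenshot finding above rests on htmlspecialchars() inside a style attribute. The following is an added example written for this page, not code from the Convoro extension, showing with a constructed value why entity escaping alone does not keep a value inside the CSS url() string, and one hardened alternative that validates a same-origin path and CSS-escapes it. The function names (bgStyleEntityOnly, bgStyleHardened) are hypothetical; it needs PHP 8 for str_contains().

```php
<?php
// Added example (not Convoro's code): entity escaping versus CSS string
// context in style="background-image:url('...')". Names are hypothetical.
declare(strict_types=1);

/** The pattern the review describes: entity-escape, then interpolate. */
function bgStyleEntityOnly(string $url): string
{
    $v = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "style=\"background-image:url('" . $v . "')\"";
}

/**
 * Hardened: accept only a same-origin relative path from a conservative
 * character set, CSS-escape it for string context, then HTML-escape it.
 */
function bgStyleHardened(string $url): ?string
{
    if (!preg_match('~^/storage/[A-Za-z0-9_./-]+$~', $url) || str_contains($url, '..')) {
        return null;
    }
    // CSS string escape: every non-alphanumeric byte becomes \HH plus a space,
    // so no byte can terminate the quoted url() string.
    $css = preg_replace_callback('/[^A-Za-z0-9]/',
        fn (array $m): string => sprintf('\\%x ', ord($m[0])), $url);
    return "style=\"background-image:url('" . htmlspecialchars($css, ENT_QUOTES, 'UTF-8') . "')\"";
}

// Constructed attacker value: closes the url() string and adds a second rule.
$payload = "/storage/x.png');background-image:url('https://evil.example/leak";

$attr = bgStyleEntityOnly($payload);
// The HTML source shows &#039; for each quote, but the browser decodes
// entities in attribute values before the CSS parser runs. Simulate that:
$cssAsParsed = html_entity_decode(substr($attr, strlen('style="'), -1), ENT_QUOTES, 'UTF-8');
echo $cssAsParsed, PHP_EOL;
// background-image:url('/storage/x.png');background-image:url('https://evil.example/leak')
if (!str_contains($cssAsParsed, "url('https://evil.example/leak')")) {
    throw new RuntimeException('expected the injected rule to survive entity decoding');
}

// The hardened variant refuses the payload and accepts a clean upload path.
if (bgStyleHardened($payload) !== null) {
    throw new RuntimeException('payload should be rejected');
}
echo bgStyleHardened('/storage/covers/abc123.png'), PHP_EOL;
```

The simulation shows the injected rule surviving as a second background-image declaration; in current browsers that is limited to style manipulation and an outbound request to the attacker's host, not script execution, which is consistent with the low rating. The point of the hardened variant is that the same-origin validation does the real work, and the CSS escape removes the dependence on what characters safeImage() happens to allow.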