Skip to content

Comments

Fix activitylog cleanup to require integer days input#1448

Open
sandeep728 wants to merge 1 commit intospatie:mainfrom
sandeep728:main
Open

Fix activitylog cleanup to require integer days input#1448
sandeep728 wants to merge 1 commit intospatie:mainfrom
sandeep728:main

Conversation

@sandeep728
Copy link

Summary

This PR prevents accidental full cleanup in activitylog:clean when an invalid days value is provided.

Problem

CleanActivitylogCommand previously used the days value directly in Carbon::now()->subDays($maxAgeInDays). When days is invalid (for example false), Carbon effectively treats it like 0 days in this flow, so subDays(...) returns the current date/time. That makes the cutoff become “now”, and the cleanup query can match almost all existing records (created_at < now), causing unintended mass deletion.

While callers of the command should ideally validate inputs before invoking the command, this command performs a destructive operation. For safety, I think we should also enforce validation at the command boundary.

Fix

Added strict integer validation before calculating the cutoff date:

  • Validate days using FILTER_VALIDATE_INT
  • If invalid: print a clear error and exit with status code 1. Do not delete anything.
  • If valid, cast to int and continue as before
  • This applies whether the value comes from config or CLI option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant