From 6bff4ff490cad0c828a1a2467f460b722ee746cc Mon Sep 17 00:00:00 2001 From: ClawdBot Date: Thu, 26 Mar 2026 21:13:17 +0000 Subject: [PATCH 1/2] feat: add Saloon v4 support (CVE-2026-33182, CVE-2026-33183) - Update saloonphp/saloon constraint to ^3.10|^4.0 - Update pagination-plugin to ^2.2|^2.3 and rate-limit-plugin to ^2.0|^2.5 - Fix Administrations endpoints: use relative paths instead of absolute URLs (absolute URLs are blocked in Saloon v4 to prevent SSRF) --- composer.json | 6 +++--- src/Api/Administrations/GetAdministrationRequest.php | 6 +++--- src/Api/Administrations/GetAdministrationsRequest.php | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/composer.json b/composer.json index 518648e..ec993a9 100644 --- a/composer.json +++ b/composer.json @@ -22,9 +22,9 @@ "php": "^8.2", "guzzlehttp/guzzle": "^7.9", "kelunik/link-header-rfc5988": "^1.0", - "saloonphp/pagination-plugin": "^2.2", - "saloonphp/rate-limit-plugin": "^2.0", - "saloonphp/saloon": "^3.10" + "saloonphp/pagination-plugin": "^2.2|^2.3", + "saloonphp/rate-limit-plugin": "^2.0|^2.5", + "saloonphp/saloon": "^3.10|^4.0" }, "require-dev": { "laravel/pint": "^1.17", diff --git a/src/Api/Administrations/GetAdministrationRequest.php b/src/Api/Administrations/GetAdministrationRequest.php index 741af3c..e59ff28 100644 --- a/src/Api/Administrations/GetAdministrationRequest.php +++ b/src/Api/Administrations/GetAdministrationRequest.php 
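Review bot: The new constraint `"saloonphp/saloon": "^3.10|^4.0"` still lets Composer resolve to the 3.x line, so this hunk adds v4 compatibility but does not by itself move any install off the versions the commit title associates with CVE-2026-33182 and CVE-2026-33183. If 3.x has no patched release, the constraint that enforces the fix is `^4.0` alone; if a fixed 3.x release exists, raise the 3.x floor to it. The plugin lines are effectively unchanged: `^2.2|^2.3` and `^2.0|^2.5` resolve exactly like `^2.2` and `^2.0`, because a caret range already includes later 2.x minors. If Saloon v4 needs a newer plugin minor, raise the floor itself (for example `^2.3` and `^2.5`, provided those minors still support the Saloon versions you keep). Running `composer audit` in CI would show whether the resolved set is still flagged.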
@@ -16,12 +16,12 @@ public function __construct( } /** - * Returns the full URL to bypass the connector's base URL. - * The Administrations endpoint does not use an administration ID in the path. + * The Administrations endpoint does not use an administration ID in the path, + * so we navigate up from the connector's base URL (which includes the admin ID). */ public function resolveEndpoint(): string { - return 'https://moneybird.com/api/v2/administrations/'.$this->id; + return '/../administrations/'.$this->id; } public function createDtoFromResponse(Response $response): Administration diff --git a/src/Api/Administrations/GetAdministrationsRequest.php b/src/Api/Administrations/GetAdministrationsRequest.php index 471aa61..01cbe25 100644 --- a/src/Api/Administrations/GetAdministrationsRequest.php +++ b/src/Api/Administrations/GetAdministrationsRequest.php @@ -10,12 +10,12 @@ class GetAdministrationsRequest extends BaseJsonGetRequest { /** - * Returns the full URL to bypass the connector's base URL. - * The Administrations endpoint does not use an administration ID in the path. + * The Administrations endpoint does not use an administration ID in the path, + * so we navigate up from the connector's base URL (which includes the admin ID). */ public function resolveEndpoint(): string { - return 'https://moneybird.com/api/v2/administrations'; + return '/../administrations'; } public function createDtoFromResponse(Response $response): Administration From ca0d9d3f6fd046b3cfb769ce949da04994695416 Mon Sep 17 00:00:00 2001 From: sandervanhooft <7265703+sandervanhooft@users.noreply.github.com> Date: Thu, 26 Mar 2026 21:13:40 +0000 Subject: [PATCH 2/2] Fix styling --- src/Api/Support/BaseEndpoint.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/Api/Support/BaseEndpoint.php b/src/Api/Support/BaseEndpoint.php index f7fc2cc..3c2b977 100644 --- a/src/Api/Support/BaseEndpoint.php +++ b/src/Api/Support/BaseEndpoint.php 
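Review bot: `return '/../administrations/'.$this->id;` in `resolveEndpoint()` depends on something between the client and the API collapsing the `..` segment, and it appends `$this->id` to that path unencoded. Nothing in the hunk shows where dot-segments are resolved, so a proxy or a later HTTP-client release that normalises or rejects `..` could change which URL is requested; a test asserting the final request URI under both `^3.10` and `^4.0` would pin the behaviour. Because the path already contains a traversal segment, an id containing `/`, `..` or `?` could move the request to a different path on the API host, so I would encode it: `return '/../administrations/'.rawurlencode((string) $this->id);`. The constructor is outside the hunk, so if `$id` is already constrained to an integer this is defence in depth only. The same `/../` reliance applies to `return '/../administrations';` in the `GetAdministrationsRequest.php` hunk that follows.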
@@ -4,6 +4,8 @@ namespace Sandorian\Moneybird\Api\Support; +use Saloon\Exceptions\Request\FatalRequestException; +use Saloon\Exceptions\Request\RequestException; use Saloon\Http\Request; use Saloon\PaginationPlugin\Paginator; use Sandorian\Moneybird\Api\MoneybirdApiClient; @@ -17,8 +19,8 @@ public function __construct( /** * @return mixed * - * @throws \Saloon\Exceptions\Request\FatalRequestException - * @throws \Saloon\Exceptions\Request\RequestException + * @throws FatalRequestException + * @throws RequestException */ public function create(array $data): BaseDto {