Current File : /home/gositeme/domains/soundstudiopro.com/public_html/COMPREHENSIVE_BUG_AUDIT.md
# Comprehensive Bug Audit - API.Box Integration

## Executive Summary
This audit identifies additional bugs beyond the title/duration/tags/model_name extraction issues. These bugs affect error handling, data consistency, and edge cases in the API.Box integration.

---

## 🔴 Critical Bug #1: Image URL Not Saved for Main Track

**Location:** `callback.php` throughout

**Issue:** Variations save `image_url` (line 945), but the main track never saves its `image_url` from the API response: the main-track update stores `audio_url` only, so the cover image is lost.

**Current Code:**
```php
// Variations save image_url
$stmt->execute([
    // ...
    $variation['image_url'] ?? null,  // ✅ Saved for variations
    // ...
]);

// Main track update - NO image_url
updateMusicTrack($taskId, 'complete', $localAudioUrl ?: $audioUrl, null, null, $metadata, $duration, $title, $tags, $modelName);
// ❌ image_url is never extracted or saved for main track
```

**Missing Logic:**
- No extraction of `image_url` from API response for main track
- `updateMusicTrack` function doesn't accept `image_url` parameter
- Main tracks lose their cover images

**Impact:** HIGH - Users can't see cover images for their tracks; only variations have images.

**Fix Required:**
1. Add `extractImageUrlFromCallback()` helper function
2. Add `$imageUrl` parameter to `updateMusicTrack` function
3. Extract and save image_url in all callback handlers
4. Add `image_url` column update in `updateMusicTrack`

---

## 🔴 Critical Bug #2: Task ID Not Updated When API Call Fails

**Location:** `create_music.php`, `create_track_extension.php`, `create_music_video.php`, `create_lyrics.php`, etc.

**Issue:** When the API call fails (non-200 response, curl error, or invalid response), the track keeps its `temp_task_id` and is never updated, so callbacks can't find the track.

**Current Code:**
```php
// create_music.php lines 328-345
if ($curl_error) {
    error_log("CURL Error: " . $curl_error);
    $_SESSION['success'] = 'Music generation started! Processing may take a few minutes.';
    // ❌ NO task_id update - track stays with temp_task_id
} else {
    $api_result = json_decode($response, true);
    
    if ($http_code === 200 && $api_result) {
        $real_task_id = $api_result['taskId'] ?? $api_result['id'] ?? $api_result['data']['taskId'] ?? $temp_task_id;
        // ✅ Only updates if response is valid
        $stmt = $pdo->prepare("UPDATE music_tracks SET task_id = ? WHERE id = ?");
        $stmt->execute([$real_task_id, $track_id]);
    } else {
        // ❌ NO task_id update if http_code !== 200
        $_SESSION['success'] = 'Music generation queued! Processing may take a few minutes.';
    }
}
```

**Impact:** HIGH - Tracks with failed API calls can't be matched by callbacks, leading to orphaned tracks.

**Fix Required:**
1. Always update task_id even if API call fails (use temp_task_id as fallback)
2. Set status to 'failed' if API returns error
3. Log failed API calls for monitoring

---

## 🟡 Bug #3: Inconsistent Task ID Extraction Logic

**Location:** Multiple files (`create_music.php`, `create_track_extension.php`, `create_music_video.php`, `create_lyrics.php`, `api.php`, etc.)

**Issue:** Each file has slightly different logic for extracting task_id from API response, leading to inconsistencies.

**Current Code Examples:**
```php
// create_music.php line 336
$real_task_id = $api_result['taskId'] ?? $api_result['id'] ?? $api_result['data']['taskId'] ?? $temp_task_id;

// create_track_extension.php line 121
$real_task_id = $result['taskId'] ?? $result['id'] ?? $result['data']['taskId'] ?? $temp_task_id;

// api.php line 277
$real_task_id = $api_result['taskId'] ?? $api_result['id'] ?? $api_result['data']['taskId'] ?? null;
// ❌ Different fallback (null vs temp_task_id)
```

**Impact:** MEDIUM - Some files might miss task_id extraction if API response format changes.

**Fix Required:**
1. Create centralized `extractTaskIdFromResponse()` helper function
2. Use helper function in all files that extract task_id
3. Consistent fallback behavior

---

## 🟡 Bug #4: No Validation on Task ID Updates

**Location:** All files that update task_id

**Issue:** Task IDs are updated without validation. If the API returns an invalid task_id (empty string, null, or the same value as temp_task_id), it is saved anyway.

**Current Code:**
```php
// No validation before update
$stmt = $pdo->prepare("UPDATE music_tracks SET task_id = ? WHERE id = ?");
$stmt->execute([$real_task_id, $track_id]);
// ❌ Could save empty string, null, or invalid task_id
```

**Impact:** MEDIUM - Invalid task_ids could break callback matching.

**Fix Required:**
1. Validate task_id before updating (not empty, not null, different from temp_task_id)
2. Only update if task_id is valid
3. Log when task_id update is skipped due to validation
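The following is an added example, not code from the project, showing what the centralized extraction helper for Bug #3 and the validation step for Bug #4 could look like together. The three response shapes probed (`taskId`, `id`, `data.taskId`) are the ones the audit's own snippets already check; the identifier pattern, the helper names and the `music_tracks`/`task_id` usage are assumptions based on the audit.

```php
<?php
// Added example (not the project's code): one helper for pulling the task id
// out of a decoded API.Box response, plus validation before it is persisted.
// The response shapes checked are the ones the audit's snippets probe; the
// identifier pattern and helper names are assumptions.
declare(strict_types=1);

/**
 * Extract a task id from a decoded API response, or return null when none of
 * the known shapes is present. Callers decide the fallback, so every file gets
 * the same behaviour instead of mixing null and $temp_task_id.
 */
function extractTaskIdFromResponse(?array $response): ?string
{
    if ($response === null) {
        return null;
    }
    $candidates = [
        $response['taskId'] ?? null,
        $response['id'] ?? null,
        $response['data']['taskId'] ?? null,
    ];
    foreach ($candidates as $candidate) {
        if (is_string($candidate) || is_int($candidate)) {
            $candidate = trim((string) $candidate);
            if ($candidate !== '') {
                return $candidate;
            }
        }
    }
    return null;
}

/**
 * A task id is worth saving only if it is non-empty, looks like an opaque
 * identifier (assumed: 1-64 chars of [A-Za-z0-9_-]) and differs from the
 * placeholder generated before the API call.
 */
function isValidTaskId(?string $taskId, string $tempTaskId): bool
{
    return $taskId !== null
        && $taskId !== $tempTaskId
        && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $taskId) === 1;
}

/**
 * Persist the real task id only when it passes validation; otherwise log the
 * skip and leave the row untouched (it still carries $tempTaskId). The extra
 * "AND task_id = ?" guard avoids overwriting an id that was already set.
 */
function updateTaskIdIfValid(PDO $pdo, int $trackId, ?string $taskId, string $tempTaskId): bool
{
    if (!isValidTaskId($taskId, $tempTaskId)) {
        error_log(sprintf(
            'task_id update skipped for track %d: got %s',
            $trackId,
            var_export($taskId, true)
        ));
        return false;
    }
    $stmt = $pdo->prepare('UPDATE music_tracks SET task_id = ? WHERE id = ? AND task_id = ?');
    $stmt->execute([$taskId, $trackId, $tempTaskId]);
    return $stmt->rowCount() === 1;
}

// Constructed sample responses: the three accepted shapes and three rejects.
$temp = 'temp_abc123';
$samples = [
    ['taskId' => 'fe21c0de'],             // flat key
    ['data' => ['taskId' => 'a1b2c3']],   // nested key
    ['id' => ''],                         // empty: rejected
    ['taskId' => $temp],                  // echoes the placeholder: rejected
    ['taskId' => 'not a task id!'],       // unexpected characters: rejected
];
foreach ($samples as $sample) {
    $id = extractTaskIdFromResponse($sample);
    printf("%-40s -> %s\n", json_encode($sample), isValidTaskId($id, $temp) ? "save $id" : 'skip');
}
```

Every call site would then do `updateTaskIdIfValid($pdo, $track_id, extractTaskIdFromResponse($api_result), $temp_task_id)` and the null-versus-temp fallback difference between `api.php` and the `create_*.php` files disappears.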

---

## 🟡 Bug #5: Race Condition in Callback Processing

**Location:** `callback.php`

**Issue:** Multiple callbacks for the same task_id could arrive simultaneously, causing race conditions when updating the same track.

**Current Code:**
```php
// No locking mechanism
updateMusicTrack($taskId, 'complete', $localAudioUrl ?: $audioUrl, null, null, $metadata, $duration, $title, $tags, $modelName);
// ❌ Multiple callbacks could update simultaneously
```

**Impact:** MEDIUM - Could lead to data corruption or lost updates if multiple callbacks arrive at once.

**Fix Required:**
1. Use database transactions with row-level locking
2. Check if track is already complete before updating
3. Use optimistic locking with version numbers

---

## 🟡 Bug #6: Missing Error Status Updates on API Failure

**Location:** `create_music.php`, `create_track_extension.php`, etc.

**Issue:** When the API call fails, tracks remain in 'processing' status instead of being marked as 'failed'.

**Current Code:**
```php
// create_music.php - API call fails but status stays 'processing'
if ($curl_error) {
    error_log("CURL Error: " . $curl_error);
    $_SESSION['success'] = 'Music generation started! Processing may take a few minutes.';
    // ❌ Track status remains 'processing', never marked as 'failed'
}
```

**Impact:** MEDIUM - Failed tracks stay in processing state forever, cluttering the UI.

**Fix Required:**
1. Update track status to 'failed' when API call fails
2. Store error message in metadata
3. Notify user of failure
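As an added example (not the project's code) covering the fixes for Bug #2 and Bug #6, here is a single function that records the outcome of the create-music API call so a failed call never leaves the track in 'processing'. The `status`, `task_id` and `metadata` columns and the `'failed'` value come from the audit; the function name, the error record layout and the assumption that `$pdo` uses `PDO::ERRMODE_EXCEPTION` are mine.

```php
<?php
// Added example (not the project's code): persist the result of the API call
// for a track. On failure the row keeps its temp id, gets status 'failed' and
// a bounded copy of the error merged into its metadata JSON. Column names
// follow the audit; the function name and error layout are assumptions.
declare(strict_types=1);

/**
 * Returns true when the track is now queued under a real task id, false when
 * it was marked failed. The caller picks the user-facing message from that.
 */
function recordApiCallResult(
    PDO $pdo,
    int $trackId,
    string $tempTaskId,
    ?string $curlError,
    int $httpCode,
    ?string $rawResponse
): bool {
    $decoded = $rawResponse !== null ? json_decode($rawResponse, true) : null;
    $realTaskId = null;
    if (is_array($decoded)) {
        $realTaskId = $decoded['taskId'] ?? $decoded['id'] ?? $decoded['data']['taskId'] ?? null;
    }
    $ok = $curlError === null && $httpCode === 200 && is_string($realTaskId) && $realTaskId !== '';

    if ($ok) {
        $stmt = $pdo->prepare('UPDATE music_tracks SET task_id = ? WHERE id = ?');
        $stmt->execute([$realTaskId, $trackId]);
        return true;
    }

    // Failure path: keep the temp id so the row stays findable, flip the
    // status and merge the error into whatever metadata already exists.
    $sel = $pdo->prepare('SELECT metadata FROM music_tracks WHERE id = ?');
    $sel->execute([$trackId]);
    $existing = json_decode((string) $sel->fetchColumn(), true);
    $metadata = is_array($existing) ? $existing : [];
    $metadata['error'] = [
        'stage'      => 'api_call',
        'curl_error' => $curlError,
        'http_code'  => $httpCode,
        'response'   => $rawResponse === null ? null : mb_substr($rawResponse, 0, 2000),
        'at'         => gmdate('c'),
    ];
    $stmt = $pdo->prepare('UPDATE music_tracks SET status = ?, task_id = ?, metadata = ? WHERE id = ?');
    $stmt->execute(['failed', $tempTaskId, json_encode($metadata), $trackId]);
    error_log(sprintf(
        'API call failed for track %d (http %d): %s',
        $trackId,
        $httpCode,
        $curlError ?? 'non-200 or unparseable response'
    ));
    return false;
}

// Constructed usage in create_music.php ($pdo, $track_id, $temp_task_id,
// $curl_error, $http_code and $response are the variables the audit shows).
// $queued = recordApiCallResult($pdo, $track_id, $temp_task_id, $curl_error ?: null, $http_code, $response);
// $_SESSION[$queued ? 'success' : 'error'] = $queued
//     ? 'Music generation queued! Processing may take a few minutes.'
//     : 'Music generation could not be started. Please try again.';
```

Note that `curl_error()` returns an empty string rather than null when there was no error, hence the `?: null` in the usage; the session message is chosen only after the database state reflects the real outcome, which also addresses the "notify user" item.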

---

## 🟡 Bug #7: Image URL Extraction Missing for Main Track

**Location:** `callback.php` - all callback handlers

**Issue:** Image URLs are extracted and saved for variations, but never for the main track.

**Current Code:**
```php
// Variations get image_url
$variation['image_url'] ?? null,  // ✅ Saved for variations

// Main track - NO image_url extraction
$title = extractTitleFromCallback($data);
$duration = extractDurationFromCallback($data);
// ❌ No extractImageUrlFromCallback() call
```

**Impact:** MEDIUM - Main tracks don't have cover images, only variations do.

**Fix Required:**
1. Create `extractImageUrlFromCallback()` helper function
2. Extract image_url in all callback handlers
3. Add `$imageUrl` parameter to `updateMusicTrack`
4. Save image_url for main track
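The following added example (not the project's code) implements the `extractImageUrlFromCallback()` helper called for in Bug #1 and Bug #7, plus an `updateMusicTrack` variant that accepts `$imageUrl`. The callback shapes probed are assumptions, since the audit only shows `$variation['image_url']`; the `updateMusicTrack` signature is simplified to the columns named in the audit and does not reproduce the real function's parameter list.

```php
<?php
// Added example (not the project's code): an image_url extractor for the main
// track and an updateMusicTrack variant that accepts it. The callback shapes
// probed and the simplified signature are assumptions; the image_url column
// and the variation lookup come from the audit.
declare(strict_types=1);

/**
 * Return the first usable cover-image URL in a decoded callback payload, or
 * null. Only absolute http(s) URLs are accepted so nothing but a real image
 * location ever reaches an <img src> in the UI.
 */
function extractImageUrlFromCallback(array $data): ?string
{
    $candidates = [
        $data['image_url'] ?? null,
        $data['imageUrl'] ?? null,
        $data['data']['image_url'] ?? null,
        $data['data']['imageUrl'] ?? null,
        $data['data'][0]['image_url'] ?? null,          // list-shaped payloads (assumed)
        $data['data']['data'][0]['image_url'] ?? null,  // nested list (assumed)
    ];
    foreach ($candidates as $url) {
        if (is_string($url) && isSafeImageUrl($url)) {
            return $url;
        }
    }
    return null;
}

function isSafeImageUrl(string $url): bool
{
    if (strlen($url) > 2048 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

/**
 * Update a track by task_id. Only non-null fields are written, so a callback
 * that carries no image does not erase one saved earlier.
 */
function updateMusicTrack(
    PDO $pdo,
    string $taskId,
    string $status,
    ?string $audioUrl = null,
    ?string $metadata = null,
    ?int $duration = null,
    ?string $title = null,
    ?string $tags = null,
    ?string $modelName = null,
    ?string $imageUrl = null   // the new parameter
): bool {
    $fields = [
        'status'     => $status,
        'audio_url'  => $audioUrl,
        'metadata'   => $metadata,
        'duration'   => $duration,
        'title'      => $title,
        'tags'       => $tags,
        'model_name' => $modelName,
        'image_url'  => $imageUrl,
    ];
    $set = [];
    $params = [];
    foreach ($fields as $column => $value) {   // column names are fixed here, never user input
        if ($value !== null) {
            $set[] = "$column = ?";
            $params[] = $value;
        }
    }
    $params[] = $taskId;
    $stmt = $pdo->prepare('UPDATE music_tracks SET ' . implode(', ', $set) . ' WHERE task_id = ?');
    return $stmt->execute($params);
}

// Constructed callback payloads in two of the assumed shapes.
$nested = ['data' => ['data' => [['audio_url' => 'https://cdn.example/a.mp3', 'image_url' => 'https://cdn.example/a.jpg']]]];
$badScheme = ['image_url' => 'ftp://cdn.example/a.jpg'];
printf("nested payload   -> %s\n", extractImageUrlFromCallback($nested) ?? 'null');
printf("ftp image_url    -> %s\n", extractImageUrlFromCallback($badScheme) ?? 'null');
```

In `callback.php` the call becomes `$imageUrl = extractImageUrlFromCallback($data);` next to the existing `extractTitleFromCallback` / `extractDurationFromCallback` calls, with `$imageUrl` passed as the last argument to `updateMusicTrack`.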

---

## 🟡 Bug #8: No Handling for Duplicate Callbacks

**Location:** `callback.php`

**Issue:** If the same callback is received multiple times (API retries, network issues), the system processes it multiple times, potentially causing duplicate downloads or updates.

**Current Code:**
```php
// No check if callback was already processed
updateMusicTrack($taskId, 'complete', $localAudioUrl ?: $audioUrl, ...);
// ❌ Could process same callback multiple times
```

**Impact:** LOW-MEDIUM - Wasted resources, potential duplicate data.

**Fix Required:**
1. Check if track is already complete before processing
2. Use idempotency keys or callback deduplication
3. Log duplicate callback attempts

---

## 🟡 Bug #9: Missing Error Handling in updateMusicTrack

**Location:** `config/database.php` - `updateMusicTrack` function

**Issue:** If `updateMusicTrack` fails (e.g., database error), the callback still returns success, and there's no retry mechanism.

**Current Code:**
```php
$result = $stmt->execute($params);

if ($result) {
    error_log("✅ Successfully updated music track...");
} else {
    error_log("❌ Failed to update music track...");
    // ❌ No retry, no alert, callback still returns success
}

return $result;
```

**Impact:** MEDIUM - Silent failures could lead to data loss.

**Fix Required:**
1. Implement retry logic for failed updates
2. Alert/notify on persistent failures
3. Store failed updates for manual review
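Bugs #5, #8 and #9 share one root cause: the completion callback writes to the row with no lock, no "already complete" check and no retry. The added example below (not the project's code) handles all three with a row lock (`SELECT ... FOR UPDATE`, MySQL syntax), a status guard, and a retry limited to transient lock errors. Table and column names follow the audit; the helper names, the MySQL driver codes 1213 (deadlock) and 1205 (lock wait timeout), the backoff values and the assumption that `$pdo` throws on error are mine.

```php
<?php
// Added example (not the project's code): a completion handler that locks the
// track row, refuses to re-process an already complete track, and retries the
// transaction on transient MySQL lock errors. Names and numbers are assumptions
// except for the music_tracks columns taken from the audit.
declare(strict_types=1);

/**
 * Run $work inside a transaction, retrying only on transient lock errors
 * (MySQL 1213 deadlock, 1205 lock wait timeout). Other PDOExceptions propagate
 * so the callback can answer non-2xx and be retried by the provider instead
 * of being silently acknowledged.
 */
function withRetryingTransaction(PDO $pdo, callable $work, int $maxAttempts = 3): mixed
{
    for ($attempt = 1; ; $attempt++) {
        try {
            $pdo->beginTransaction();
            $result = $work($pdo);
            $pdo->commit();
            return $result;
        } catch (PDOException $e) {
            if ($pdo->inTransaction()) {
                $pdo->rollBack();
            }
            $driverCode = (int) ($e->errorInfo[1] ?? 0);
            $transient = in_array($driverCode, [1213, 1205], true);
            if (!$transient || $attempt >= $maxAttempts) {
                error_log("updateMusicTrack gave up after $attempt attempt(s): " . $e->getMessage());
                throw $e;
            }
            usleep(50_000 * $attempt);   // short linear backoff before retrying
        }
    }
}

/**
 * Apply a 'complete' callback exactly once. Returns true if this call performed
 * the update, false if the task was unknown or already complete (duplicate).
 * Call this before downloading the audio so duplicates also skip the download.
 */
function completeTrackOnce(PDO $pdo, string $taskId, string $audioUrl, ?string $imageUrl): bool
{
    return withRetryingTransaction($pdo, function (PDO $pdo) use ($taskId, $audioUrl, $imageUrl): bool {
        // FOR UPDATE serialises concurrent callbacks for the same task_id.
        $stmt = $pdo->prepare('SELECT id, status FROM music_tracks WHERE task_id = ? FOR UPDATE');
        $stmt->execute([$taskId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            error_log("callback for unknown task_id $taskId ignored");
            return false;
        }
        if ($row['status'] === 'complete') {
            error_log("duplicate completion callback for task_id $taskId ignored");
            return false;
        }
        // The status guard in WHERE is a second line of defence if this update
        // is ever run outside the lock.
        $upd = $pdo->prepare(
            'UPDATE music_tracks SET status = ?, audio_url = ?, image_url = ? WHERE id = ? AND status <> ?'
        );
        $upd->execute(['complete', $audioUrl, $imageUrl, (int) $row['id'], 'complete']);
        return $upd->rowCount() === 1;
    });
}

// Constructed usage in callback.php: acknowledge only after a committed write.
// try {
//     $applied = completeTrackOnce($pdo, $taskId, $localAudioUrl ?: $audioUrl, $imageUrl);
//     http_response_code(200);
// } catch (PDOException $e) {
//     http_response_code(500);   // nothing was committed; let the provider retry
// }
```

Returning 500 on a persistent database failure is what gives the "retry mechanism" the audit asks for without a queue: the provider re-delivers, and the lock plus status guard make the re-delivery harmless. Anything that still fails after `$maxAttempts` is logged with the exception message, which is the record to review manually.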

---

## 🟡 Bug #10: Inconsistent Error Response Handling

**Location:** `callback.php` - error handlers

**Issue:** Error callbacks (code 400, 531) don't extract or save title, duration, tags, etc., even if they're present in the error response.

**Current Code:**
```php
// Error handlers - no field extraction
updateMusicTrack($taskId, 'failed', null, null, null, $metadata);
// ❌ Doesn't extract title, duration, etc. from error response
```

**Impact:** LOW - Error responses might contain useful metadata that's lost.

**Fix Required:**
1. Extract available fields from error responses too
2. Save partial data even on errors

---

## 📋 Recommended Fixes Priority

### HIGH Priority
1. **Fix Bug #1:** Add image_url extraction and saving for main track
2. **Fix Bug #2:** Always update task_id, mark as failed on API errors

### MEDIUM Priority
3. **Fix Bug #3:** Centralize task_id extraction logic
4. **Fix Bug #4:** Add validation for task_id updates
5. **Fix Bug #6:** Update status to 'failed' on API failures
6. **Fix Bug #7:** Extract image_url for main track

### LOW Priority
7. **Fix Bug #5:** Add locking for callback processing
8. **Fix Bug #8:** Handle duplicate callbacks
9. **Fix Bug #9:** Improve error handling in updateMusicTrack
10. **Fix Bug #10:** Extract fields from error responses

---

## 📝 Files Affected

- `callback.php` - Add image_url extraction, improve error handling
- `config/database.php` - Add image_url parameter to updateMusicTrack
- `create_music.php` - Fix task_id update on errors
- `create_track_extension.php` - Fix task_id update on errors
- `create_music_video.php` - Fix task_id update on errors
- `create_lyrics.php` - Fix task_id update on errors
- `api.php` - Fix task_id update on errors
- New file: `helpers/api_response_helpers.php` - Centralized extraction functions

---

## 🔗 Related Code References

- Image URL in variations: `callback.php:945`
- Task ID extraction: `create_music.php:336`
- Error handling: `create_music.php:328-345`
- updateMusicTrack function: `config/database.php:681`
