mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-16 22:05:20 +00:00
fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#670)
v3 port. orderByField/orderBy were passed straight into Eloquent's orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters), allowing arbitrary SQL in the ORDER BY clause. Adds App\Support\SafeOrderBy::apply() (plain/table-qualified column identifier only, asc/desc clamp) and routes all 10 model sort sinks through it. Aliased sorts (e.g. estimates by customers.name) stay valid. Adds unit tests for injection rejection, plain + aliased columns, direction clamp.
This commit is contained in:
committed by
GitHub
parent
e56b6b4fe5
commit
ca6dd57bf9
@@ -5,6 +5,7 @@ namespace App\Models;
|
||||
use App\Services\Document\InvoiceService;
|
||||
use App\Support\Pdf\PdfHtmlSanitizer;
|
||||
use App\Support\Pdf\PdfTemplateUtils;
|
||||
use App\Support\SafeOrderBy;
|
||||
use App\Traits\GeneratesPdfTrait;
|
||||
use App\Traits\HasCustomFieldsTrait;
|
||||
use Carbon\Carbon;
|
||||
@@ -257,7 +258,7 @@ class Invoice extends Model implements HasMedia
|
||||
|
||||
public function scopeWhereOrder($query, $orderByField, $orderBy)
|
||||
{
|
||||
$query->orderBy($orderByField, $orderBy);
|
||||
SafeOrderBy::apply($query, $orderByField, $orderBy);
|
||||
}
|
||||
|
||||
public function scopeApplyFilters($query, array $filters)
|
||||
@@ -286,7 +287,8 @@ class Invoice extends Model implements HasMedia
|
||||
$query->where('customer_id', $customerId);
|
||||
})->when($filters['orderByField'] ?? null, function ($query, $orderByField) use ($filters) {
|
||||
$orderBy = $filters['orderBy'] ?? 'desc';
|
||||
$query->orderBy($orderByField, $orderBy);
|
||||
|
||||
SafeOrderBy::apply($query, $orderByField, $orderBy);
|
||||
}, function ($query) {
|
||||
$query->orderBy('sequence_number', 'desc');
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user