fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#670)

v3 port. orderByField/orderBy were passed straight into Eloquent's orderBy()
in every model's scopeWhereOrder (and Invoice::scopeApplyFilters), allowing
arbitrary SQL in the ORDER BY clause.

Adds App\Support\SafeOrderBy::apply() (plain/table-qualified column identifier
only, asc/desc clamp) and routes all 10 model sort sinks through it. Aliased
sorts (e.g. estimates by customers.name) stay valid.

Adds unit tests for injection rejection, plain + aliased columns, direction clamp.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 11:02:15 +02:00
committed by GitHub
parent e56b6b4fe5
commit ca6dd57bf9
12 changed files with 85 additions and 11 deletions

View File

@@ -3,6 +3,7 @@
namespace App\Models;
use App\Notifications\MailResetPasswordNotification;
use App\Support\SafeOrderBy;
use App\Traits\HasCustomFieldsTrait;
use Carbon\Carbon;
use Illuminate\Database\Eloquent\Factories\HasFactory;
@@ -194,7 +195,7 @@ class User extends Authenticatable implements HasMedia
public function scopeWhereOrder($query, $orderByField, $orderBy)
{
$query->orderBy($orderByField, $orderBy);
SafeOrderBy::apply($query, $orderByField, $orderBy);
}
public function scopeWhereSearch($query, $search)