mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 14:25:21 +00:00
fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#670)
v3 port. orderByField/orderBy were passed straight into Eloquent's orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters), allowing arbitrary SQL in the ORDER BY clause. Adds App\Support\SafeOrderBy::apply() (plain/table-qualified column identifier only, asc/desc clamp) and routes all 10 model sort sinks through it. Aliased sorts (e.g. estimates by customers.name) stay valid. Adds unit tests for injection rejection, plain + aliased columns, direction clamp.
This commit is contained in:
committed by
GitHub
parent
e56b6b4fe5
commit
ca6dd57bf9
31
app/Support/SafeOrderBy.php
Normal file
31
app/Support/SafeOrderBy.php
Normal file
@@ -0,0 +1,31 @@
|
||||
<?php
|
||||
|
||||
namespace App\Support;
|
||||
|
||||
class SafeOrderBy
|
||||
{
|
||||
/**
|
||||
* Apply a safe ORDER BY clause.
|
||||
*
|
||||
* The orderByField / orderBy values originate from user-supplied query
|
||||
* parameters and were previously passed straight into Eloquent's orderBy(),
|
||||
* allowing arbitrary SQL expressions in the ORDER BY clause (boolean-based
|
||||
* blind injection). Only a plain, optionally table-qualified column
|
||||
* identifier is accepted as the sort target; anything containing SQL syntax
|
||||
* (parentheses, whitespace, sub-selects, ...) falls back to a safe default.
|
||||
* The direction is clamped to asc/desc. Column aliases such as a joined
|
||||
* "customers.name" remain valid, so legitimate sorts are unaffected.
|
||||
*/
|
||||
public static function apply($query, $orderByField, $orderBy = 'desc', string $default = 'created_at')
|
||||
{
|
||||
$direction = strtolower((string) $orderBy) === 'asc' ? 'asc' : 'desc';
|
||||
|
||||
$field = is_string($orderByField) ? $orderByField : '';
|
||||
|
||||
if (! preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $field)) {
|
||||
$field = $default;
|
||||
}
|
||||
|
||||
return $query->orderBy($field, $direction);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user