mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 14:25:21 +00:00
fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#663)
The orderByField/orderBy query params were passed straight into Eloquent's orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters), allowing arbitrary SQL in the ORDER BY clause (boolean-based blind injection). Adds App\Support\SafeOrderBy::apply() which only accepts a plain, optionally table-qualified column identifier as the sort target (rejecting expressions, sub-selects, etc.) and clamps the direction to asc/desc. Routed all 10 model sort sinks through it. Table-qualified columns stay valid, so joined/aliased sorts (e.g. estimates by customers.name) are unaffected. Adds unit tests covering injection rejection, plain + aliased columns, and direction clamping.
This commit is contained in:
committed by
GitHub
parent
5839d8385d
commit
e92b08ef6a
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\SafeOrderBy;
|
||||
use Carbon\Carbon;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
@@ -32,7 +33,7 @@ class FileDisk extends Model
|
||||
|
||||
public function scopeWhereOrder($query, $orderByField, $orderBy)
|
||||
{
|
||||
$query->orderBy($orderByField, $orderBy);
|
||||
return SafeOrderBy::apply($query, $orderByField, $orderBy);
|
||||
}
|
||||
|
||||
public function scopeFileDisksBetween($query, $start, $end)
|
||||
|
||||
Reference in New Issue
Block a user