fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#663)

The orderByField/orderBy query params were passed straight into Eloquent's
orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters),
allowing arbitrary SQL in the ORDER BY clause (boolean-based blind injection).

Adds App\Support\SafeOrderBy::apply() which only accepts a plain, optionally
table-qualified column identifier as the sort target (rejecting expressions,
sub-selects, etc.) and clamps the direction to asc/desc. Routed all 10 model
sort sinks through it. Table-qualified columns stay valid, so joined/aliased
sorts (e.g. estimates by customers.name) are unaffected.

Adds unit tests covering injection rejection, plain + aliased columns, and
direction clamping.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 09:18:29 +02:00
committed by GitHub
parent 5839d8385d
commit e92b08ef6a
12 changed files with 85 additions and 11 deletions

View File

@@ -8,6 +8,7 @@ use App\Facades\PDF;
use App\Mail\SendInvoiceMail;
use App\Services\SerialNumberFormatter;
use App\Space\PdfTemplateUtils;
use App\Support\SafeOrderBy;
use App\Traits\GeneratesPdfTrait;
use App\Traits\HasCustomFieldsTrait;
use Carbon\Carbon;
@@ -259,7 +260,7 @@ class Invoice extends Model implements HasMedia
public function scopeWhereOrder($query, $orderByField, $orderBy)
{
$query->orderBy($orderByField, $orderBy);
return SafeOrderBy::apply($query, $orderByField, $orderBy);
}
public function scopeApplyFilters($query, array $filters)
@@ -288,7 +289,8 @@ class Invoice extends Model implements HasMedia
$query->where('customer_id', $customerId);
})->when($filters['orderByField'] ?? null, function ($query, $orderByField) use ($filters) {
$orderBy = $filters['orderBy'] ?? 'desc';
$query->orderBy($orderByField, $orderBy);
return SafeOrderBy::apply($query, $orderByField, $orderBy);
}, function ($query) {
$query->orderBy('sequence_number', 'desc');
});