mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 06:15:20 +00:00
fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#663)
The orderByField/orderBy query params were passed straight into Eloquent's orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters), allowing arbitrary SQL in the ORDER BY clause (boolean-based blind injection). Adds App\Support\SafeOrderBy::apply() which only accepts a plain, optionally table-qualified column identifier as the sort target (rejecting expressions, sub-selects, etc.) and clamps the direction to asc/desc. Routed all 10 model sort sinks through it. Table-qualified columns stay valid, so joined/aliased sorts (e.g. estimates by customers.name) are unaffected. Adds unit tests covering injection rejection, plain + aliased columns, and direction clamping.
This commit is contained in:
committed by
GitHub
parent
5839d8385d
commit
e92b08ef6a
32
tests/Unit/SafeOrderByTest.php
Normal file
32
tests/Unit/SafeOrderByTest.php
Normal file
@@ -0,0 +1,32 @@
|
||||
<?php
|
||||
|
||||
use App\Support\SafeOrderBy;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
|
||||
test('rejects sql expressions in the order-by field', function () {
|
||||
$sql = strtolower(
|
||||
SafeOrderBy::apply(DB::table('invoices'), '(CASE WHEN (SELECT 1)=1 THEN id ELSE total END)', 'asc')->toSql()
|
||||
);
|
||||
|
||||
expect($sql)->toContain('order by')
|
||||
->and($sql)->not->toContain('case')
|
||||
->and($sql)->not->toContain('select 1');
|
||||
});
|
||||
|
||||
test('allows a plain column', function () {
|
||||
$sql = strtolower(SafeOrderBy::apply(DB::table('invoices'), 'invoice_date', 'asc')->toSql());
|
||||
|
||||
expect($sql)->toContain('order by')->and($sql)->toContain('invoice_date');
|
||||
});
|
||||
|
||||
test('allows a table-qualified column so joined/aliased sorts keep working', function () {
|
||||
$sql = strtolower(SafeOrderBy::apply(DB::table('estimates'), 'customers.name', 'asc')->toSql());
|
||||
|
||||
expect($sql)->toContain('customers')->and($sql)->toContain('name');
|
||||
});
|
||||
|
||||
test('clamps the direction to asc/desc', function () {
|
||||
$sql = strtolower(SafeOrderBy::apply(DB::table('invoices'), 'id', 'asc); drop table users; --')->toSql());
|
||||
|
||||
expect($sql)->toContain('order by')->and($sql)->not->toContain('drop table');
|
||||
});
|
||||
Reference in New Issue
Block a user