Files
InvoiceShelf/app/Models/Expense.php
Darko Gjorgjijoski e92b08ef6a fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#663)
The orderByField/orderBy query params were passed straight into Eloquent's
orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters),
allowing arbitrary SQL in the ORDER BY clause (boolean-based blind injection).

Adds App\Support\SafeOrderBy::apply() which only accepts a plain, optionally
table-qualified column identifier as the sort target (rejecting expressions,
sub-selects, etc.) and clamps the direction to asc/desc. Routed all 10 model
sort sinks through it. Table-qualified columns stay valid, so joined/aliased
sorts (e.g. estimates by customers.name) are unaffected.

Adds unit tests covering injection rejection, plain + aliased columns, and
direction clamping.
2026-06-12 09:18:29 +02:00

285 lines
7.7 KiB
PHP

<?php
namespace App\Models;
use App\Support\SafeOrderBy;
use App\Traits\HasCustomFieldsTrait;
use Carbon\Carbon;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Support\Facades\DB;
use Spatie\MediaLibrary\HasMedia;
use Spatie\MediaLibrary\InteractsWithMedia;
class Expense extends Model implements HasMedia
{
use HasCustomFieldsTrait;
use HasFactory;
use InteractsWithMedia;
protected $dates = [
'expense_date',
];
protected $guarded = ['id'];
protected $appends = [
'formattedExpenseDate',
'formattedCreatedAt',
'receipt',
'receiptMeta',
];
protected function casts(): array
{
return [
'notes' => 'string',
'exchange_rate' => 'float',
];
}
public function category(): BelongsTo
{
return $this->belongsTo(ExpenseCategory::class, 'expense_category_id');
}
public function customer(): BelongsTo
{
return $this->belongsTo(Customer::class, 'customer_id');
}
public function company(): BelongsTo
{
return $this->belongsTo(Company::class, 'company_id');
}
public function paymentMethod(): BelongsTo
{
return $this->belongsTo(PaymentMethod::class);
}
public function currency(): BelongsTo
{
return $this->belongsTo(Currency::class, 'currency_id');
}
public function creator(): BelongsTo
{
return $this->belongsTo(User::class, 'creator_id');
}
public function getFormattedExpenseDateAttribute($value)
{
$dateFormat = CompanySetting::getSetting('carbon_date_format', $this->company_id);
return Carbon::parse($this->expense_date)->translatedFormat($dateFormat);
}
public function getFormattedCreatedAtAttribute($value)
{
$dateFormat = CompanySetting::getSetting('carbon_date_format', $this->company_id);
return Carbon::parse($this->created_at)->translatedFormat($dateFormat);
}
public function getReceiptUrlAttribute($value)
{
$media = $this->getFirstMedia('receipts');
if ($media) {
return [
'url' => $media->getFullUrl(),
'type' => $media->type,
];
}
return null;
}
public function getReceiptAttribute($value)
{
$media = $this->getFirstMedia('receipts');
if ($media) {
return $media->getPath();
}
return null;
}
public function getReceiptMetaAttribute($value)
{
$media = $this->getFirstMedia('receipts');
if ($media) {
return $media;
}
return null;
}
public function scopeExpensesBetween($query, $start, $end)
{
return $query->whereBetween(
'expenses.expense_date',
[$start->format('Y-m-d'), $end->format('Y-m-d')]
);
}
public function scopeWhereCategoryName($query, $search)
{
foreach (explode(' ', $search) as $term) {
$query->whereHas('category', function ($query) use ($term) {
$query->where('name', 'LIKE', '%'.$term.'%');
});
}
}
public function scopeWhereNotes($query, $search)
{
$query->where('notes', 'LIKE', '%'.$search.'%');
}
public function scopeWhereCategory($query, $categoryId)
{
return $query->where('expenses.expense_category_id', $categoryId);
}
public function scopeWhereUser($query, $customer_id)
{
return $query->where('expenses.customer_id', $customer_id);
}
public function scopeApplyFilters($query, array $filters)
{
$filters = collect($filters);
if ($filters->get('expense_category_id')) {
$query->whereCategory($filters->get('expense_category_id'));
}
if ($filters->get('customer_id')) {
$query->whereUser($filters->get('customer_id'));
}
if ($filters->get('expense_id')) {
$query->whereExpense($filters->get('expense_id'));
}
if ($filters->get('from_date') && $filters->get('to_date')) {
$start = Carbon::createFromFormat('Y-m-d', $filters->get('from_date'));
$end = Carbon::createFromFormat('Y-m-d', $filters->get('to_date'));
$query->expensesBetween($start, $end);
}
if ($filters->get('orderByField') || $filters->get('orderBy')) {
$field = $filters->get('orderByField') ? $filters->get('orderByField') : 'expense_date';
$orderBy = $filters->get('orderBy') ? $filters->get('orderBy') : 'asc';
$query->whereOrder($field, $orderBy);
}
if ($filters->get('search')) {
$query->whereSearch($filters->get('search'));
}
}
public function scopeWhereExpense($query, $expense_id)
{
$query->orWhere('id', $expense_id);
}
public function scopeWhereSearch($query, $search)
{
foreach (explode(' ', $search) as $term) {
$query->whereHas('category', function ($query) use ($term) {
$query->where('name', 'LIKE', '%'.$term.'%');
})
->orWhere('notes', 'LIKE', '%'.$term.'%');
}
}
public function scopeWhereOrder($query, $orderByField, $orderBy)
{
return SafeOrderBy::apply($query, $orderByField, $orderBy);
}
public function scopeWhereCompany($query)
{
$query->where('expenses.company_id', request()->header('company'));
}
public function scopeWhereCompanyId($query, $company)
{
$query->where('expenses.company_id', $company);
}
public function scopePaginateData($query, $limit)
{
if ($limit == 'all') {
return $query->get();
}
return $query->paginate($limit);
}
public function scopeExpensesAttributes($query)
{
$query->select(
DB::raw('
count(*) as expenses_count,
sum(base_amount) as total_amount,
expense_category_id')
)
->groupBy('expense_category_id');
}
public static function createExpense($request)
{
$expense = self::create($request->getExpensePayload());
$company_currency = CompanySetting::getSetting('currency', $request->header('company'));
if ((string) $expense['currency_id'] !== $company_currency) {
ExchangeRateLog::addExchangeRateLog($expense);
}
if ($request->hasFile('attachment_receipt')) {
$expense->addMediaFromRequest('attachment_receipt')->toMediaCollection('receipts');
}
if ($request->customFields) {
$expense->addCustomFields(json_decode($request->customFields));
}
return $expense;
}
public function updateExpense($request)
{
$data = $request->getExpensePayload();
$this->update($data);
$company_currency = CompanySetting::getSetting('currency', $request->header('company'));
if ((string) $data['currency_id'] !== $company_currency) {
ExchangeRateLog::addExchangeRateLog($this);
}
if (isset($request->is_attachment_receipt_removed) && (bool) $request->is_attachment_receipt_removed) {
$this->clearMediaCollection('receipts');
}
if ($request->hasFile('attachment_receipt')) {
$this->clearMediaCollection('receipts');
$this->addMediaFromRequest('attachment_receipt')->toMediaCollection('receipts');
}
if ($request->customFields) {
$this->updateCustomFields(json_decode($request->customFields));
}
return true;
}
}