Files
InvoiceShelf/app/Support/SafeOrderBy.php
Darko Gjorgjijoski e92b08ef6a fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#663)
The orderByField/orderBy query params were passed straight into Eloquent's
orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters),
allowing arbitrary SQL in the ORDER BY clause (boolean-based blind injection).

Adds App\Support\SafeOrderBy::apply() which only accepts a plain, optionally
table-qualified column identifier as the sort target (rejecting expressions,
sub-selects, etc.) and clamps the direction to asc/desc. Routed all 10 model
sort sinks through it. Table-qualified columns stay valid, so joined/aliased
sorts (e.g. estimates by customers.name) are unaffected.

Adds unit tests covering injection rejection, plain + aliased columns, and
direction clamping.
2026-06-12 09:18:29 +02:00

32 lines
1.2 KiB
PHP

<?php
namespace App\Support;
class SafeOrderBy
{
/**
* Apply a safe ORDER BY clause.
*
* The orderByField / orderBy values originate from user-supplied query
* parameters and were previously passed straight into Eloquent's orderBy(),
* allowing arbitrary SQL expressions in the ORDER BY clause (boolean-based
* blind injection). Only a plain, optionally table-qualified column
* identifier is accepted as the sort target; anything containing SQL syntax
* (parentheses, whitespace, sub-selects, ...) falls back to a safe default.
* The direction is clamped to asc/desc. Column aliases such as a joined
* "customers.name" remain valid, so legitimate sorts are unaffected.
*/
public static function apply($query, $orderByField, $orderBy = 'desc', string $default = 'created_at')
{
$direction = strtolower((string) $orderBy) === 'asc' ? 'asc' : 'desc';
$field = is_string($orderByField) ? $orderByField : '';
if (! preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $field)) {
$field = $default;
}
return $query->orderBy($field, $direction);
}
}