Files
InvoiceShelf/app/Models/TaxType.php
Darko Gjorgjijoski e92b08ef6a fix(security): block ORDER BY SQL injection via orderByField (GHSA-cp8p) (#663)
The orderByField/orderBy query params were passed straight into Eloquent's
orderBy() in every model's scopeWhereOrder (and Invoice::scopeApplyFilters),
allowing arbitrary SQL in the ORDER BY clause (boolean-based blind injection).

Adds App\Support\SafeOrderBy::apply() which only accepts a plain, optionally
table-qualified column identifier as the sort target (rejecting expressions,
sub-selects, etc.) and clamps the direction to asc/desc. Routed all 10 model
sort sinks through it. Table-qualified columns stay valid, so joined/aliased
sorts (e.g. estimates by customers.name) are unaffected.

Adds unit tests covering injection rejection, plain + aliased columns, and
direction clamping.
2026-06-12 09:18:29 +02:00

94 lines
2.3 KiB
PHP

<?php
namespace App\Models;
use App\Support\SafeOrderBy;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Database\Eloquent\Relations\HasMany;
class TaxType extends Model
{
use HasFactory;
protected $guarded = [
'id',
];
protected function casts(): array
{
return [
'percent' => 'float',
'fixed_amount' => 'integer',
'compound_tax' => 'boolean',
];
}
public const TYPE_GENERAL = 'GENERAL';
public const TYPE_MODULE = 'MODULE';
public function taxes(): HasMany
{
return $this->hasMany(Tax::class);
}
public function company(): BelongsTo
{
return $this->belongsTo(Company::class);
}
public function scopeWhereCompany($query)
{
$query->where('company_id', request()->header('company'));
}
public function scopeWhereTaxType($query, $tax_type_id)
{
$query->orWhere('id', $tax_type_id);
}
public function scopeApplyFilters($query, array $filters)
{
$filters = collect($filters);
if ($filters->get('tax_type_id')) {
$query->whereTaxType($filters->get('tax_type_id'));
}
if ($filters->get('company_id')) {
$query->whereCompany($filters->get('company_id'));
}
if ($filters->get('search')) {
$query->whereSearch($filters->get('search'));
}
if ($filters->get('orderByField') || $filters->get('orderBy')) {
$field = $filters->get('orderByField') ? $filters->get('orderByField') : 'payment_number';
$orderBy = $filters->get('orderBy') ? $filters->get('orderBy') : 'asc';
$query->whereOrder($field, $orderBy);
}
}
public function scopeWhereOrder($query, $orderByField, $orderBy)
{
return SafeOrderBy::apply($query, $orderByField, $orderBy);
}
public function scopeWhereSearch($query, $search)
{
$query->where('name', 'LIKE', '%'.$search.'%');
}
public function scopePaginateData($query, $limit)
{
if ($limit == 'all') {
return $query->get();
}
return $query->paginate($limit);
}
}