From 0ac43ce025274345c80773b57a09a48a8fa70a08 Mon Sep 17 00:00:00 2001 From: Guy Marriott Date: Tue, 12 Feb 2019 15:28:03 +1300 Subject: [PATCH 1/3] FIX Caching the result of counting a foreign list for performance --- src/ORM/FieldType/DBForeignKey.php | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/src/ORM/FieldType/DBForeignKey.php b/src/ORM/FieldType/DBForeignKey.php index f40cfe041..109eb3846 100644 --- a/src/ORM/FieldType/DBForeignKey.php +++ b/src/ORM/FieldType/DBForeignKey.php @@ -43,6 +43,13 @@ class DBForeignKey extends DBInt private static $default_search_filter_class = 'ExactMatchFilter'; + /** + * Cache for multiple subsequent calls to scaffold form fields with the same foreign key object + * + * @var array + */ + protected static $foreignListCache = []; + public function __construct($name, $object = null) { $this->object = $object; @@ -74,8 +81,21 @@ class DBForeignKey extends DBInt // Don't scaffold a dropdown for large tables, as making the list concrete // might exceed the available PHP memory in creating too many DataObject instances $threshold = self::config()->get('dropdown_field_threshold'); - if ($list->count() < $threshold) { - $field = new DropdownField($this->name, $title, $list->map('ID', $titleField)); + + // Add the count of the list to a cache for subsequent calls + if (!isset(static::$foreignListCache[$hasOneClass])) { + static::$foreignListCache[$hasOneClass] = [ + 'count' => $list->count(), + ]; + } + + if (static::$foreignListCache[$hasOneClass]['count'] < $threshold) { + // Add the mapped list for the cache + if (!isset(static::$foreignListCache[$hasOneClass]['map'])) { + static::$foreignListCache[$hasOneClass]['map'] = $list->map('ID', $titleField); + } + + $field = new DropdownField($this->name, $title, static::$foreignListCache[$hasOneClass]['map']); $field->setEmptyString(' '); } else { $field = new NumericField($this->name, $title); From 25bba49923a5a2cc90afcc64c58184b2fb0f2e20 Mon Sep 17 00:00:00 2001 From: Maxime Rainville Date: Tue, 18 Dec 2018 16:46:56 +1300 Subject: [PATCH 2/3] [SS-2018-021] Fix potential SQL vulnerability in non-scalar value hyrdation --- src/ORM/DataObject.php | 27 ++++++++++ src/ORM/FieldType/DBComposite.php | 5 ++ src/ORM/FieldType/DBField.php | 23 ++++++--- src/ORM/FieldType/DBString.php | 2 +- src/ORM/ManyManyList.php | 14 ++++++ tests/php/ORM/DBFieldTest.php | 63 ++++++++++++++++++++++++ tests/php/ORM/DataObjectTest.php | 18 +++++++ tests/php/ORM/DataObjectTest/Company.php | 4 +- tests/php/ORM/DataObjectTest/Team.php | 4 +- 9 files changed, 150 insertions(+), 10 deletions(-) diff --git a/src/ORM/DataObject.php b/src/ORM/DataObject.php index a47034381..85ad5d8f1 100644 --- a/src/ORM/DataObject.php +++ b/src/ORM/DataObject.php @@ -1450,6 +1450,7 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity * @param string $baseTable Base table * @param string $now Timestamp to use for the current time * @param bool $isNewRecord If this is a new record + * @throws InvalidArgumentException */ protected function writeManipulation($baseTable, $now, $isNewRecord) { @@ -1468,6 +1469,20 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity $manipulation[$baseTable]['command'] = 'update'; } + // Make sure none of our field assignment are arrays + foreach ($manipulation as $tableManipulation) { + if (!isset($tableManipulation['fields'])) { + continue; + } + foreach ($tableManipulation['fields'] as $fieldValue) { + if (is_array($fieldValue)) { + throw new InvalidArgumentException( + 'DataObject::writeManipulation: parameterised field assignments are disallowed' + ); + } + } + } + // Perform the manipulation DB::manipulate($manipulation); } @@ -2627,6 +2642,18 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity throw new InvalidArgumentException('DataObject::setField: passed an object that is not a DBField'); } + if (!empty($val) && !is_scalar($val)) { + $dbField = $this->dbObject($fieldName); + if ($dbField && $dbField->scalarValueOnly()) { + throw new InvalidArgumentException( + sprintf( + 'DataObject::setField: %s only accepts scalars', + $fieldName + ) + ); + } + } + // if a field is not existing or has strictly changed if (!isset($this->record[$fieldName]) || $this->record[$fieldName] !== $val) { // TODO Add check for php-level defaults which are not set in the db diff --git a/src/ORM/FieldType/DBComposite.php b/src/ORM/FieldType/DBComposite.php index 781cd200c..c8c2bb4f0 100644 --- a/src/ORM/FieldType/DBComposite.php +++ b/src/ORM/FieldType/DBComposite.php @@ -329,4 +329,9 @@ abstract class DBComposite extends DBField ]; } } + + public function scalarValueOnly() + { + return false; + } } diff --git a/src/ORM/FieldType/DBField.php b/src/ORM/FieldType/DBField.php index 70aa13cb4..73d7172d4 100644 --- a/src/ORM/FieldType/DBField.php +++ b/src/ORM/FieldType/DBField.php @@ -335,18 +335,16 @@ abstract class DBField extends ViewableData implements DBIndexable * will be escaped automatically by the prepared query processor, so it * should not be escaped or quoted at all. * - * The field values could also be in paramaterised format, such as - * array('MAX(?,?)' => array(42, 69)), allowing the use of raw SQL values such as - * array('NOW()' => array()). - * - * @see SQLWriteExpression::addAssignments for syntax examples - * * @param $value mixed The value to check * @return mixed The raw value, or escaped parameterised details */ public function prepValueForDB($value) { - if ($value === null || $value === "" || $value === false) { + if ($value === null || + $value === "" || + $value === false || + ($this->scalarValueOnly() && !is_scalar($value)) + ) { return null; } else { return $value; @@ -653,4 +651,15 @@ DBG; } return null; } + + /** + * Whether or not this DBField only accepts scalar values. + * + * Composite DBFields can override this method and return `false` so they can accept arrays of values. + * @return boolean + */ + public function scalarValueOnly() + { + return true; + } } diff --git a/src/ORM/FieldType/DBString.php b/src/ORM/FieldType/DBString.php index 3732c0952..d40481dd7 100644 --- a/src/ORM/FieldType/DBString.php +++ b/src/ORM/FieldType/DBString.php @@ -94,7 +94,7 @@ abstract class DBString extends DBField public function prepValueForDB($value) { // Cast non-empty value - if (strlen($value)) { + if (is_scalar($value) && strlen($value)) { return (string)$value; } diff --git a/src/ORM/ManyManyList.php b/src/ORM/ManyManyList.php index ee77bb557..2477ea574 100644 --- a/src/ORM/ManyManyList.php +++ b/src/ORM/ManyManyList.php @@ -300,6 +300,20 @@ class ManyManyList extends RelationList $manipulation[$this->joinTable]['fields'][$this->localKey] = $itemID; $manipulation[$this->joinTable]['fields'][$this->foreignKey] = $foreignID; + // Make sure none of our field assignments are arrays + foreach ($manipulation as $tableManipulation) { + if (!isset($tableManipulation['fields'])) { + continue; + } + foreach ($tableManipulation['fields'] as $fieldValue) { + if (is_array($fieldValue)) { + throw new InvalidArgumentException( + 'ManyManyList::add: parameterised field assignments are disallowed' + ); + } + } + } + DB::manipulate($manipulation); } } diff --git a/tests/php/ORM/DBFieldTest.php b/tests/php/ORM/DBFieldTest.php index 8946d72c9..fb3bb6bf4 100644 --- a/tests/php/ORM/DBFieldTest.php +++ b/tests/php/ORM/DBFieldTest.php @@ -2,17 +2,32 @@ namespace SilverStripe\ORM\Tests; +use SilverStripe\Assets\Image; use SilverStripe\ORM\FieldType\DBBigInt; use SilverStripe\ORM\FieldType\DBBoolean; +use SilverStripe\ORM\FieldType\DBCurrency; +use SilverStripe\ORM\FieldType\DBDate; +use SilverStripe\ORM\FieldType\DBDatetime; use SilverStripe\ORM\FieldType\DBDecimal; use SilverStripe\ORM\FieldType\DBDouble; +use SilverStripe\ORM\FieldType\DBEnum; use SilverStripe\ORM\FieldType\DBFloat; +use SilverStripe\ORM\FieldType\DBForeignKey; use SilverStripe\ORM\FieldType\DBHTMLText; +use SilverStripe\ORM\FieldType\DBHTMLVarchar; +use SilverStripe\ORM\FieldType\DBInt; +use SilverStripe\ORM\FieldType\DBLocale; +use SilverStripe\ORM\FieldType\DBMoney; +use SilverStripe\ORM\FieldType\DBMultiEnum; +use SilverStripe\ORM\FieldType\DBPercentage; +use SilverStripe\ORM\FieldType\DBPolymorphicForeignKey; +use SilverStripe\ORM\FieldType\DBPrimaryKey; use SilverStripe\ORM\FieldType\DBString; use SilverStripe\ORM\FieldType\DBTime; use SilverStripe\ORM\FieldType\DBVarchar; use SilverStripe\ORM\FieldType\DBText; use SilverStripe\Dev\SapphireTest; +use SilverStripe\ORM\FieldType\DBYear; /** * Tests for DBField objects. @@ -189,6 +204,54 @@ class DBFieldTest extends SapphireTest $this->assertEquals(PHP_INT_MAX, $bigInt->getValue()); } + /** + * @dataProvider dataProviderPrepValueForDBArrayValue + */ + public function testPrepValueForDBArrayValue($dbFieldName, $scalarValueOnly, $extraArgs = []) + { + $reflection = new \ReflectionClass($dbFieldName); + /** + * @var DBField + */ + $dbField = $reflection->newInstanceArgs($extraArgs); + $dbField->setName('SomeField'); + $payload = ['GREATEST(0,?)' => '2']; + $preparedValue = $dbField->prepValueForDB($payload); + $this->assertTrue( + !$scalarValueOnly || !is_array($preparedValue), + '`prepValueForDB` can not return an array if scalarValueOnly is true' + ); + $this->assertEquals($scalarValueOnly, $dbField->scalarValueOnly()); + } + + public function dataProviderPrepValueForDBArrayValue() + { + return [ + [DBBigInt::class, true], + [DBBoolean::class, true], + [DBCurrency::class, true], + [DBDate::class, true], + [DBDatetime::class, true], + [DBDecimal::class, true], + [DBDouble::class, true], + [DBEnum::class, true], + [DBFloat::class, true], + [DBForeignKey::class, true, ['SomeField']], + [DBHTMLText::class, true], + [DBHTMLVarchar::class, true], + [DBInt::class, true], + [DBLocale::class, true], + [DBMoney::class, false], + [DBMultiEnum::class, true, ['SomeField', ['One', 'Two', 'Three']]], + [DBPercentage::class, true], + [DBPolymorphicForeignKey::class, false, ['SomeField']], + [DBText::class, true], + [DBTime::class, true], + [DBVarchar::class, true], + [DBYear::class, true], + ]; + } + public function testExists() { $varcharField = new DBVarchar("testfield"); diff --git a/tests/php/ORM/DataObjectTest.php b/tests/php/ORM/DataObjectTest.php index 8d2a1dec3..5f1fa961f 100644 --- a/tests/php/ORM/DataObjectTest.php +++ b/tests/php/ORM/DataObjectTest.php @@ -17,7 +17,9 @@ use SilverStripe\ORM\FieldType\DBField; use SilverStripe\ORM\FieldType\DBPolymorphicForeignKey; use SilverStripe\ORM\FieldType\DBVarchar; use SilverStripe\ORM\ManyManyList; +use SilverStripe\ORM\Tests\DataObjectTest\Company; use SilverStripe\ORM\Tests\DataObjectTest\Player; +use SilverStripe\ORM\Tests\DataObjectTest\Team; use SilverStripe\View\ViewableData; use stdClass; @@ -2235,4 +2237,20 @@ class DataObjectTest extends SapphireTest ['"DataObjectTest_TeamComment"."Name"' => 'does not exists'] )); } + + public function testSetFieldWithArrayOnScalarOnlyField() + { + $this->expectException(InvalidArgumentException::class); + $do = Company::singleton(); + $do->FoundationYear = '1984'; + $do->FoundationYear = array('Amount' => 123, 'Currency' => 'CAD'); + $this->assertEmpty($do->FoundationYear); + } + + public function testSetFieldWithArrayOnCompositeField() + { + $do = Company::singleton(); + $do->SalaryCap = array('Amount' => 123456, 'Currency' => 'CAD'); + $this->assertNotEmpty($do->SalaryCap); + } } diff --git a/tests/php/ORM/DataObjectTest/Company.php b/tests/php/ORM/DataObjectTest/Company.php index c17e47d40..a9107e263 100644 --- a/tests/php/ORM/DataObjectTest/Company.php +++ b/tests/php/ORM/DataObjectTest/Company.php @@ -10,7 +10,9 @@ class Company extends DataObject implements TestOnly private static $table_name = 'DataObjectTest_Company'; private static $db = [ - 'Name' => 'Varchar' + 'Name' => 'Varchar', + 'MarketValue' => 'Money', + 'FoundationYear' => 'Year' ]; private static $has_one = [ diff --git a/tests/php/ORM/DataObjectTest/Team.php b/tests/php/ORM/DataObjectTest/Team.php index 014ef9595..12de9b467 100644 --- a/tests/php/ORM/DataObjectTest/Team.php +++ b/tests/php/ORM/DataObjectTest/Team.php @@ -10,6 +10,8 @@ use SilverStripe\ORM\ManyManyList; /** * @property string Title * @property string DatabaseField + * @property array SalaryCap + * @property string FoundationYear * @method Player Captain() * @method Player Founder() * @method Player HasOneRelationship() @@ -27,7 +29,7 @@ class Team extends DataObject implements TestOnly private static $db = array( 'Title' => 'Varchar', - 'DatabaseField' => 'HTMLVarchar' + 'DatabaseField' => 'HTMLVarchar', ); private static $has_one = array( From 70fc2d6f1d92a834649214bd80126ebc6c2dcb86 Mon Sep 17 00:00:00 2001 From: Aaron Carlino Date: Mon, 18 Feb 2019 16:47:33 +1300 Subject: [PATCH 3/3] Add 4.3.1 changelog --- docs/en/04_Changelogs/4.3.1.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 docs/en/04_Changelogs/4.3.1.md diff --git a/docs/en/04_Changelogs/4.3.1.md b/docs/en/04_Changelogs/4.3.1.md new file mode 100644 index 000000000..33ebab20f --- /dev/null +++ b/docs/en/04_Changelogs/4.3.1.md @@ -0,0 +1,9 @@ +# 4.3.1 + + + +## Change Log + +### Security + + * 2018-12-18 [c0338d191](https://github.com/silverstripe/silverstripe-framework/commit/c0338d191d8be0000ddb16b74832ed8e05ba7ff5) Fix potential SQL vulnerability in non-scalar value hyrdation (Maxime Rainville) - See [ss-2018-021](https://www.silverstripe.org/download/security-releases/ss-2018-021)