[CVE-2019-12149] Fixed potential SQL injection vulnerability in RestfulServer

This commit is contained in:
Robbie Averill 2019-05-20 15:42:44 +12:00
parent a737f67a13
commit 65239cd54d
3 changed files with 138 additions and 95 deletions


@ -177,16 +177,22 @@ class RestfulServer extends Controller
*/ */
protected function getHandler($className, $id, $relationName) protected function getHandler($className, $id, $relationName)
{ {
$sort = ''; $sort = array('ID' => 'ASC');
if ($this->request->getVar('sort')) { if ($sortQuery = $this->request->getVar('sort')) {
$dir = $this->request->getVar('dir'); /** @var DataObject $singleton */
$sort = array($this->request->getVar('sort') => ($dir ? $dir : 'ASC')); $singleton = singleton($className);
// Only apply a sort filter if it is a valid field on the DataObject
if ($singleton && $singleton->hasDatabaseField($sortQuery)) {
$sort = array(
$sortQuery => $this->request->getVar('dir') === 'DESC' ? 'DESC' : 'ASC',
);
}
} }
$limit = array( $limit = array(
'start' => $this->request->getVar('start'), 'start' => (int) $this->request->getVar('start'),
'limit' => $this->request->getVar('limit') 'limit' => (int) $this->request->getVar('limit'),
); );
$params = $this->request->getVars(); $params = $this->request->getVars();
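Review bot: The `(int)` casts on the `start` and `limit` query vars at the end of the hunk turn an absent `limit` into `0`, where the old code passed `null` through; if the ORM's limit handling distinguishes `0` from `null` this silently changes the unlimited default, so it is worth confirming and, if so, keeping null for the absent case, e.g. `'limit' => $this->request->getVar('limit') !== null ? (int) $this->request->getVar('limit') : null,`. The sort validation is the security-relevant part of the change and deserves a why-comment rather than only the "valid field" remark, e.g. `// The sort column ends up in an ORDER BY clause, so only accept a name that resolves to a real database field; the direction is whitelisted to ASC/DESC and anything else falls back to ASC.` The `$singleton &&` guard looks redundant since `singleton()` is expected to return an object, though that is inferred from the call site rather than visible here. getHandler's body continues outside the hunk.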


@ -492,6 +492,43 @@ class RestfulServerTest extends SapphireTest
unset($_SERVER['PHP_AUTH_USER']); unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']); unset($_SERVER['PHP_AUTH_PW']);
} }
/** @group wip */
public function testGetWithSortDescending()
{
$url = '/api/v1/RestfulServerTest_Author?sort=FirstName&dir=DESC&fields=FirstName';
$response = Director::test($url);
$results = Convert::xml2array($response->getBody());
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][0]['FirstName']);
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][1]['FirstName']);
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][2]['FirstName']);
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][3]['FirstName']);
}
/** @group wip */
public function testGetWithSortAscending()
{
$url = '/api/v1/RestfulServerTest_Author?sort=FirstName&dir=ASC&fields=FirstName';
$response = Director::test($url);
$results = Convert::xml2array($response->getBody());
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][0]['FirstName']);
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][1]['FirstName']);
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][2]['FirstName']);
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][3]['FirstName']);
}
/** @group wip */
public function testGetSortsByIdWhenInvalidSortColumnIsProvided()
{
$url = '/api/v1/RestfulServerTest_Author?sort=Surname&dir=DESC&fields=FirstName';
$response = Director::test($url);
$results = Convert::xml2array($response->getBody());
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][0]['FirstName']);
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][1]['FirstName']);
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][2]['FirstName']);
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][3]['FirstName']);
}
} }
/** /**
@ -591,7 +628,7 @@ class RestfulServerTest_Author extends DataObject implements TestOnly
public static $api_access = true; public static $api_access = true;
public static $db = array( public static $db = array(
'Name' => 'Text', 'FirstName' => 'Text',
); );
public static $many_many = array( public static $many_many = array(
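Review bot: The three added tests in the first hunk each carry a `/** @group wip */` annotation, which reads as a leftover development marker; a group-filtered test run could skip exactly the tests that guard this fix, so the docblocks should be dropped before merge. The invalid-column test asserts the ID-ordered fallback, but no test covers a `dir` value other than `ASC`/`DESC` (including lowercase `desc`) falling back to ascending, which is the other half of the new whitelist and would pin that behaviour, e.g. a `testGetSortsAscendingWhenInvalidDirIsProvided` using `sort=FirstName&dir=desc`. The `$db` rename from `Name` to `FirstName` in the second hunk keeps the test model consistent with the fixture, which is what makes `hasDatabaseField('FirstName')` succeed. The enclosing test class starts and ends outside the hunks.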


@ -46,7 +46,7 @@ RestfulServerTest_Author:
author2: author2:
FirstName: Author 2 FirstName: Author 2
author3: author3:
Firstname: Author 3 FirstName: Author 3
author4: author4:
FirstName: Author 4 FirstName: Author 4
RelatedAuthors: =>RestfulServerTest_Author.author2,=>RestfulServerTest_Author.author3 RelatedAuthors: =>RestfulServerTest_Author.author2,=>RestfulServerTest_Author.author3