tonyair
/
silverstripe-restfulserver
mirror of https://github.com/silverstripe/silverstripe-restfulserver
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[CVE-2019-12149] Fixed potential SQL injection vulnerability in RestfulServer

This commit is contained in:
Robbie Averill 2019-05-20 15:42:44 +12:00
parent a737f67a13
commit 65239cd54d
3 changed files with 138 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
code/RestfulServer.php
View File

@ -177,16 +177,22 @@ class RestfulServer extends Controller
*/
protected function getHandler($className, $id, $relationName)
{
$sort = '';
$sort = array('ID' => 'ASC');
if ($this->request->getVar('sort')) {
$dir = $this->request->getVar('dir');
$sort = array($this->request->getVar('sort') => ($dir ? $dir : 'ASC'));
if ($sortQuery = $this->request->getVar('sort')) {
/** @var DataObject $singleton */
$singleton = singleton($className);
// Only apply a sort filter if it is a valid field on the DataObject
if ($singleton && $singleton->hasDatabaseField($sortQuery)) {
$sort = array(
$sortQuery => $this->request->getVar('dir') === 'DESC' ? 'DESC' : 'ASC',
);
}
}
$limit = array(
'start' => $this->request->getVar('start'),
'limit' => $this->request->getVar('limit')
'start' => (int) $this->request->getVar('start'),
'limit' => (int) $this->request->getVar('limit'),
);
$params = $this->request->getVars();

39
tests/unit/RestfulServerTest.php
View File

@ -492,6 +492,43 @@ class RestfulServerTest extends SapphireTest
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
}
/** @group wip */
public function testGetWithSortDescending()
{
$url = '/api/v1/RestfulServerTest_Author?sort=FirstName&dir=DESC&fields=FirstName';
$response = Director::test($url);
$results = Convert::xml2array($response->getBody());
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][0]['FirstName']);
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][1]['FirstName']);
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][2]['FirstName']);
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][3]['FirstName']);
}
/** @group wip */
public function testGetWithSortAscending()
{
$url = '/api/v1/RestfulServerTest_Author?sort=FirstName&dir=ASC&fields=FirstName';
$response = Director::test($url);
$results = Convert::xml2array($response->getBody());
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][0]['FirstName']);
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][1]['FirstName']);
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][2]['FirstName']);
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][3]['FirstName']);
}
/** @group wip */
public function testGetSortsByIdWhenInvalidSortColumnIsProvided()
{
$url = '/api/v1/RestfulServerTest_Author?sort=Surname&dir=DESC&fields=FirstName';
$response = Director::test($url);
$results = Convert::xml2array($response->getBody());
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][0]['FirstName']);
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][1]['FirstName']);
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][2]['FirstName']);
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][3]['FirstName']);
}
}
/**
@ -591,7 +628,7 @@ class RestfulServerTest_Author extends DataObject implements TestOnly
public static $api_access = true;
public static $db = array(
'Name' => 'Text',
'FirstName' => 'Text',
);
public static $many_many = array(

2
tests/unit/RestfulServerTest.yml
View File

@ -46,7 +46,7 @@ RestfulServerTest_Author:
author2:
FirstName: Author 2
author3:
Firstname: Author 3
FirstName: Author 3
author4:
FirstName: Author 4
RelatedAuthors: =>RestfulServerTest_Author.author2,=>RestfulServerTest_Author.author3