mirror of
https://github.com/silverstripe/silverstripe-restfulserver
synced 2024-10-22 14:05:58 +02:00
Merge pull request #2 from silverstripe-security/pulls/1.0/sort-only-on-fields
[CVE-2019-12149] Fixed potential SQL injection vulnerability in RestfulServer
This commit is contained in:
commit
c7ad63d29f
@ -177,16 +177,22 @@ class RestfulServer extends Controller
|
||||
*/
|
||||
protected function getHandler($className, $id, $relationName)
|
||||
{
|
||||
$sort = '';
|
||||
$sort = array('ID' => 'ASC');
|
||||
|
||||
if ($this->request->getVar('sort')) {
|
||||
$dir = $this->request->getVar('dir');
|
||||
$sort = array($this->request->getVar('sort') => ($dir ? $dir : 'ASC'));
|
||||
if ($sortQuery = $this->request->getVar('sort')) {
|
||||
/** @var DataObject $singleton */
|
||||
$singleton = singleton($className);
|
||||
// Only apply a sort filter if it is a valid field on the DataObject
|
||||
if ($singleton && $singleton->hasDatabaseField($sortQuery)) {
|
||||
$sort = array(
|
||||
$sortQuery => $this->request->getVar('dir') === 'DESC' ? 'DESC' : 'ASC',
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
$limit = array(
|
||||
'start' => $this->request->getVar('start'),
|
||||
'limit' => $this->request->getVar('limit')
|
||||
'start' => (int) $this->request->getVar('start'),
|
||||
'limit' => (int) $this->request->getVar('limit'),
|
||||
);
|
||||
|
||||
$params = $this->request->getVars();
|
||||
|
@ -492,6 +492,43 @@ class RestfulServerTest extends SapphireTest
|
||||
unset($_SERVER['PHP_AUTH_USER']);
|
||||
unset($_SERVER['PHP_AUTH_PW']);
|
||||
}
|
||||
|
||||
/** @group wip */
|
||||
public function testGetWithSortDescending()
|
||||
{
|
||||
$url = '/api/v1/RestfulServerTest_Author?sort=FirstName&dir=DESC&fields=FirstName';
|
||||
$response = Director::test($url);
|
||||
$results = Convert::xml2array($response->getBody());
|
||||
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][0]['FirstName']);
|
||||
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][1]['FirstName']);
|
||||
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][2]['FirstName']);
|
||||
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][3]['FirstName']);
|
||||
}
|
||||
|
||||
/** @group wip */
|
||||
public function testGetWithSortAscending()
|
||||
{
|
||||
$url = '/api/v1/RestfulServerTest_Author?sort=FirstName&dir=ASC&fields=FirstName';
|
||||
$response = Director::test($url);
|
||||
$results = Convert::xml2array($response->getBody());
|
||||
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][0]['FirstName']);
|
||||
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][1]['FirstName']);
|
||||
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][2]['FirstName']);
|
||||
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][3]['FirstName']);
|
||||
}
|
||||
|
||||
/** @group wip */
|
||||
public function testGetSortsByIdWhenInvalidSortColumnIsProvided()
|
||||
{
|
||||
$url = '/api/v1/RestfulServerTest_Author?sort=Surname&dir=DESC&fields=FirstName';
|
||||
$response = Director::test($url);
|
||||
$results = Convert::xml2array($response->getBody());
|
||||
$this->assertSame('Author 1', $results['RestfulServerTest_Author'][0]['FirstName']);
|
||||
$this->assertSame('Author 2', $results['RestfulServerTest_Author'][1]['FirstName']);
|
||||
$this->assertSame('Author 3', $results['RestfulServerTest_Author'][2]['FirstName']);
|
||||
$this->assertSame('Author 4', $results['RestfulServerTest_Author'][3]['FirstName']);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
@ -591,7 +628,7 @@ class RestfulServerTest_Author extends DataObject implements TestOnly
|
||||
public static $api_access = true;
|
||||
|
||||
public static $db = array(
|
||||
'Name' => 'Text',
|
||||
'FirstName' => 'Text',
|
||||
);
|
||||
|
||||
public static $many_many = array(
|
||||
|
@ -46,7 +46,7 @@ RestfulServerTest_Author:
|
||||
author2:
|
||||
FirstName: Author 2
|
||||
author3:
|
||||
Firstname: Author 3
|
||||
FirstName: Author 3
|
||||
author4:
|
||||
FirstName: Author 4
|
||||
RelatedAuthors: =>RestfulServerTest_Author.author2,=>RestfulServerTest_Author.author3
|
||||
|
Loading…
Reference in New Issue
Block a user