[CVE-2019-12149] Fixed potential SQL injection vulnerability in RestfulServer
parent
9e923d6f9e
commit
dbb8e18644
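--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -2,20 +2,20 @@
 
 namespace SilverStripe\RestfulServer;
 
-use SilverStripe\ORM\ArrayList;
-use SilverStripe\Core\Config\Config;
+use SilverStripe\CMS\Model\SiteTree;
 use SilverStripe\Control\Controller;
-use SilverStripe\ORM\DataList;
-use SilverStripe\ORM\DataObject;
 use SilverStripe\Control\Director;
 use SilverStripe\Control\HTTPRequest;
+use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Injector\Injector;
+use SilverStripe\ORM\ArrayList;
+use SilverStripe\ORM\DataList;
+use SilverStripe\ORM\DataObject;
 use SilverStripe\ORM\SS_List;
 use SilverStripe\ORM\ValidationException;
 use SilverStripe\ORM\ValidationResult;
 use SilverStripe\Security\Member;
 use SilverStripe\Security\Security;
-use SilverStripe\CMS\Model\SiteTree;
-use SilverStripe\Core\Injector\Injector;
 
 /**
 * Generic RESTful server, which handles webservice access to arbitrary DataObjects.
@@ -205,23 +205,29 @@ class RestfulServer extends Controller
 * @todo Access checking
 *
 * @param string $className
-* @param Int $id
+* @param int $id
 * @param string $relation
 * @return string The serialized representation of the requested object(s) - usually XML or JSON.
 */
 protected function getHandler($className, $id, $relationName)
 {
-$sort = '';
+$sort = ['ID' => 'ASC'];
 
-if ($this->request->getVar('sort')) {
-$dir = $this->request->getVar('dir');
-$sort = array($this->request->getVar('sort') => ($dir ? $dir : 'ASC'));
+if ($sortQuery = $this->request->getVar('sort')) {
+/** @var DataObject $singleton */
+$singleton = singleton($className);
+// Only apply a sort filter if it is a valid field on the DataObject
+if ($singleton && $singleton->hasDatabaseField($sortQuery)) {
+$sort = [
+$sortQuery => $this->request->getVar('dir') === 'DESC' ? 'DESC' : 'ASC',
+];
+}
 }
 
-$limit = array(
-'start' => $this->request->getVar('start'),
-'limit' => $this->request->getVar('limit')
-);
+$limit = [
+'start' => (int) $this->request->getVar('start'),
+'limit' => (int) $this->request->getVar('limit'),
+];
 
 $params = $this->request->getVars();
 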
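Review bot: The docblock on `getHandler` is not updated for the new behaviour in the second hunk: a `sort` value that is not a database field of the class is now silently dropped (the list falls back to `ID ASC`) and `dir` is coerced to `ASC` unless it is exactly `DESC`, but a client receives no error in either case. I would add to the docblock: `* Sorting is restricted to database fields of $className; an unrecognised "sort" value falls back to ID ASC, and "dir" is treated as ASC unless it is exactly "DESC".` Replacing the previous empty sort with a default of `ID ASC` is also a visible ordering change for existing consumers and deserves a changelog entry. The `(int)` casts on `start` and `limit` turn an absent parameter into `0` rather than `null`; `getHandler` continues past this hunk, so confirm the later limit handling treats `0` the same way it treated `null`.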
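--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -49,7 +49,7 @@ class RestfulServerTest extends SapphireTest
 {
 parent::setUp();
 Director::config()->set('alternate_base_url', $this->baseURI);
-Security::setCurrentUser(null);
+$this->logOut();
 }
 
 public function testApiAccess()
@@ -613,6 +613,49 @@ class RestfulServerTest extends SapphireTest
 );
 }
 
+public function testGetWithSortDescending()
+{
+$urlSafeClassname = $this->urlSafeClassname(RestfulServerTestAuthor::class);
+$url = "{$this->baseURI}/api/v1/{$urlSafeClassname}?sort=FirstName&dir=DESC&fields=FirstName";
+
+$response = Director::test($url);
+$results = Convert::xml2array($response->getBody());
+
+$this->assertSame('Author 4', $results[$urlSafeClassname][0]['FirstName']);
+$this->assertSame('Author 3', $results[$urlSafeClassname][1]['FirstName']);
+$this->assertSame('Author 2', $results[$urlSafeClassname][2]['FirstName']);
+$this->assertSame('Author 1', $results[$urlSafeClassname][3]['FirstName']);
+}
+
+public function testGetWithSortAscending()
+{
+$urlSafeClassname = $this->urlSafeClassname(RestfulServerTestAuthor::class);
+$url = "{$this->baseURI}/api/v1/{$urlSafeClassname}?sort=FirstName&dir=ASC&fields=FirstName";
+
+$response = Director::test($url);
+$results = Convert::xml2array($response->getBody());
+
+$this->assertSame('Author 1', $results[$urlSafeClassname][0]['FirstName']);
+$this->assertSame('Author 2', $results[$urlSafeClassname][1]['FirstName']);
+$this->assertSame('Author 3', $results[$urlSafeClassname][2]['FirstName']);
+$this->assertSame('Author 4', $results[$urlSafeClassname][3]['FirstName']);
+}
+
+public function testGetSortsByIdWhenInvalidSortColumnIsProvided()
+{
+$urlSafeClassname = $this->urlSafeClassname(RestfulServerTestAuthor::class);
+$url = "{$this->baseURI}/api/v1/{$urlSafeClassname}?sort=Surname&dir=DESC&fields=FirstName";
+
+$response = Director::test($url);
+
+$results = Convert::xml2array($response->getBody());
+
+$this->assertSame('Author 1', $results[$urlSafeClassname][0]['FirstName']);
+$this->assertSame('Author 2', $results[$urlSafeClassname][1]['FirstName']);
+$this->assertSame('Author 3', $results[$urlSafeClassname][2]['FirstName']);
+$this->assertSame('Author 4', $results[$urlSafeClassname][3]['FirstName']);
+}
+
 public function testApiAccessWithPOST()
 {
 $urlSafeClassname = $this->urlSafeClassname(RestfulServerTestAuthorRating::class);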
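Review bot: `testGetSortsByIdWhenInvalidSortColumnIsProvided` asserts the same order as the ascending case, and the fixture authors appear to be created in that order, so it would also pass if an unknown sort field were ignored entirely rather than replaced by `ID ASC`; it pins the whitelist only weakly. There is also no test for an unexpected `dir` value, which the new handler coerces to `ASC`; a variant of `testGetWithSortAscending` requesting `dir=sideways` (a constructed value) with the same four assertions would cover that branch. A test naming a column that exists on the table but is not a declared `$db` field, if the fixture has one, would likewise show whether `hasDatabaseField` is the intended boundary.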
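--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -46,7 +46,7 @@ SilverStripe\RestfulServer\Tests\Stubs\RestfulServerTestAuthor:
 author2:
 FirstName: Author 2
 author3:
-Firstname: Author 3
+FirstName: Author 3
 author4:
 FirstName: Author 4
 RelatedAuthors: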
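--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -12,7 +12,7 @@ class RestfulServerTestAuthor extends DataObject implements TestOnly
 private static $table_name = 'RestfulServerTestAuthor';
 
 private static $db = array(
-'Name' => 'Text',
+'FirstName' => 'Text',
 );
 
 private static $many_many = array(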