fix(EntityListManager): Validate ordering field name before QueryBuil…

…der rejects it
roadiz · Sep 13, 2023 · 76cc4b4 · 76cc4b4
1 parent cf17707
commit 76cc4b4
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/lib/RoadizCoreBundle/src/ListManager/AbstractEntityListManager.php b/lib/RoadizCoreBundle/src/ListManager/AbstractEntityListManager.php
@@ -213,4 +213,12 @@ public function getPageCount(): int
     {
         return (int) ceil($this->getItemCount() / $this->getItemPerPage());
     }
+
+    protected function validateOrderingFieldName(string $field): void
+    {
+        // check if field is a valid name without any SQL injection
+        if (\preg_match('/^[a-zA-Z0-9_.]+$/', $field) !== 1) {
+            throw new \InvalidArgumentException('Field name is not valid.');
+        }
+    }
 }
diff --git a/lib/RoadizCoreBundle/src/ListManager/EntityListManager.php b/lib/RoadizCoreBundle/src/ListManager/EntityListManager.php
@@ -125,6 +125,7 @@ public function handle(bool $disabled = false)
                 $this->request->query->get('field') &&
                 $this->request->query->get('ordering')
             ) {
+                $this->validateOrderingFieldName($this->request->query->get('field'));
                 $this->orderingArray = [
                     $this->request->query->get('field') => $this->request->query->get('ordering')
                 ];

diff --git a/lib/RoadizCoreBundle/src/ListManager/QueryBuilderListManager.php b/lib/RoadizCoreBundle/src/ListManager/QueryBuilderListManager.php
@@ -49,6 +49,7 @@ public function handle(bool $disabled = false)
                 $this->request->query->get('field') &&
                 $this->request->query->get('ordering')
             ) {
+                $this->validateOrderingFieldName($this->request->query->get('field'));
                 $this->queryBuilder->addOrderBy(
                     sprintf('%s.%s', $this->identifier, $this->request->query->get('field')),
                     $this->request->query->get('ordering')