From 76cc4b427ab409d850198ae5da4091dad00a4f26 Mon Sep 17 00:00:00 2001
From: Ambroise Maupate
Date: Wed, 13 Sep 2023 17:16:19 +0200
Subject: [PATCH] fix(EntityListManager): Validate ordering field name before QueryBuilder rejects it

---
 .../src/ListManager/AbstractEntityListManager.php | 8 ++++++++
 .../src/ListManager/EntityListManager.php | 1 +
 .../src/ListManager/QueryBuilderListManager.php | 1 +
 3 files changed, 10 insertions(+)

diff --git a/lib/RoadizCoreBundle/src/ListManager/AbstractEntityListManager.php b/lib/RoadizCoreBundle/src/ListManager/AbstractEntityListManager.php
index ff2a3aac..6e54c0e3 100644
--- a/lib/RoadizCoreBundle/src/ListManager/AbstractEntityListManager.php
+++ b/lib/RoadizCoreBundle/src/ListManager/AbstractEntityListManager.php
@@ -213,4 +213,12 @@ public function getPageCount(): int
 {
 return (int) ceil($this->getItemCount() / $this->getItemPerPage());
 }
+
+ protected function validateOrderingFieldName(string $field): void
+ {
+ // check if field is a valid name without any SQL injection
+ if (\preg_match('/^[a-zA-Z0-9_.]+$/', $field) !== 1) {
+ throw new \InvalidArgumentException('Field name is not valid.');
+ }
+ }
 }
diff --git a/lib/RoadizCoreBundle/src/ListManager/EntityListManager.php b/lib/RoadizCoreBundle/src/ListManager/EntityListManager.php
index bfd47aa5..7822db82 100644
--- a/lib/RoadizCoreBundle/src/ListManager/EntityListManager.php
+++ b/lib/RoadizCoreBundle/src/ListManager/EntityListManager.php
@@ -125,6 +125,7 @@ public function handle(bool $disabled = false)
 $this->request->query->get('field') &&
 $this->request->query->get('ordering')
 ) {
+ $this->validateOrderingFieldName($this->request->query->get('field'));
 $this->orderingArray = [
 $this->request->query->get('field') => $this->request->query->get('ordering')
 ];
diff --git a/lib/RoadizCoreBundle/src/ListManager/QueryBuilderListManager.php b/lib/RoadizCoreBundle/src/ListManager/QueryBuilderListManager.php
index ca55b02d..d220f474 100644
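Review bot: The allow-list `/^[a-zA-Z0-9_.]+$/` in `validateOrderingFieldName` accepts values that are not identifier paths at all (`.`, `..`, `foo.`, `.foo`, digit-leading segments), so those still reach the QueryBuilder and fail there with the less specific exception this commit sets out to pre-empt; a per-segment pattern closes that gap: `if (\preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)*$/', $field) !== 1) {`. The method also deserves a docblock stating the contract the callers rely on, something like `@throws \InvalidArgumentException when $field is not a dotted identifier path (syntactic check only; the field is not resolved against entity metadata)`, and the inline comment should say DQL rather than SQL since the value is consumed by the Doctrine QueryBuilder. Note that the check is purely syntactic, so a well-formed but non-existent field name will still be rejected downstream by Doctrine, which is acceptable given the commit's stated goal. Since the value comes straight from the request, callers of `handle()` presumably need to map this `\InvalidArgumentException` to a 4xx response rather than let it surface as a 500; those callers are not visible here, so this is worth confirming.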
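Review bot: The value passed to `validateOrderingFieldName` and the value later stored as the key of `$this->orderingArray` are two separate reads of `$this->request->query->get('field')`, so the validated string and the used string are only the same by convention; reading it once into a local makes that invariant explicit: `$field = $this->request->query->get('field');` as the first statement of the block, then `$this->validateOrderingFieldName($field);` and `$field => $this->request->query->get('ordering')` in the array. The same repeated-read pattern appears in the QueryBuilderListManager hunk, where `get('field')` is read again inside the `sprintf()` call after validation. If `orderingArray` can be populated from any path other than this request-driven branch, that path is not covered by the new check; I cannot tell from this hunk, so worth confirming. The `if` condition begins and `handle()`'s body continues outside the hunk.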
--- a/lib/RoadizCoreBundle/src/ListManager/QueryBuilderListManager.php
+++ b/lib/RoadizCoreBundle/src/ListManager/QueryBuilderListManager.php
@@ -49,6 +49,7 @@ public function handle(bool $disabled = false)
 $this->request->query->get('field') &&
 $this->request->query->get('ordering')
 ) {
+ $this->validateOrderingFieldName($this->request->query->get('field'));
 $this->queryBuilder->addOrderBy(
 sprintf('%s.%s', $this->identifier, $this->request->query->get('field')),
 $this->request->query->get('ordering')
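Review bot: Only the `field` parameter is validated here while the `ordering` direction is forwarded to `addOrderBy()` untouched; as far as I recall Doctrine's `Expr\OrderBy` normalises anything other than ASC/DESC to ASC, so this is not an injection path, but it means a malformed direction silently sorts ascending while a malformed field is rejected, which is inconsistent input handling at the same boundary. Validating both together keeps the contract uniform, e.g. `$ordering = $this->request->query->get('ordering');` followed by `if (!\in_array(\strtoupper($ordering), ['ASC', 'DESC'], true)) { throw new \InvalidArgumentException('Ordering direction is not valid.'); }`. Separately, the allow-list introduced in the AbstractEntityListManager hunk permits dots, yet this manager always prefixes the field with `$this->identifier` via `sprintf('%s.%s', ...)`, so a dotted field produces `alias.a.b`, which the QueryBuilder will presumably still reject; if dotted paths are only meaningful for the other manager, that distinction is worth a comment on the validator. `handle()`'s body continues outside the hunk.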