Merge branch '4.10' into 4.11

src/Forms/GridField/GridFieldSortableHeader.php

@@ -11,6 +11,7 @@
 use SilverStripe\View\ArrayData;
 use SilverStripe\View\SSViewer;
 use LogicException;
+use SilverStripe\Core\Injector\Injector;
 
 /**
  * GridFieldSortableHeader adds column headers to a {@link GridField} that can
@@ -271,6 +272,16 @@ public function getManipulatedData(GridField $gridField, SS_List $dataList)
             return $dataList;
         }
 
+        // Prevent SQL Injection by validating that SortColumn exists
+        /** @var GridFieldDataColumns $columns */
+        $columns = $gridField->getConfig()->getComponentByType(GridFieldDataColumns::class);
+        $fields = $columns->getDisplayFields($gridField);
+        if (!array_key_exists($state->SortColumn, $fields) &&
+            !in_array($state->SortColumn, $this->getFieldSorting())
+        ) {
+            throw new LogicException('Invalid SortColumn: ' . $state->SortColumn);
+        }
+
         return $dataList->sort($state->SortColumn, $state->SortDirection('asc'));
     }
 

tests/php/Forms/GridField/GridFieldSortableHeaderTest.php

@@ -71,13 +71,14 @@ public function testGetManipulatedData()
         $list = Team::get()->filter([ 'ClassName' => Team::class ]);
         $config = new GridFieldConfig_RecordEditor();
         $gridField = new GridField('testfield', 'testfield', $list, $config);
+        $component = $gridField->getConfig()->getComponentByType(GridFieldSortableHeader::class);
 
         // Test normal sorting
+        $component->setFieldSorting(['Name' => 'City']);
         $state = $gridField->State->GridFieldSortableHeader;
         $state->SortColumn = 'City';
         $state->SortDirection = 'asc';
 
-        $component = $gridField->getConfig()->getComponentByType(GridFieldSortableHeader::class);
         $listA = $component->getManipulatedData($gridField, $list);
 
         $state->SortDirection = 'desc';
@@ -93,6 +94,7 @@ public function testGetManipulatedData()
         );
 
         // Test one relation 'deep'
+        $component->setFieldSorting(['Name' => 'Cheerleader.Name']);
         $state->SortColumn = 'Cheerleader.Name';
         $state->SortDirection = 'asc';
         $relationListA = $component->getManipulatedData($gridField, $list);
@@ -110,6 +112,7 @@ public function testGetManipulatedData()
         );
 
         // Test two relations 'deep'
+        $component->setFieldSorting(['Name' => 'Cheerleader.Hat.Colour']);
         $state->SortColumn = 'Cheerleader.Hat.Colour';
         $state->SortDirection = 'asc';
         $relationListC = $component->getManipulatedData($gridField, $list);
@@ -139,6 +142,7 @@ public function testInheritedGetManiplatedData()
         $component = $gridField->getConfig()->getComponentByType(GridFieldSortableHeader::class);
 
         // Test that inherited dataobjects will work correctly
+        $component->setFieldSorting(['Name' => 'Cheerleader.Hat.Colour']);
         $state->SortColumn = 'Cheerleader.Hat.Colour';
         $state->SortDirection = 'asc';
         $relationListA = $component->getManipulatedData($gridField, $list);
@@ -179,6 +183,7 @@ public function testInheritedGetManiplatedData()
         );
 
         // Test subclasses of tables
+        $component->setFieldSorting(['Name' => 'CheerleadersMom.Hat.Colour']);
         $state->SortColumn = 'CheerleadersMom.Hat.Colour';
         $state->SortDirection = 'asc';
         $relationListB = $component->getManipulatedData($gridField, $list);
@@ -229,4 +234,21 @@ public function testInheritedGetManiplatedData()
             $relationListBdesc->column('City')
         );
     }
+
+    public function testSortColumnValidation()
+    {
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('Invalid SortColumn: INVALID');
+
+        $list = Team::get()->filter([ 'ClassName' => Team::class ]);
+        $config = new GridFieldConfig_RecordEditor();
+        $gridField = new GridField('testfield', 'testfield', $list, $config);
+        $component = $gridField->getConfig()->getComponentByType(GridFieldSortableHeader::class);
+
+        $state = $gridField->State->GridFieldSortableHeader;
+        $state->SortColumn = 'INVALID';
+        $state->SortDirection = 'asc';
+
+        $component->getManipulatedData($gridField, $list);
+    }
 }