fix: fixed invalid ordering errors

MISP · Sep 11, 2023 · d6ad402 · d6ad402
1 parent 53e16ce
commit d6ad402
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/app/Model/AppModel.php b/app/Model/AppModel.php
@@ -3989,4 +3989,32 @@ public function _remoteIp()
         }
         return $_SERVER['REMOTE_ADDR'] ?? null;
     }
+
+    public function find($type = 'first', $query = array()) {
+        if (!empty($query['order']) && $this->validOrderClause($query['order']) === false) {
+            throw new InvalidArgumentException('Invalid order clause');
+        }
+
+        return parent::find($type, $query);
+    }
+
+    private function validOrderClause($order){
+        $pattern = '/^[\w\_\-\.\(\) ]+$/';
+        if(is_string($order) && preg_match($pattern, $order)){
+            return true;
+        }
+
+        if (is_array($order)) {
+            foreach ($order as $key => $value) {
+                if (is_string($key) && is_string($value) && preg_match($pattern, $key) && in_array(strtolower($value), ['asc', 'desc'])) {
+                    return true;
+                }
+                if(is_numeric($key) && is_string($value) && preg_match($pattern, $value)){
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
 }