Merge pull request from GHSA-8r4m-5p6p-52rp
Fix arbitrary file read through sql manager
mflasquin committed Apr 25, 2023
2 parents 46408ae + 4692583 commit cddac41
Showing 3 changed files with 97 additions and 1 deletion.
11 changes: 10 additions & 1 deletion classes/RequestSql.php
Expand Up @@ -59,7 +59,7 @@ class RequestSqlCore extends ObjectModel
],
'unauthorized' => [
'DELETE', 'ALTER', 'INSERT', 'REPLACE', 'CREATE', 'TRUNCATE', 'OPTIMIZE', 'GRANT', 'REVOKE', 'SHOW', 'HANDLER',
'LOAD', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
'LOAD', 'LOAD_FILE', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
'DESCRIBE', 'EXPLAIN', 'USE', 'HELP', 'SET', 'DUPLICATE', 'VALUES', 'INTO', 'RENAME', 'CALL', 'PROCEDURE', 'FUNCTION', 'DATABASE', 'SERVER',
'LOGFILE', 'DEFINER', 'RETURNS', 'EVENT', 'TABLESPACE', 'VIEW', 'TRIGGER', 'DATA', 'DO', 'PASSWORD', 'USER', 'PLUGIN', 'FLUSH', 'KILL',
'RESET', 'START', 'STOP', 'PURGE', 'EXECUTE', 'PREPARE', 'DEALLOCATE', 'LOCK', 'USING', 'DROP', 'FOR', 'UPDATE', 'BEGIN', 'BY', 'ALL', 'SHARE',
Expand Down Expand Up @@ -475,6 +475,15 @@ public function checkedSelect($select, $from, $in = false)
}
}
}

while (is_array($attribut['sub_tree'])) {
if ($attribut['expr_type'] === 'function' && in_array(strtoupper($attribut['base_expr']), $this->tested['unauthorized'])) {
$this->error_sql['checkedSelect']['function'] = $attribut['base_expr'];

return false;
}
$attribut = $attribut['sub_tree'][0];
}
} elseif ($in) {
$this->error_sql['checkedSelect']['*'] = false;

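Review bot: The descent at `$attribut = $attribut['sub_tree'][0];` follows only the first child of each sub_tree, so a disallowed function that appears as a later argument of an outer function is never compared against the unauthorized list (assuming the parser lists arguments as siblings in sub_tree, which the `[0]` indexing suggests). The check should recurse over every entry of sub_tree, and `in_array` should pass `true` as its third argument so the keyword comparison is strict. Separately, the context line above still spells the deny-list entry `'ANALZYE'`, which will never match the real ANALYZE keyword and should be corrected in a follow-up. checkedSelect starts outside the hunk, so the helper below would be added as a sibling method in the class.
```php
// … unchanged: earlier per-attribute checks in checkedSelect …
if ($this->containsUnauthorizedFunction($attribut)) {
    return false;
}

/**
 * Walks a parsed expression tree and records the first disallowed function found.
 *
 * @param array $node one node of the PHPSQLParser tree ('expr_type', 'base_expr', 'sub_tree')
 *
 * @return bool true when a function from $this->tested['unauthorized'] is present anywhere below $node
 */
protected function containsUnauthorizedFunction(array $node): bool
{
    if (($node['expr_type'] ?? null) === 'function'
        && in_array(strtoupper($node['base_expr']), $this->tested['unauthorized'], true)) {
        $this->error_sql['checkedSelect']['function'] = $node['base_expr'];

        return true;
    }

    // sub_tree is false for leaves and an array of child nodes otherwise; visit every child, not just index 0
    foreach ((array) ($node['sub_tree'] ?? []) as $child) {
        if (is_array($child) && $this->containsUnauthorizedFunction($child)) {
            return true;
        }
    }

    return false;
}
```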
8 changes: 8 additions & 0 deletions src/Adapter/SqlManager/SqlQueryValidator.php
Expand Up @@ -182,6 +182,14 @@ private function getSelectKeywordError(array $legacyError)
];
}

if (isset($legacyError['function'])) {
return [
'key' => 'The "%function%" function is not allowed.',
'parameters' => ['%function%' => $legacyError['function']],
'domain' => 'Admin.Advparameters.Notification',
];
}

return [
'key' => 'Undefined "%s" error',
'parameters' => [
@@ -0,0 +1,79 @@
<?php
/**
* Copyright since 2007 PrestaShop SA and Contributors
* PrestaShop is an International Registered Trademark & Property of PrestaShop SA
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.md.
* It is also available through the world-wide-web at this URL:
* https://opensource.org/licenses/OSL-3.0
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@prestashop.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to https://devdocs.prestashop.com/ for more information.
*
* @author PrestaShop SA and Contributors <contact@prestashop.com>
* @copyright Since 2007 PrestaShop SA and Contributors
* @license https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
*/
declare(strict_types=1);

namespace Tests\Integration\Adapter\SqlManager\QueryHandler;

use PrestaShop\PrestaShop\Core\CommandBus\CommandBusInterface;
use PrestaShop\PrestaShop\Core\Domain\SqlManagement\Command\AddSqlRequestCommand;
use PrestaShop\PrestaShop\Core\Domain\SqlManagement\Exception\SqlRequestConstraintException;
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
use Tests\Resources\DatabaseDump;

class GetSqlRequestExecutionResultHandlerTest extends KernelTestCase
{
/**
* @var CommandBusInterface
*/
private $queryBus;

/**
* @var CommandBusInterface
*/
private $commandBus;

public static function setUpBeforeClass(): void
{
parent::setUpBeforeClass();
static::resetDatabase();
}

public static function tearDownAfterClass(): void
{
parent::tearDownAfterClass();
static::resetDatabase();
}

protected static function resetDatabase(): void
{
DatabaseDump::restoreTables([
'request_sql',
]);
}

protected function setUp(): void
{
self::bootKernel();

$this->queryBus = self::$container->get('prestashop.core.query_bus');
$this->commandBus = self::$container->get('prestashop.core.command_bus');
}
public function testUnauthorizedFunctionInSelect(): void
{
$this->expectException(SqlRequestConstraintException::class);
$this->commandBus->handle(new AddSqlRequestCommand('request1', 'SELECT load_file(\'/etc/passwd\') FROM ps_zone;'));
}
}
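Review bot: `$queryBus` is declared at the top of the class and assigned in setUp but never read, which the static-analysis job rejects; either drop the property and its `self::$container->get('prestashop.core.query_bus')` line or add a test that actually dispatches a query through it. The class is named GetSqlRequestExecutionResultHandlerTest, yet its only test drives AddSqlRequestCommand through the command bus, so a reader looking for handler coverage will be misled; a positive case asserting that an ordinary SELECT is accepted would also show the new rejection does not over-block. A blank line between setUp and testUnauthorizedFunctionInSelect would match the spacing of the other methods, and the test could carry a one-line docblock such as `/** Functions on the unauthorized list are rejected at command-handling time. */`.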
