Merge pull request from GHSA-8r4m-5p6p-52rp
Fix arbitrary file read through sql manager
mflasquin committed Apr 25, 2023
2 parents dc68219 + 74a5a16 commit d900806
Showing 2 changed files with 18 additions and 1 deletion.
11 changes: 10 additions & 1 deletion classes/RequestSql.php
Expand Up @@ -59,7 +59,7 @@ class RequestSqlCore extends ObjectModel
],
'unauthorized' => [
'DELETE', 'ALTER', 'INSERT', 'REPLACE', 'CREATE', 'TRUNCATE', 'OPTIMIZE', 'GRANT', 'REVOKE', 'SHOW', 'HANDLER',
'LOAD', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
'LOAD', 'LOAD_FILE', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
'DESCRIBE', 'EXPLAIN', 'USE', 'HELP', 'SET', 'DUPLICATE', 'VALUES', 'INTO', 'RENAME', 'CALL', 'PROCEDURE', 'FUNCTION', 'DATABASE', 'SERVER',
'LOGFILE', 'DEFINER', 'RETURNS', 'EVENT', 'TABLESPACE', 'VIEW', 'TRIGGER', 'DATA', 'DO', 'PASSWORD', 'USER', 'PLUGIN', 'FLUSH', 'KILL',
'RESET', 'START', 'STOP', 'PURGE', 'EXECUTE', 'PREPARE', 'DEALLOCATE', 'LOCK', 'USING', 'DROP', 'FOR', 'UPDATE', 'BEGIN', 'BY', 'ALL', 'SHARE',
Expand Down Expand Up @@ -484,6 +484,15 @@ public function checkedSelect($select, $from, $in = false)
}
}
}

while (is_array($attribut['sub_tree'])) {
if ($attribut['expr_type'] === 'function' && in_array(strtoupper($attribut['base_expr']), $this->tested['unauthorized'])) {
$this->error_sql['checkedSelect']['function'] = $attribut['base_expr'];

return false;
}
$attribut = $attribut['sub_tree'][0];
}
} elseif ($in) {
$this->error_sql['checkedSelect']['*'] = false;

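Review bot: The new `while` loop in checkedSelect only ever follows `$attribut['sub_tree'][0]`, so a blocklisted function that appears in any argument other than the first, or in a sibling subtree, is never inspected; the walk needs to visit every element of `sub_tree` recursively instead of one linear path. The loop also reads `$attribut['expr_type']` and `$attribut['sub_tree'][0]` without `isset`, which raises warnings and leaves `$attribut` null on an empty subtree, and `in_array` is called without `strict: true`. The sketch below keeps the same `error_sql['checkedSelect']['function']` contract while covering the whole tree; if the parser labels some built-ins with an expr_type other than `'function'` those would still be missed, which is worth confirming against the parser's output. A function-name blocklist remains fragile by construction, so an allowlist of permitted functions would be the more robust long-term check. checkedSelect begins and ends outside this hunk, so the call site is shown where the loop currently sits.
```php
// … unchanged: earlier checks on $attribut in checkedSelect …
$forbidden = $this->findUnauthorizedFunction($attribut);
if ($forbidden !== null) {
    $this->error_sql['checkedSelect']['function'] = $forbidden;

    return false;
}
// … unchanged: elseif ($in) branch and the rest of checkedSelect …

/**
 * Depth-first walk of a parsed expression node; returns the base_expr of the
 * first function whose upper-cased name is in $this->tested['unauthorized'],
 * or null when no such function appears anywhere below the node.
 */
private function findUnauthorizedFunction(array $node): ?string
{
    if (isset($node['expr_type'], $node['base_expr'])
        && $node['expr_type'] === 'function'
        && in_array(strtoupper($node['base_expr']), $this->tested['unauthorized'], true)
    ) {
        return $node['base_expr'];
    }

    // Every child is examined, not just the first one.
    if (!empty($node['sub_tree']) && is_array($node['sub_tree'])) {
        foreach ($node['sub_tree'] as $child) {
            if (!is_array($child)) {
                continue;
            }
            $found = $this->findUnauthorizedFunction($child);
            if ($found !== null) {
                return $found;
            }
        }
    }

    return null;
}
```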
8 changes: 8 additions & 0 deletions src/Adapter/SqlManager/SqlQueryValidator.php
Expand Up @@ -187,6 +187,14 @@ private function getSelectKeywordError(array $legacyError)
];
}

if (isset($legacyError['function'])) {
return [
'key' => 'The "%function%" function is not allowed.',
'parameters' => ['%function%' => $legacyError['function']],
'domain' => 'Admin.Advparameters.Notification',
];
}

return [
'key' => 'Undefined "%s" error',
'parameters' => [
