bug #222 [Security] Dql injection through sorting parameters blocked …
…(TheMilek) This PR was merged into the 1.10 branch. Discussion ---------- Commits ------- b702009 Dql injection through sorting parameters blocked
Showing
10 changed files
with
265 additions
and
28 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Sylius package. | ||
| * | ||
| * (c) Paweł Jędrzejewski | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace Sylius\Component\Grid\Validation; | ||
|
|
||
| use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; | ||
|
|
||
| final class FieldValidator implements FieldValidatorInterface | ||
| { | ||
| public function validateFieldName(string $fieldName, array $enabledFields): void | ||
| { | ||
| $enabledFieldsNames = array_keys($enabledFields); | ||
|
|
||
| if (!in_array($fieldName, $enabledFieldsNames, true)) { | ||
| throw new BadRequestHttpException(sprintf('%s is not valid field, did you mean one of these: %s?', $fieldName, implode(', ', $enabledFieldsNames))); | ||
| } | ||
| } | ||
| } |
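Review bot: The lookup in validateFieldName builds `array_keys($enabledFields)` only to search it with `in_array`; `if (!array_key_exists($fieldName, $enabledFields)) {` performs the same check directly and sidesteps PHP's conversion of numeric-string keys to ints in `array_keys()`, which the strict `in_array()` against a string `$fieldName` would otherwise miss (the keys list can still be computed for the message). The message also echoes the rejected `$fieldName` verbatim back to the client; since that value is request-controlled, consider capping its length or omitting it from the client-facing message and logging it instead. A short docblock on the method stating that `$enabledFields` is keyed by field name and that a `BadRequestHttpException` is thrown for an unknown name would make the contract clear to callers.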
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Sylius package. | ||
| * | ||
| * (c) Paweł Jędrzejewski | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace Sylius\Component\Grid\Validation; | ||
|
|
||
| interface FieldValidatorInterface | ||
| { | ||
| public function validateFieldName(string $fieldName, array $enabledFields): void; | ||
| } |
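Review bot: The interface declares no contract for failure: validateFieldName returns void, so the only signal is an exception, and a caller reading this file cannot tell which one. A docblock such as `@throws BadRequestHttpException when $fieldName is not a key of $enabledFields` (with a `@param` describing `$enabledFields` as keyed by field name, presumably mapping to grid Field definitions) would document it; SortingParametersValidatorInterface::validateSortingParameters in this commit needs the same. Naming an HttpKernel exception in a Grid component interface also ties the component to symfony/http-kernel; if that coupling is not intended, a component-level exception that the bundle layer maps to a 400 would keep the interface transport-neutral.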
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Sylius package. | ||
| * | ||
| * (c) Paweł Jędrzejewski | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace Sylius\Component\Grid\Validation; | ||
|
|
||
| use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; | ||
|
|
||
| final class SortingParametersValidator implements SortingParametersValidatorInterface | ||
| { | ||
| public function validateSortingParameters(array $sorting, array $enabledFields): void | ||
| { | ||
| foreach (array_keys($enabledFields) as $key) { | ||
| if (array_key_exists($key, $sorting) && !in_array($sorting[$key], ['asc', 'desc'])) { | ||
| throw new BadRequestHttpException(sprintf('%s is not valid, use asc or desc instead.', $sorting[$key])); | ||
| } | ||
| } | ||
| } | ||
| } |
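Review bot: The direction check at `in_array($sorting[$key], ['asc', 'desc'])` is non-strict, unlike the strict check in FieldValidator; loose comparison has surprising cases (`true == 'asc'` holds) and the intent is clearly exact matching, so pass the third argument: `if (array_key_exists($key, $sorting) && !in_array($sorting[$key], ['asc', 'desc'], true)) {`. `$sorting` is request data, so a value may also be an array rather than a string (nested query input such as `sorting[name][]=x`); the strict check rejects it, but the `sprintf('%s …', $sorting[$key])` in the throw then emits an "Array to string conversion" warning, so guard the message with `is_string($sorting[$key]) ? $sorting[$key] : gettype($sorting[$key])` or similar. The loop walks `$enabledFields` rather than `$sorting`, so entries under keys that are not enabled fields are never inspected here — acceptable if FieldValidator is always run first, but that assumption deserves a comment on the loop.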
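--- /dev/null
+++ b/src/Component/Validation/SortingParametersValidatorInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Paweł Jędrzejewski
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\Component\Grid\Validation;
+
+interface SortingParametersValidatorInterface
+{
+    public function validateSortingParameters(array $sorting, array $enabledFields): void;
+}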
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Sylius package. | ||
| * | ||
| * (c) Paweł Jędrzejewski | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace spec\Sylius\Component\Grid\Validation; | ||
|
|
||
| use PhpSpec\ObjectBehavior; | ||
| use Sylius\Component\Grid\Definition\Field; | ||
| use Sylius\Component\Grid\Definition\Grid; | ||
| use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; | ||
| use Sylius\Component\Grid\Validation\FieldValidatorInterface; | ||
|
|
||
| final class FieldValidatorSpec extends ObjectBehavior | ||
| { | ||
| function it_implements_field_validator_interface(): void | ||
| { | ||
| $this->shouldImplement(FieldValidatorInterface::class); | ||
| } | ||
|
|
||
| function it_throws_exception_if_wrong_field_name_provided( | ||
| Grid $grid, | ||
| Field $field, | ||
| Field $anotherField | ||
| ): void { | ||
| $grid->getEnabledFields()->willReturn(['name' => $field , 'code' => $anotherField]); | ||
| $grid->getSorting()->willReturn(['sorting' => ['non_sortable_field' => 'desc']]); | ||
|
|
||
| $this | ||
| ->shouldThrow(new BadRequestHttpException('non_sortable_field is not valid field, did you mean one of these: name, code?')) | ||
| ->during('validateFieldName', ['non_sortable_field', ['name' => $field , 'code' => $anotherField]]) | ||
| ; | ||
| } | ||
|
|
||
| function it_passes_if_valid_sorting_parameter_provided( | ||
| Grid $grid, | ||
| Field $field, | ||
| Field $anotherField | ||
| ): void { | ||
| $grid->getEnabledFields()->willReturn(['name' => $field , 'code' => $anotherField]); | ||
| $grid->getSorting()->willReturn(['sorting' => ['sortable_field' => 'desc']]); | ||
|
|
||
| $this | ||
| ->shouldNotThrow(new BadRequestHttpException()) | ||
| ->during('validateFieldName', ['sortable_field', ['sortable_field' => $field , 'code' => $anotherField]]) | ||
| ; | ||
| } | ||
| } |
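Review bot: In it_throws_exception_if_wrong_field_name_provided and it_passes_if_valid_sorting_parameter_provided, the `$grid->getEnabledFields()` and `$grid->getSorting()` stubs are configured but `$grid` is never handed to the subject — validateFieldName receives its arrays directly — so those four lines and the `Grid $grid` collaborator are dead setup that implies a coupling the class does not have. Dropping them (and the then-unused `Grid` import) leaves each example stating exactly what it exercises; SortingParametersValidatorSpec in this commit carries the same leftover. The second example's name also says "sorting parameter" although it checks a field name, so `it_passes_if_valid_field_name_provided` would describe it, and the `use` block is out of alphabetical order (`BadRequestHttpException` before `FieldValidatorInterface`), which a PSR-12 fixer is likely to flag.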
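--- /dev/null
+++ b/src/Component/spec/Validation/SortingParametersValidatorSpec.php
@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Paweł Jędrzejewski
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace spec\Sylius\Component\Grid\Validation;
+
+use PhpSpec\ObjectBehavior;
+use Sylius\Component\Grid\Definition\Field;
+use Sylius\Component\Grid\Definition\Grid;
+use Sylius\Component\Grid\Validation\SortingParametersValidatorInterface;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+final class SortingParametersValidatorSpec extends ObjectBehavior
+{
+    function it_implements_grid_data_source_sorting_validator_interface(): void
+    {
+        $this->shouldImplement(SortingParametersValidatorInterface::class);
+    }
+
+    function it_throws_exception_if_wrong_sorting_parameter_provided(
+        Grid $grid,
+        Field $field,
+        Field $anotherField
+    ): void {
+        $grid->getEnabledFields()->willReturn(['name' => $field , 'code' => $anotherField]);
+        $grid->getSorting()->willReturn(['name' => 'non_sortable_parameter']);
+
+        $this
+            ->shouldThrow(new BadRequestHttpException('non_sortable_parameter is not valid, use asc or desc instead.'))
+            ->during('validateSortingParameters', [['name' => 'non_sortable_parameter'], ['name' => $field , 'code' => $anotherField]])
+        ;
+    }
+
+    function it_passes_if_valid_sorting_parameter_provided(
+        Grid $grid,
+        Field $field,
+        Field $anotherField
+    ): void {
+        $grid->getEnabledFields()->willReturn(['name' => $field , 'code' => $anotherField]);
+        $grid->getSorting()->willReturn(['name' => 'asc']);
+
+        $this
+            ->shouldNotThrow(new BadRequestHttpException())
+            ->during('validateSortingParameters', [['name' => 'asc'], ['name' => $field , 'code' => $anotherField]])
+        ;
+    }
+}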
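Review bot: The example name it_implements_grid_data_source_sorting_validator_interface does not match the interface it asserts, SortingParametersValidatorInterface; it reads like a leftover from an earlier name and should be `it_implements_sorting_parameters_validator_interface`. The spec also covers only a string direction under an enabled key; a case with a sorting key that is not an enabled field, and one with a non-string direction (an array from nested query input), would pin down how validateSortingParameters behaves at exactly the boundaries that matter for a request-validation class.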