Merge pull request #549 from dpgaspar/hotfix-sqlinjection-rework

#544 fix for possible sql injection on order by clauses
dpgaspar · Jul 13, 2017 · 46770c6 · 46770c6
2 parents 38de84b + 0379d55
commit 46770c6
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 4 deletions.
diff --git a/flask_appbuilder/models/base.py b/flask_appbuilder/models/base.py
@@ -38,7 +38,23 @@ class BaseInterface(object):
     def __init__(self, obj):
         self.obj = obj
 
-    def _get_attr_value(self, item, col):
+    def _get_attr(self, col_name):
+        if not hasattr(self.obj, col_name):
+            # it's an inner obj attr
+            try:
+                _obj = self.obj
+                for i in col_name.split('.'):
+                    try:
+                        _obj = self.get_related_model(i)
+                    except Exception as e:
+                        _obj = getattr(_obj, i)
+                return _obj
+            except Exception as e:
+                return None
+        return getattr(self.obj, col_name)
+
+    @staticmethod
+    def _get_attr_value(item, col):
         if not hasattr(item, col):
             # it's an inner obj attr
             try:

diff --git a/flask_appbuilder/models/mongoengine/interface.py b/flask_appbuilder/models/mongoengine/interface.py
@@ -50,7 +50,7 @@ def query(self, filters=None, order_column='', order_direction='',
         # order the data
         if order_column != '':
             if hasattr(getattr(self.obj, order_column), '_col_name'):
-                order_column = getattr(getattr(self.obj, order_column),'_col_name')
+                order_column = getattr(getattr(self.obj, order_column), '_col_name')
             if order_direction == 'asc':
                 objs = objs.order_by('-{0}'.format(order_column))
             else:

diff --git a/flask_appbuilder/models/sqla/interface.py b/flask_appbuilder/models/sqla/interface.py
@@ -66,8 +66,11 @@ def _get_base_query(self, query=None, filters=None, order_column='', order_direc
             # this decorator will add a property to the method named *_col_name*
             if hasattr(self.obj, order_column):
                 if hasattr(getattr(self.obj, order_column), '_col_name'):
-                    order_column = getattr(getattr(self.obj, order_column), '_col_name')
-            query = query.order_by("%s %s" % (order_column, order_direction))
+                    order_column = getattr(self._get_attr(order_column), '_col_name')
+            if order_direction == 'asc':
+                query = query.order_by(self._get_attr(order_column).asc())
+            else:
+                query = query.order_by(self._get_attr(order_column).desc())
         return query
 
     def query(self, filters=None, order_column='', order_direction='',