[5.8] Correctly escape single quotes in json paths #28160
There's a potential SQL injection vulnerability with the JSON query syntax. This PR fixes that.
Laravel will parse JSON paths to
This will be parsed to:
The actual parsing is done in
It is however possible to provide a single quote as the "field" value, which will close the
```
lang->**"')), migrations.* FROM users RIGHT OUTER JOIN migrations ON migrations.id <> null #
```
By manually inserting
```sql
SELECT JSON_UNQUOTE(JSON_EXTRACT(`lang`, '$."**"')), migrations.* FROM users RIGHT OUTER JOIN migrations ON migrations.id <> null #"')) from `users`
```
In this example we're joining on the migrations table, but it's possible to join on anything.
In order for this attack to work, two requirements have to be met:
The solution is to escape all single quotes passed as
I decided to use a HEREDOC in the tests, for clarity. If this is not ok for Laravel, I'll be happy to change it.
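Added example (not code from this PR or from Laravel itself): a small Python re-implementation of the `column->path` compilation the description walks through, with the pre-fix behaviour, a tempting but insufficient fix, and an escaping step that keeps the path inside one MySQL string literal. `mask_string_literals` blanks out the contents of every literal so that anything left is real SQL syntax, which makes the breakout visible. Function names, the `compile_json_select` shape and the `users`/`migrations` payload from the PR text are assumptions of this example; the quote handling assumes MySQL's default backslash escaping.

```python
"""Added example, not Laravel's code: compile a `field->path` JSON column to
MySQL the way the PR describes, and show why single quotes in the path must
be escaped.  All names here are this example's own."""
import re

JSON_DELIMITER = "->"


def wrap_identifier(name: str) -> str:
    """MySQL identifier quoting: backticks, embedded backticks doubled."""
    return "`" + name.replace("`", "``") + "`"


def wrap_json_path_vulnerable(path: str) -> str:
    """Pre-fix behaviour from the PR: 'a->b' becomes '$."a"."b"' with no
    treatment of single quotes, so a quote in `path` terminates the literal."""
    return "'$.\"" + path.replace(JSON_DELIMITER, '"."') + "\"'"


def wrap_json_path_naive(path: str) -> str:
    """Insufficient fix: prefix every quote with one backslash.  A caller who
    supplies backslash+quote gets backslash,backslash,quote, which MySQL reads
    as an escaped backslash followed by an unescaped (closing) quote."""
    return "'$.\"" + path.replace("'", "\\'").replace(JSON_DELIMITER, '"."') + "\"'"


def wrap_json_path_fixed(path: str) -> str:
    """Replace each quote together with any backslashes in front of it by
    exactly one backslash and the quote, so the quote can never close the
    literal regardless of what precedes it."""
    escaped = re.sub(r"\\*'", r"\\'", path)
    return "'$.\"" + escaped.replace(JSON_DELIMITER, '"."') + "\"'"


def compile_json_select(column: str, table: str, wrap_path) -> str:
    """Simplified grammar step: split `lang->en` into field and JSON path and
    build the json_unquote(json_extract(...)) expression used for MySQL."""
    field, _, path = column.partition(JSON_DELIMITER)
    return (f"select json_unquote(json_extract({wrap_identifier(field)}, {wrap_path(path)}))"
            f" from {wrap_identifier(table)}")


def mask_string_literals(sql: str) -> str:
    """Replace the body of each single-quoted MySQL literal with '...'.
    Handles the backslash escape and the doubled-quote escape; an unterminated
    literal is masked to the end of the statement.  Whatever survives in the
    output is SQL syntax, not data, so an injected JOIN shows up in the clear."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1  # inside a literal
        while i < n:
            if sql[i] == "\\" and i + 1 < n:
                i += 2  # backslash escape: skip the escaped character
            elif sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":
                i += 2  # doubled quote inside the literal
            elif sql[i] == "'":
                i += 1  # closing quote
                break
            else:
                i += 1
        out.append("'...'")
    return "".join(out)


# Constructed payload, taken from the shape shown in the PR description.
INJECTED_COLUMN = ('lang->**"\')), migrations.* FROM users RIGHT OUTER JOIN migrations'
                   ' ON migrations.id <> null #')
EXPECTED_SHAPE = "select json_unquote(json_extract(`lang`, '...')) from `users`"


if __name__ == "__main__":
    for label, wrap in (("vulnerable", wrap_json_path_vulnerable),
                        ("naive", wrap_json_path_naive),
                        ("fixed", wrap_json_path_fixed)):
        sql = compile_json_select(INJECTED_COLUMN, "users", wrap)
        print(f"{label:10} {mask_string_literals(sql)}")
```

Run it and compare the three masked shapes: only the fixed variant collapses back to the expected `select ... from \`users\`` skeleton. The naive variant is the reason the escaping has to consume preceding backslashes as well as the quote; try `lang->a\'b` against it to see the literal close early.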
@jmarcher This vulnerability has been disclosed and discussed privately a while ago.
Taylor decided not to fix it, so it's public now: https://murze.be/an-important-security-release-for-laravel-query-builder
@taylorotwell I agree that these kinds of scenarios should be avoided at all costs. Have you considered adding a general warning to the docs?
Doctrine, for example, states the following:
The Laravel documentation states the following:
This statement can be confusing for beginners and even seasoned developers (our query builder package is a good example of that).
I think it would be good to add a clear warning about the use of user input as column names.