Improve order validation in list_devices function to prevent SQL inje…

…ction (#15885)
librenms · Apr 16, 2024 · 83fe4b1 · 83fe4b1
1 parent 36dc9d3
commit 83fe4b1
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/includes/html/api_functions.inc.php b/includes/html/api_functions.inc.php
@@ -313,12 +313,10 @@ function list_devices(Illuminate\Http\Request $request)
     $query = $request->get('query');
     $param = [];
 
-    if (empty($order)) {
-        $order = 'hostname';
-    }
-
-    if (stristr($order, ' desc') === false && stristr($order, ' asc') === false) {
-        $order = 'd.`' . $order . '` ASC';
+    if (preg_match('/^([a-z_]+)(?: (desc|asc))?$/i', $order, $matches)) {
+        $order = "d.`$matches[1]` " . ($matches[2] ?? 'ASC');
+    } else {
+        $order = 'd.`hostname` ASC';
     }
 
     $select = ' d.*, GROUP_CONCAT(dd.device_id) AS dependency_parent_id, GROUP_CONCAT(dd.hostname) AS dependency_parent_hostname, `location`, `lat`, `lng` ';