From 83fe4b10c440d69a47fe2f8616e290ba2bd3a27c Mon Sep 17 00:00:00 2001
From: Jellyfrog
Date: Tue, 16 Apr 2024 17:38:17 +0200
Subject: [PATCH] Improve order validation in list_devices function to prevent SQL injection (#15885)

---
 includes/html/api_functions.inc.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/includes/html/api_functions.inc.php b/includes/html/api_functions.inc.php
index 4f8beaef3451..89930652b9af 100644
--- a/includes/html/api_functions.inc.php
+++ b/includes/html/api_functions.inc.php
@@ -313,12 +313,10 @@ function list_devices(Illuminate\Http\Request $request)
     $query = $request->get('query');
     $param = [];
 
-    if (empty($order)) {
-        $order = 'hostname';
-    }
-
-    if (stristr($order, ' desc') === false && stristr($order, ' asc') === false) {
-        $order = 'd.`' . $order . '` ASC';
+    if (preg_match('/^([a-z_]+)(?: (desc|asc))?$/i', $order, $matches)) {
+        $order = "d.`$matches[1]` " . ($matches[2] ?? 'ASC');
+    } else {
+        $order = 'd.`hostname` ASC';
     }
 
     $select = ' d.*, GROUP_CONCAT(dd.device_id) AS dependency_parent_id, GROUP_CONCAT(dd.hostname) AS dependency_parent_hostname, `location`, `lat`, `lng` ';
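Review bot: The new `preg_match` call passes `$order` straight through as the subject, but the removed `empty($order)` guard was the only thing that handled a missing value; `$order` is assigned above the hunk (presumably from the request), so if it can be `null` this now hits PHP 8.1's deprecation for a null `string` subject before falling into the `else` branch. Coercing it is a one-token change and also lets `$` reject a trailing newline rather than silently stripping it: `if (preg_match('/^([a-z_]+)(?: (desc|asc))?$/iD', (string) $order, $matches)) {`. The character class plus backtick quoting does close the injection path the commit targets, since only `[a-z_]` can reach the identifier position and the direction is limited to `desc`/`asc`; a further hardening step worth noting in a comment is that an unknown-but-well-formed column name still reaches the database as a query error rather than being rejected here, which an explicit allowlist of sortable columns (e.g. `in_array($matches[1], $sortable, true)`) would catch. `list_devices` continues outside the hunk.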