Fix SQL injection vulnerability

ypnos · ypnos · commit 81929ad62d1e · 2017-10-24T18:33:18.000+02:00
Do not read column definitions from client (which included field names
passed to the database). Instead pass them in the controller.

To make ordering/filtering capabilities of DataTables work, find() needs
to be called with the column definition array as a fourth argument.
It is not needed for the use of DataTables without ordering/filtering or
without server-side processing (AJAX fetches coming from DataTables).
diff --git a/src/Controller/Component/DataTablesComponent.php b/src/Controller/Component/DataTablesComponent.php
@@ -4,6 +4,7 @@
 use Cake\Collection\Collection;
 use Cake\Controller\Component;
 use Cake\Core\Configure;
+use Cake\Network\Exception\BadRequestException;
 use Cake\ORM\Query;
 use Cake\ORM\Table;
 use Cake\ORM\TableRegistry;
@@ -77,104 +78,135 @@ private function _draw()
      * Process query data of ajax request regarding order
      * Alters $options if delegateOrder is set
      * In this case, the model needs to handle the 'customOrder' option.
-     * @param $options: Query options from the request
+     * @param $options: Query options
+     * @param $columns: Column definitions
      */
-    private function _order(array &$options)
+    private function _order(array &$options, array &$columns)
     {
         if (empty($this->request->query['order']))
             return;
 
-        // -- add custom order
         $order = $this->config('order');
-        foreach($this->request->query['order'] as $item) {
-            $order[$this->request->query['columns'][$item['column']]['name']] = $item['dir'];
+
+        /* extract custom ordering from request */
+        foreach ($this->request->query['order'] as $item) {
+            if (empty($columns))
+                throw new \InvalidArgumentException('Column ordering requested, but no column definitions provided.');
+
+            $dir = strtoupper($item['dir']);
+            if (!in_array($dir, ['ASC', 'DESC']))
+                throw new BadRequestException('Malformed order direction.');
+
+            $c = $columns[$item['column']] ?? null;
+            if (!$c || !($c['orderable'] ?? true)) // orderable is true by default
+                throw new BadRequestException('Illegal column ordering.');
+
+            if (empty($c['field']))
+                throw new \InvalidArgumentException('Column description misses field name.');
+
+            $order[$c['field']] = $dir;
         }
+
+        /* apply ordering */
         if (!empty($options['delegateOrder'])) {
             $options['customOrder'] = $order;
         } else {
             $this->config('order', $order);
         }
 
-        // -- remove default ordering as we have a custom one
+        /* remove default ordering in favor of our custom one */
         unset($options['order']);
     }
 
     /**
      * Process query data of ajax request regarding filtering
      * Alters $options if delegateSearch is set
      * In this case, the model needs to handle the 'globalSearch' option.
-     * @param $options: Query options from the request
-     * @return: returns true if additional filtering takes place
+     * @param $options: Query options
+     * @param $columns: Column definitions
+     * @return: true if additional filtering takes place
      */
-    private function _filter(array &$options) : bool
+    private function _filter(array &$options, array &$columns) : bool
     {
-        // -- add limit
+        /* add limit and offset */
         if (!empty($this->request->query['length'])) {
             $this->config('length', $this->request->query['length']);
         }
-
-        // -- add offset
         if (!empty($this->request->query['start'])) {
             $this->config('start', (int)$this->request->query['start']);
         }
 
-        // -- don't support any search if columns data missing
-        if (empty($this->request->query['columns']))
-            return false;
-
-        // -- check table search field
         $haveFilters = false;
+        $delegateSearch = !empty($options['delegateSearch']);
+
+        /* add global filter (general search field) */
         $globalSearch = $this->request->query['search']['value'] ?? false;
+        if ($globalSearch) {
+            if (empty($columns))
+                throw new \InvalidArgumentException('Filtering requested, but no column definitions provided.');
 
-        // -- if delegate option set, defer search to the model and bail out
-        if (!empty($options['delegateSearch'])) {
-            if ($globalSearch) {
+            if ($delegateSearch) {
                 $options['globalSearch'] = $globalSearch;
                 $haveFilters = true;
-            }
-            foreach ($this->request->query['columns'] as $column) {
-                $localSearch = $column['search']['value'];
-                if (!empty($localSearch)) {
-                    $options['localSearch'][$column['name']] = $localSearch;
+            } else {
+                foreach ($columns as $c) {
+                    if (!($c['searchable'] ?? true)) // searchable is true by default
+                        continue;
+
+                    if (empty($c['field']))
+                        throw new \InvalidArgumentException('Column description misses field name.');
+
+                    $this->_addCondition($c['field'], $globalSearch, 'or');
                     $haveFilters = true;
                 }
             }
-            return $haveFilters;
         }
 
-        // -- add conditions for both table-wide and column search fields
-        foreach ($this->request->query['columns'] as $column) {
-            if ($globalSearch && $column['searchable'] == 'true') {
-                $this->_addCondition($column['name'], $globalSearch, 'or');
-                $haveFilters = true;
-            }
-            $localSearch = $column['search']['value'];
+        /* add local filters (column search fields) */
+        foreach ($this->request->query['columns'] ?? [] as $index => $column) {
+            $localSearch = $column['search']['value'] ?? null;
             if (!empty($localSearch)) {
-                $this->_addCondition($column['name'], $column['search']['value']);
+                if (empty($columns))
+                    throw new \InvalidArgumentException('Filtering requested, but no column definitions provided.');
+
+                $c = $columns[$index] ?? null;
+                if (!$c || !($c['searchable'] ?? true)) // searchable is true by default
+                    throw new BadRequestException('Illegal filter request.');
+
+                if (empty($c['field']))
+                    throw new \InvalidArgumentException('Column description misses field name.');
+
+                if ($delegateSearch) {
+                    $options['localSearch'][$c['field']] = $localSearch;
+                } else {
+                    $this->_addCondition($c['field'], $localSearch);
+                }
                 $haveFilters = true;
             }
         }
+
         return $haveFilters;
     }
 
     /**
      * Find data
      *
-     * @param $tableName
-     * @param $finder
-     * @param array $options
-     * @return array|\Cake\ORM\Query
+     * @param $tableName: ORM table name
+     * @param $finder: Finder name (as in Table::find())
+     * @param array $options: Finder options (as in Table::find())
+     * @param array $columns: Column definitions needed for filter/order operations
+     * @return Query to be evaluated (Query::count() may have already been called)
      */
-    public function find($tableName, $finder = 'all', array $options = [])
+    public function find(string $tableName, string $finder = 'all', array $options = [], array $columns = []) : Query
     {
-        $delegateSearch = !empty($options['delegateSearch']);
+        $delegateSearch = $options['delegateSearch'] ?? false;
 
         // -- get table object
         $this->_table = TableRegistry::get($tableName);
 
         // -- process draw & ordering options
         $this->_draw();
-        $this->_order($options);
+        $this->_order($options, $columns);
 
         // -- call table's finder w/o filters
         $data = $this->_table->find($finder, $options);
@@ -183,10 +215,10 @@ public function find($tableName, $finder = 'all', array $options = [])
         $this->_viewVars['recordsTotal'] = $data->count();
 
         // -- process filter options
-        $filters = $this->_filter($options);
+        $haveFilters = $this->_filter($options, $columns);
 
         // -- apply filters
-        if ($filters) {
+        if ($haveFilters) {
             if ($delegateSearch) {
                 // call finder again to process filters (provided in $options)
                 $data = $this->_table->find($finder, $options);
diff --git a/src/View/Helper/DataTablesHelper.php b/src/View/Helper/DataTablesHelper.php
@@ -98,6 +98,10 @@ public function draw(string $selector, array $options = [])
         // fill-in missing language options, in case some were customized
         $options['language'] += $this->config('language');
 
+        // remove field names, which are an internal/server-side setting
+        foreach ($options['columns'] as $name => $column)
+            unset($options['columns'][$name]['field']);
+
         // prepare javascript object from the config, including method calls
         $json = CallbackFunction::resolve(json_encode($options));
 
