
Commit 6af2693

committed
Prevent sleep()/benchmark() usage in xPDO criteria
1 parent 6271aa9 commit 6af2693


2 files changed

+39
-0
lines changed


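--- a/src/xPDO/Om/xPDOQuery.php
+++ b/src/xPDO/Om/xPDOQuery.php
@@ -101,6 +101,12 @@ public static function isValidClause($clause) {
 $output = preg_replace('/\\".*?\\"/', '{mask}', $output);
 $output = preg_replace("/'.*?'/", '{mask}', $output);
 $output = preg_replace('/".*?"/', '{mask}', $output);
+if (preg_match('/sleep\s*\(\s*\d+\s*\)/i', $output) > 0) {
+return false;
+}
+if (preg_match('/benchmark\s*\(\s*.+,.+\s*\)/i', $output) > 0) {
+return false;
+}
 return strpos($output, ';') === false && strpos(strtolower($output), 'union') === false;
 }
 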

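--- a/test/xPDO/Test/Om/xPDOQueryTest.php
+++ b/test/xPDO/Test/Om/xPDOQueryTest.php
@@ -549,13 +549,46 @@ public function testInvalidClauses($clause) {
 
 $this->assertTrue($result === null, 'xPDOQuery allowed invalid clause');
 }
+
 public function providerInvalidClauses() {
 return array(
 array("1=1;DROP TABLE `person`"),
 array("1=1 UNION SELECT * FROM `person` WHERE id = 2"),
 array("1=1 UNION SELECT * FROM `person` WHERE id = 2;"),
 array(array("1=1; DROP TABLE `person`;" => '')),
 array(array("1=1 UNION SELECT * FROM `person` WHERE id = 2" => '')),
+array("1=sleep(1)"),
+array(array("1=sleep(1)")),
+array("1 = sleep ( 69 )"),
+array("sleep ( 69 )"),
+array("1=1"),
+array("benchmark(999, 100+1)"),
+array("if(now()=sysdate(),sleep (20),0)"),
+);
+}
+
+/**
+ * @param $clause
+ * @dataProvider providerInvalidClause
+ */
+public function testInvalidClauseReturnsFalse($clause) {
+$this->assertFalse(xPDOQuery::isValidClause($clause));
+}
+
+public function providerInvalidClause() {
+return array(
+array("1=1;DROP TABLE `person`"),
+array("1=1 UNION SELECT * FROM `person` WHERE id = 2"),
+array("1=1 UNION SELECT * FROM `person` WHERE id = 2;"),
+array("1=1; DROP TABLE `person`;"),
+array("1=1 UNION SELECT * FROM `person` WHERE id = 2"),
+array("1=sleep(1)"),
+array("1 = sleep ( 69 )"),
+array("sleep ( 69 )"),
+array("1=benchmark(1000,1+1)"),
+array("1 =benchmark( 999,100+1)"),
+array("benchmark ( 999, 100+1 )"),
+array("if(now()=sysdate(),sleep (20),0)"),
 );
 }
 }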
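Review bot: The `array("1=1")` dataset added to providerInvalidClauses at new line 564 does not look like an invalid clause: it contains no `;`, `union`, `sleep(` or `benchmark(`, so isValidClause accepts it, and it is conspicuously absent from the new providerInvalidClause list below. Unless something in testInvalidClauses (whose body starts before this hunk) makes a plain `1=1` query return null, that case will fail or, worse, pass for the wrong reason; I would drop the line, or move it to a valid-clauses provider with the opposite assertion. It would also be worth adding datasets for the forms the new regexes do not catch, such as `array("1=sleep('5')")` and `array("1=sleep(1.5)")`, so the validator is pinned against quoted and non-integer arguments rather than only the `sleep ( 69 )` shape.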
