Enforce sort direction in dql. Do not allowing ordering when disabled. (#389)

craigh · web-flow · commit 482c8d81316a · 2025-07-23T22:50:15.000+02:00
* Enforce sort direction in dql. Do not allowing ordering when disabled.

* mb_strtolower
diff --git a/src/DataTable.php b/src/DataTable.php
@@ -174,7 +174,10 @@ public function addOrderBy($column, string $direction = self::SORT_ASCENDING)
         if (!$column instanceof AbstractColumn) {
             $column = is_int($column) ? $this->getColumn($column) : $this->getColumnByName((string) $column);
         }
-        $this->options['order'][] = [$column->getIndex(), $direction];
+        if (false !== $this->getOption('ordering')) {
+            $direction = self::SORT_ASCENDING === mb_strtolower($direction) ? self::SORT_ASCENDING : self::SORT_DESCENDING;
+            $this->options['order'][] = [$column->getIndex(), $direction];
+        }
 
         return $this;
     }
diff --git a/src/DataTableState.php b/src/DataTableState.php
@@ -181,7 +181,10 @@ public function setGlobalSearch(string $globalSearch): static
 
     public function addOrderBy(AbstractColumn $column, string $direction = DataTable::SORT_ASCENDING): static
     {
-        $this->orderBy[] = [$column, $direction];
+        if (false !== $this->dataTable->getOption('ordering')) {
+            $direction = DataTable::SORT_ASCENDING === mb_strtolower($direction) ? DataTable::SORT_ASCENDING : DataTable::SORT_DESCENDING;
+            $this->orderBy[] = [$column, $direction];
+        }
 
         return $this;
     }
@@ -199,7 +202,10 @@ public function getOrderBy(): array
      */
     public function setOrderBy(array $orderBy = []): static
     {
-        $this->orderBy = $orderBy;
+        $this->orderBy = [];
+        foreach ($orderBy as [$column, $direction]) {
+            $this->addOrderBy($column, $direction);
+        }
 
         return $this;
     }
diff --git a/tests/Unit/DataTableTest.php b/tests/Unit/DataTableTest.php
@@ -77,7 +77,10 @@ public function testFactoryRemembersInstances(): void
     public function testDataTableState(): void
     {
         $datatable = $this->createMockDataTable();
-        $datatable->add('foo', TextColumn::class)->setMethod(Request::METHOD_GET);
+        $datatable
+            ->add('foo', TextColumn::class)
+            ->add('bar', TextColumn::class)
+            ->setMethod(Request::METHOD_GET);
         $datatable->handleRequest(Request::create('/?_dt=' . $datatable->getName()));
         $state = $datatable->getState();
 
@@ -91,13 +94,20 @@ public function testDataTableState(): void
         $state->setStart(5);
         $state->setLength(10);
         $state->setGlobalSearch('foo');
-        $state->setOrderBy([[0, 'asc'], [1, 'desc']]);
+        $state->setOrderBy([
+            [$datatable->getColumn(0), 'asc'],
+            [$datatable->getColumn(1), 'desc0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z'], // intentional sql-injection test
+        ]);
         $state->setColumnSearch($datatable->getColumn(0), 'bar');
 
         $this->assertSame(5, $state->getStart());
         $this->assertSame(10, $state->getLength());
         $this->assertSame('foo', $state->getGlobalSearch());
         $this->assertCount(2, $state->getOrderBy());
+        foreach ($state->getOrderBy() as $order) {
+            // ensure sql-injection failed
+            $this->assertContains($order[1], [DataTable::SORT_ASCENDING, DataTable::SORT_DESCENDING]);
+        }
         $this->assertSame('bar', $state->getSearchColumns(onlySearchable: false)['foo']['search']);
 
         // Test boundaries
@@ -133,6 +143,24 @@ public function testDataTableStateSearchColumns(): void
         $this->assertSame('foo', $searchColumns['foo']['search']);
     }
 
+    /**
+     * If ordering is false, ensure columns are not ordered.
+     */
+    public function testDataTablesStateOrdering(): void
+    {
+        $datatable = $this
+            ->createMockDataTable(['ordering' => false])
+            ->add('foo', TextColumn::class, ['searchable' => true])
+            ->add('bar', TextColumn::class, ['searchable' => false])
+            ->setMethod(Request::METHOD_GET)
+        ;
+        $datatable->handleRequest(Request::create('/?_dt=' . $datatable->getName()));
+
+        $state = $datatable->getState();
+        $state->addOrderBy($datatable->getColumn(0), DataTable::SORT_DESCENDING);
+        $this->assertEmpty($state->getOrderBy());
+    }
+
     public function testPostMethod(): void
     {
         $datatable = $this->createMockDataTable();

Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,10 @@ public function addOrderBy($column, string $direction = self::SORT_ASCENDING)`
`174`	`174`	`if (!$column instanceof AbstractColumn) {`
`175`	`175`	`$column = is_int($column) ? $this->getColumn($column) : $this->getColumnByName((string) $column);`
`176`	`176`	`}`
`177`		`- $this->options['order'][] = [$column->getIndex(), $direction];`
	`177`	`+ if (false !== $this->getOption('ordering')) {`
	`178`	`+ $direction = self::SORT_ASCENDING === mb_strtolower($direction) ? self::SORT_ASCENDING : self::SORT_DESCENDING;`
	`179`	`+ $this->options['order'][] = [$column->getIndex(), $direction];`
	`180`	`+ }`
`178`	`181`
`179`	`182`	`return $this;`
`180`	`183`	`}`
Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,10 @@ public function setGlobalSearch(string $globalSearch): static`
`181`	`181`
`182`	`182`	`public function addOrderBy(AbstractColumn $column, string $direction = DataTable::SORT_ASCENDING): static`
`183`	`183`	`{`
`184`		`- $this->orderBy[] = [$column, $direction];`
	`184`	`+ if (false !== $this->dataTable->getOption('ordering')) {`
	`185`	`+ $direction = DataTable::SORT_ASCENDING === mb_strtolower($direction) ? DataTable::SORT_ASCENDING : DataTable::SORT_DESCENDING;`
	`186`	`+ $this->orderBy[] = [$column, $direction];`
	`187`	`+ }`
`185`	`188`
`186`	`189`	`return $this;`
`187`	`190`	`}`
`@@ -199,7 +202,10 @@ public function getOrderBy(): array`
`199`	`202`	`*/`
`200`	`203`	`public function setOrderBy(array $orderBy = []): static`
`201`	`204`	`{`
`202`		`- $this->orderBy = $orderBy;`
	`205`	`+ $this->orderBy = [];`
	`206`	`+ foreach ($orderBy as [$column, $direction]) {`
	`207`	`+ $this->addOrderBy($column, $direction);`
	`208`	`+ }`
`203`	`209`
`204`	`210`	`return $this;`
`205`	`211`	`}`