Soft fail on clientside data corruption

curry684 · curry684 · commit d64e7d5c7230 · 2025-07-24T21:50:46.000+02:00
Refs #388
diff --git a/.php-cs-fixer.php b/.php-cs-fixer.php
@@ -24,12 +24,10 @@
         'declare_strict_types' => true,
         'strict_param' => true,
         'strict_comparison' => true,
-        'array_syntax' => ['syntax' => 'short'],
         'concat_space' => ['spacing' => 'one'],
         'header_comment' => ['header' => $header, 'location' => 'after_open'],
 
         'mb_str_functions' => true,
-        //'ordered_class_elements' => true,
         'ordered_imports' => true,
         'phpdoc_align' => false,
         'phpdoc_separation' => false,
diff --git a/src/DataTableState.php b/src/DataTableState.php
@@ -92,8 +92,12 @@ private function handleOrderBy(ParameterBag $parameters): void
         if ($parameters->has('order')) {
             $this->orderBy = [];
             foreach ($parameters->all()['order'] ?? [] as $order) {
-                $column = $this->getDataTable()->getColumn((int) $order['column']);
-                $this->addOrderBy($column, $order['dir'] ?? DataTable::SORT_ASCENDING);
+                try {
+                    $column = $this->getDataTable()->getColumn((int) $order['column']);
+                    $this->addOrderBy($column, $order['dir'] ?? DataTable::SORT_ASCENDING);
+                } catch (\Throwable $t) {
+                    // Column index and direction can be corrupted by malicious clients, ignore any exceptions thus caused
+                }
             }
         }
     }
diff --git a/tests/Unit/DataTableTest.php b/tests/Unit/DataTableTest.php
@@ -144,6 +144,16 @@ public function testSortDirectionValidation(): void
         $this->expectException(\InvalidArgumentException::class);
         $this->expectExceptionMessage('direction must be one of');
 
+        $datatable = $this
+            ->createMockDataTable()
+            ->add('foo', TextColumn::class, ['searchable' => true])
+        ;
+        $datatable->handleRequest(Request::create('/foo', Request::METHOD_POST, ['_dt' => $datatable->getName(), 'draw' => 684]));
+        $datatable->getState()->addOrderBy($datatable->getColumn(0), 'foo');
+    }
+
+    public function testInvalidSortParametersAreIgnored(): void
+    {
         $datatable = $this
             ->createMockDataTable()
             ->add('foo', TextColumn::class, ['searchable' => true])
@@ -156,6 +166,7 @@ public function testSortDirectionValidation(): void
                 'dir' => 'foo',
             ]],
         ]));
+        $this->assertEmpty($datatable->getState()->getOrderBy());
     }
 
     public function testPostMethod(): void

Original file line number	Diff line number	Diff line change
`@@ -92,8 +92,12 @@ private function handleOrderBy(ParameterBag $parameters): void`
`92`	`92`	`if ($parameters->has('order')) {`
`93`	`93`	`$this->orderBy = [];`
`94`	`94`	`foreach ($parameters->all()['order'] ?? [] as $order) {`
`95`		`- $column = $this->getDataTable()->getColumn((int) $order['column']);`
`96`		`- $this->addOrderBy($column, $order['dir'] ?? DataTable::SORT_ASCENDING);`
	`95`	`+ try {`
	`96`	`+ $column = $this->getDataTable()->getColumn((int) $order['column']);`
	`97`	`+ $this->addOrderBy($column, $order['dir'] ?? DataTable::SORT_ASCENDING);`
	`98`	`+ } catch (\Throwable $t) {`
	`99`	`+ // Column index and direction can be corrupted by malicious clients, ignore any exceptions thus caused`
	`100`	`+ }`
`97`	`101`	`}`
`98`	`102`	`}`
`99`	`103`	`}`