Properly fix input sanitation for order parameters

curry684 · curry684 · commit d7c31a0b84ba · 2025-07-23T23:10:23.000+02:00
Refs #388
diff --git a/src/DataTable.php b/src/DataTable.php
@@ -60,6 +60,7 @@ class DataTable
     public const DEFAULT_TEMPLATE = '@DataTables/datatable_html.html.twig';
     public const SORT_ASCENDING = 'asc';
     public const SORT_DESCENDING = 'desc';
+    public const SORT_OPTIONS = [self::SORT_ASCENDING, self::SORT_DESCENDING];
 
     protected ?AdapterInterface $adapter = null;
 
@@ -174,10 +175,11 @@ public function addOrderBy($column, string $direction = self::SORT_ASCENDING)
         if (!$column instanceof AbstractColumn) {
             $column = is_int($column) ? $this->getColumn($column) : $this->getColumnByName((string) $column);
         }
-        if (false !== $this->getOption('ordering')) {
-            $direction = self::SORT_ASCENDING === mb_strtolower($direction) ? self::SORT_ASCENDING : self::SORT_DESCENDING;
-            $this->options['order'][] = [$column->getIndex(), $direction];
+        $direction = mb_strtolower($direction);
+        if (!in_array($direction, self::SORT_OPTIONS, true)) {
+            throw new \InvalidArgumentException(sprintf('Sort direction must be one of %s', implode(', ', self::SORT_OPTIONS)));
         }
+        $this->options['order'][] = [$column->getIndex(), $direction];
 
         return $this;
     }
diff --git a/src/DataTableState.php b/src/DataTableState.php
@@ -181,10 +181,11 @@ public function setGlobalSearch(string $globalSearch): static
 
     public function addOrderBy(AbstractColumn $column, string $direction = DataTable::SORT_ASCENDING): static
     {
-        if (false !== $this->dataTable->getOption('ordering')) {
-            $direction = DataTable::SORT_ASCENDING === mb_strtolower($direction) ? DataTable::SORT_ASCENDING : DataTable::SORT_DESCENDING;
-            $this->orderBy[] = [$column, $direction];
+        $direction = mb_strtolower($direction);
+        if (!in_array($direction, DataTable::SORT_OPTIONS, true)) {
+            throw new \InvalidArgumentException(sprintf('Sort direction must be one of %s', implode(', ', DataTable::SORT_OPTIONS)));
         }
+        $this->orderBy[] = [$column, $direction];
 
         return $this;
     }
diff --git a/tests/Unit/DataTableTest.php b/tests/Unit/DataTableTest.php
@@ -96,7 +96,7 @@ public function testDataTableState(): void
         $state->setGlobalSearch('foo');
         $state->setOrderBy([
             [$datatable->getColumn(0), 'asc'],
-            [$datatable->getColumn(1), 'desc0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z'], // intentional sql-injection test
+            [$datatable->getColumn(1), 'desc'],
         ]);
         $state->setColumnSearch($datatable->getColumn(0), 'bar');
 
@@ -105,7 +105,6 @@ public function testDataTableState(): void
         $this->assertSame('foo', $state->getGlobalSearch());
         $this->assertCount(2, $state->getOrderBy());
         foreach ($state->getOrderBy() as $order) {
-            // ensure sql-injection failed
             $this->assertContains($order[1], [DataTable::SORT_ASCENDING, DataTable::SORT_DESCENDING]);
         }
         $this->assertSame('bar', $state->getSearchColumns(onlySearchable: false)['foo']['search']);
@@ -146,19 +145,23 @@ public function testDataTableStateSearchColumns(): void
     /**
      * If ordering is false, ensure columns are not ordered.
      */
-    public function testDataTablesStateOrdering(): void
+    public function testSortDirectionValidation(): void
     {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('direction must be one of');
+
         $datatable = $this
-            ->createMockDataTable(['ordering' => false])
+            ->createMockDataTable()
             ->add('foo', TextColumn::class, ['searchable' => true])
-            ->add('bar', TextColumn::class, ['searchable' => false])
-            ->setMethod(Request::METHOD_GET)
         ;
-        $datatable->handleRequest(Request::create('/?_dt=' . $datatable->getName()));
-
-        $state = $datatable->getState();
-        $state->addOrderBy($datatable->getColumn(0), DataTable::SORT_DESCENDING);
-        $this->assertEmpty($state->getOrderBy());
+        $datatable->handleRequest(Request::create('/foo', Request::METHOD_POST, [
+            '_dt' => $datatable->getName(),
+            'draw' => 684,
+            'order' => [[
+                'column' => 0,
+                'dir' => 'foo',
+            ]],
+        ]));
     }
 
     public function testPostMethod(): void

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ class DataTable`
`60`	`60`	`public const DEFAULT_TEMPLATE = '@DataTables/datatable_html.html.twig';`
`61`	`61`	`public const SORT_ASCENDING = 'asc';`
`62`	`62`	`public const SORT_DESCENDING = 'desc';`
	`63`	`+ public const SORT_OPTIONS = [self::SORT_ASCENDING, self::SORT_DESCENDING];`
`63`	`64`
`64`	`65`	`protected ?AdapterInterface $adapter = null;`
`65`	`66`
`@@ -174,10 +175,11 @@ public function addOrderBy($column, string $direction = self::SORT_ASCENDING)`
`174`	`175`	`if (!$column instanceof AbstractColumn) {`
`175`	`176`	`$column = is_int($column) ? $this->getColumn($column) : $this->getColumnByName((string) $column);`
`176`	`177`	`}`
`177`		`- if (false !== $this->getOption('ordering')) {`
`178`		`- $direction = self::SORT_ASCENDING === mb_strtolower($direction) ? self::SORT_ASCENDING : self::SORT_DESCENDING;`
`179`		`- $this->options['order'][] = [$column->getIndex(), $direction];`
	`178`	`+ $direction = mb_strtolower($direction);`
	`179`	`+ if (!in_array($direction, self::SORT_OPTIONS, true)) {`
	`180`	`+ throw new \InvalidArgumentException(sprintf('Sort direction must be one of %s', implode(', ', self::SORT_OPTIONS)));`
`180`	`181`	`}`
	`182`	`+ $this->options['order'][] = [$column->getIndex(), $direction];`
`181`	`183`
`182`	`184`	`return $this;`
`183`	`185`	`}`
Original file line number	Diff line number	Diff line change
`@@ -181,10 +181,11 @@ public function setGlobalSearch(string $globalSearch): static`
`181`	`181`
`182`	`182`	`public function addOrderBy(AbstractColumn $column, string $direction = DataTable::SORT_ASCENDING): static`
`183`	`183`	`{`
`184`		`- if (false !== $this->dataTable->getOption('ordering')) {`
`185`		`- $direction = DataTable::SORT_ASCENDING === mb_strtolower($direction) ? DataTable::SORT_ASCENDING : DataTable::SORT_DESCENDING;`
`186`		`- $this->orderBy[] = [$column, $direction];`
	`184`	`+ $direction = mb_strtolower($direction);`
	`185`	`+ if (!in_array($direction, DataTable::SORT_OPTIONS, true)) {`
	`186`	`+ throw new \InvalidArgumentException(sprintf('Sort direction must be one of %s', implode(', ', DataTable::SORT_OPTIONS)));`
`187`	`187`	`}`
	`188`	`+ $this->orderBy[] = [$column, $direction];`
`188`	`189`
`189`	`190`	`return $this;`
`190`	`191`	`}`