🔒 (SQL injection) Fixed 2 SQL injection flaws in Filters

Teddy Roncin · Teddy Roncin · commit 312c5f79f0e7 · 2023-02-03T15:14:51.000+01:00
SearchInNamesFilter and UEFilter both contained a SQL injection flaw. It has been fixed
diff --git a/src/ApiPlatform/SearchInNamesFilter.php b/src/ApiPlatform/SearchInNamesFilter.php
@@ -27,9 +27,11 @@ protected function filterProperty(string $property, $value, QueryBuilder $queryB
         }
         $alias = $queryBuilder->getRootAliases()[0];
         $infoAlias = $queryNameGenerator->generateJoinAlias('info');
+        $valueParameter = $queryNameGenerator->generateParameterName('value');
         $queryBuilder
             ->innerJoin("{$alias}.infos", $infoAlias)
-            ->andWhere("({$alias}.firstName LIKE '%{$value}%' OR {$alias}.lastName LIKE '%{$value}%' OR {$infoAlias}.nickname LIKE '%{$value}%')")
+            ->andWhere("({$alias}.firstName LIKE :{$valueParameter} OR {$alias}.lastName LIKE :{$valueParameter} OR {$infoAlias}.nickname LIKE :{$valueParameter})")
+            ->setParameter($valueParameter, "%{$value}%")
         ;
     }
 }
diff --git a/src/ApiPlatform/UEFilter.php b/src/ApiPlatform/UEFilter.php
@@ -27,18 +27,21 @@ protected function filterProperty(string $property, $value, QueryBuilder $queryB
             return;
         }
         $alias = $queryBuilder->getRootAliases()[0];
+        $nowParameter = $queryNameGenerator->generateParameterName('now');
         foreach ($value as $ueCode) {
             $ueAlias = $queryNameGenerator->generateJoinAlias('UE');
             $ueSubscriptionAlias = $queryNameGenerator->generateJoinAlias('UEsSubscriptions');
             $semesterAlias = $queryNameGenerator->generateJoinAlias('Semester');
+            $ueParameter = $queryNameGenerator->generateParameterName('ue');
             $queryBuilder->innerJoin("{$alias}.UEsSubscriptions", $ueSubscriptionAlias)
                 ->innerJoin("{$ueSubscriptionAlias}.UE", $ueAlias)
                 ->innerJoin("{$ueSubscriptionAlias}.semester", $semesterAlias)
-                ->andWhere("{$ueAlias}.code = '{$ueCode}'")
-                ->andWhere("{$semesterAlias}.start <= :now")
-                ->andWhere("{$semesterAlias}.end >= :now")
+                ->andWhere("{$ueAlias}.code = :{$ueParameter}")
+                ->andWhere("{$semesterAlias}.start <= :{$nowParameter}")
+                ->andWhere("{$semesterAlias}.end >= :{$nowParameter}")
+                ->setParameter($ueParameter, $ueCode)
             ;
         }
-        $queryBuilder->setParameter('now', new \DateTime());
+        $queryBuilder->setParameter($nowParameter, new \DateTime());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,11 @@ protected function filterProperty(string $property, $value, QueryBuilder $queryB`
`27`	`27`	`}`
`28`	`28`	`$alias = $queryBuilder->getRootAliases()[0];`
`29`	`29`	`$infoAlias = $queryNameGenerator->generateJoinAlias('info');`
	`30`	`+ $valueParameter = $queryNameGenerator->generateParameterName('value');`
`30`	`31`	`$queryBuilder`
`31`	`32`	`->innerJoin("{$alias}.infos", $infoAlias)`
`32`		`- ->andWhere("({$alias}.firstName LIKE '%{$value}%' OR {$alias}.lastName LIKE '%{$value}%' OR {$infoAlias}.nickname LIKE '%{$value}%')")`
	`33`	`+ ->andWhere("({$alias}.firstName LIKE :{$valueParameter} OR {$alias}.lastName LIKE :{$valueParameter} OR {$infoAlias}.nickname LIKE :{$valueParameter})")`
	`34`	`+ ->setParameter($valueParameter, "%{$value}%")`
`33`	`35`	`;`
`34`	`36`	`}`
`35`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,18 +27,21 @@ protected function filterProperty(string $property, $value, QueryBuilder $queryB`
`27`	`27`	`return;`
`28`	`28`	`}`
`29`	`29`	`$alias = $queryBuilder->getRootAliases()[0];`
	`30`	`+ $nowParameter = $queryNameGenerator->generateParameterName('now');`
`30`	`31`	`foreach ($value as $ueCode) {`
`31`	`32`	`$ueAlias = $queryNameGenerator->generateJoinAlias('UE');`
`32`	`33`	`$ueSubscriptionAlias = $queryNameGenerator->generateJoinAlias('UEsSubscriptions');`
`33`	`34`	`$semesterAlias = $queryNameGenerator->generateJoinAlias('Semester');`
	`35`	`+ $ueParameter = $queryNameGenerator->generateParameterName('ue');`
`34`	`36`	`$queryBuilder->innerJoin("{$alias}.UEsSubscriptions", $ueSubscriptionAlias)`
`35`	`37`	`->innerJoin("{$ueSubscriptionAlias}.UE", $ueAlias)`
`36`	`38`	`->innerJoin("{$ueSubscriptionAlias}.semester", $semesterAlias)`
`37`		`- ->andWhere("{$ueAlias}.code = '{$ueCode}'")`
`38`		`- ->andWhere("{$semesterAlias}.start <= :now")`
`39`		`- ->andWhere("{$semesterAlias}.end >= :now")`
	`39`	`+ ->andWhere("{$ueAlias}.code = :{$ueParameter}")`
	`40`	`+ ->andWhere("{$semesterAlias}.start <= :{$nowParameter}")`
	`41`	`+ ->andWhere("{$semesterAlias}.end >= :{$nowParameter}")`
	`42`	`+ ->setParameter($ueParameter, $ueCode)`
`40`	`43`	`;`
`41`	`44`	`}`
`42`		`- $queryBuilder->setParameter('now', new \DateTime());`
	`45`	`+ $queryBuilder->setParameter($nowParameter, new \DateTime());`
`43`	`46`	`}`
`44`	`47`	`}`