PT-2022-2055 · Symfony +1

Dbalabka

Published: 2022-02-10 · Updated: 2022-03-25 · CVE-2022-24752

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SyliusGridBundle versions prior to 1.10.1 and 1.11-rc2

Description: The issue affects the SyliusGridBundle package for Symfony applications. Values appended to the query sorting (the grid's `sorting` request parameter) were passed to the database without validation. The maintainers were unsure whether this could result in a direct SQL injection, but the vulnerability is rated as allowing a remote attacker to execute arbitrary SQL queries.

Recommendations: For versions prior to 1.10.1 and 1.11-rc2, overwrite the `Sylius\Component\Grid\Sorting\Sorter` class and register the replacement in the container as a temporary workaround. The replacement class validates the sorting input (field names against the grid definition, order values against `asc`/`desc`) before anything reaches the query builder.

To implement the workaround, create a new Sorter.php class in the src/App/Sorting directory with the following content:
```php
<?php

// src/App/Sorting/Sorter.php

declare(strict_types=1);

namespace App\Sorting;

use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Sylius\Component\Grid\Data\DataSourceInterface;
use Sylius\Component\Grid\Definition\Grid;
use Sylius\Component\Grid\Parameters;
use Sylius\Component\Grid\Sorting\SorterInterface;

final class Sorter implements SorterInterface
{
    public function sort(DataSourceInterface $dataSource, Grid $grid, Parameters $parameters): void
    {
        $enabledFields = $grid->getFields();
        $expressionBuilder = $dataSource->getExpressionBuilder();

        // Request-supplied sorting, falling back to the grid's configured default.
        $sorting = $parameters->get('sorting', $grid->getSorting());
        if (!is_array($sorting)) {
            throw new BadRequestHttpException('Sorting parameters must be an array.');
        }
        $this->validateSortingParams($sorting, $enabledFields);

        foreach ($sorting as $field => $order) {
            // Cast: a numeric array key arrives as int under strict_types.
            $this->validateFieldNames((string) $field, $enabledFields);

            $gridField = $grid->getField((string) $field);
            $property = $gridField->getSortable();

            // Only fields the grid marks as sortable produce an ORDER BY clause.
            if (null !== $property) {
                $expressionBuilder->addOrderBy($property, $order);
            }
        }
    }

    // Every order value must be exactly 'asc' or 'desc'; nothing else reaches the query.
    private function validateSortingParams(array $sorting, array $enabledFields): void
    {
        foreach (array_keys($enabledFields) as $key) {
            if (array_key_exists($key, $sorting) && !in_array($sorting[$key], ['asc', 'desc'], true)) {
                throw new BadRequestHttpException(sprintf('%s is not valid, use asc or desc instead.', $sorting[$key]));
            }
        }
    }

    // Every sorted field must be one of the fields defined on the grid.
    private function validateFieldNames(string $fieldName, array $enabledFields): void
    {
        $enabledFieldsNames = array_keys($enabledFields);

        if (!in_array($fieldName, $enabledFieldsNames, true)) {
            throw new BadRequestHttpException(sprintf('%s is not a valid field, did you mean one of these: %s?', $fieldName, implode(',', $enabledFieldsNames)));
        }
    }
}
```
Then, register the new Sorter class in the config/services.yaml file so it replaces the bundle's default sorter service:
```yaml
# config/services.yaml
services:
  # ...
  sylius.grid.sorter:
    class: App\Sorting\Sorter
```
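The same allow-list check, as an added example that is not part of the advisory or of SyliusGridBundle: a Python model of the bundle's `sorting[<field>]=<order>` request format in which a grid definition (constructed here) maps field names to sortable database properties, and an ORDER BY clause is produced only from values that pass validation. It generalizes the PHP workaround above by also parsing the raw query string and applying the grid's default sorting when the parameter is absent.

```python
"""Allow-list validation for grid sorting parameters (constructed example).

Models the check the SyliusGridBundle workaround performs: the field must be a
configured grid field and the order must be asc/desc, applied to the
`sorting[<field>]=<order>` query-string format. GRID_FIELDS is made up.
"""
import re
from urllib.parse import parse_qs

# Hypothetical grid definition: grid field name -> sortable DB property
# (None means the field is displayed but not sortable).
GRID_FIELDS = {
    "name": "o.name",
    "createdAt": "o.createdAt",
    "thumbnail": None,
}
DEFAULT_SORTING = {"createdAt": "desc"}
ALLOWED_ORDERS = ("asc", "desc")
_SORT_PARAM = re.compile(r"^sorting\[([^\]]*)\]$")


class BadRequest(ValueError):
    """Raised for a sorting parameter outside the allow-list (HTTP 400)."""


def parse_sorting(query_string: str) -> dict:
    """Extract sorting[field]=order pairs; fall back to the grid default."""
    sorting = {}
    for key, values in parse_qs(query_string, keep_blank_values=True).items():
        m = _SORT_PARAM.match(key)
        if m:
            sorting[m.group(1)] = values[-1]
    return sorting or dict(DEFAULT_SORTING)


def build_order_by(query_string: str, grid_fields=GRID_FIELDS) -> str:
    """Return an ORDER BY clause built only from allow-listed values."""
    clauses = []
    for field, order in parse_sorting(query_string).items():
        if field not in grid_fields:
            raise BadRequest(f"{field!r} is not a valid field")
        if order not in ALLOWED_ORDERS:
            raise BadRequest(f"{order!r} is not valid, use asc or desc")
        prop = grid_fields[field]
        if prop is not None:  # non-sortable fields are silently ignored
            clauses.append(f"{prop} {order.upper()}")
    return "ORDER BY " + ", ".join(clauses) if clauses else ""
```

Because both the column and the direction are taken from the allow-list rather than from the request, nothing the client sends is ever copied into the SQL text.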

Category: SQL injection

Related Identifiers: BDU:2022-01714, CVE-2022-24752, GHSA-2XMM-G482-4439

Affected Products: SyliusGridBundle, Symfony