[6.x] Limit expected bindings #35865
Conversation
| // $builder = $this->getBuilder(); | ||
| // $builder->select('*')->from('users')->where('id', '<>', [12, 30]); | ||
| // $this->assertSame('select * from "users" where "id" <> ?', $builder->toSql()); | ||
| // $this->assertEquals([0 => 12, 1 => 30], $builder->getBindings()); |
There was a problem hiding this comment.
Was this intentional? (To clarify I'm talking about the ^^ above ^^ commented out tests)
There was a problem hiding this comment.
Yes. This test checks something that is a security vulnerability works.
There was a problem hiding this comment.
But it's commented out... 🤷🏻♂️
There was a problem hiding this comment.
@u01jmg3 As far as I can tell, the whereIn()-function should be used when querying if a value is in an array:
Since devs may encounter situations where they don't know if the argument is a string or an array, it is convenient to be able to use where() with an array.
But apparently this convenience function can cause unexpected behavior which can be exploited: https://blog.laravel.com/security-laravel-62011-7302-8221-released
There was a problem hiding this comment.
How exactly would such behaviour be exploitable? In the worst case, it should throw an error, shouldn't it?
There was a problem hiding this comment.
There was a problem hiding this comment.
@taylorotwell @driesvints @GrahamCampbell @KaneCohen @jaylinski @genesiscz
Do you really think that the following patch fixes the vulnerability? I don't think so.
$value = is_array($value) ? head($value) : $value;According to Laravel Security Advisory - January 13 2021 | Kane Cohen, the following exploitation should work.
// HTTP Request Query: https://laravel.com/users?id[]=1&id[]=1
$id = Request::input('id');
User::where('id', $id)->where('is_admin', 0)->first();
// This could lead to a query where "is_admin" column is set to 1.After the patch, attackers can also do like this:
// HTTP Request Query: https://laravel.com/users?id[0][]=1&id[0][]=1
$id = Request::input('id');
User::where('id', $id)->where('is_admin', 0)->first();
// This could lead to a query where "is_admin" column is set to 1.Since PHP input arrays can be nested multiple times, this is not a fundamental fix.
There was a problem hiding this comment.
This should be a validation this that you should do before, as it is a standard to always validate your data before using them , and Laravel Validation rules can validate values to check it is a string or array or boolean and can also do casts, but more importantly it can know when an array is inserted instead of a string for example. so this should be a valid Fix for this error.
Limit the bindings to the number of bindings we actually expect for the given query.