Merge branch rel-10.5 with rel-10.4#25621
Merged
Merged
Conversation
hooks System.Linq.Dynamic.Core's QueryOptimizer so OrderBy / ThenBy selectors derived from ISortedResultRequest.Sorting are constrained to plain property or field access; anything else throws AbpValidationException
cover ThenBy, compound, chained method calls, args parameterization, concurrent install, inheritance, empty / null sorting, culture and case-sensitivity edges
…guard-10.4 fix(ddd): restrict dynamic sorting selectors to property/field access
voloagent
approved these changes
Jun 11, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR backports a security hardening change into Volo.Abp.Ddd.Application by installing a Dynamic LINQ query optimizer hook that validates dynamic OrderBy/ThenBy selectors and rejects unsafe sorting expressions, along with a dedicated test project covering the guard behavior.
Changes:
- Add
AbpDynamicSortingGuardthat inspects Dynamic.Core-generatedOrderBy/ThenByexpression trees and throwsAbpValidationExceptionfor disallowed selector shapes. - Install the guard during
AbpDddApplicationModule.PreConfigureServices. - Add a new
Volo.Abp.Ddd.Application.Testsproject with comprehensive unit tests for accepted/rejected sorting expressions and installation behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| framework/src/Volo.Abp.Ddd.Application/Volo/Abp/Application/Services/AbpDynamicSortingGuard.cs | Introduces the query optimizer hook and expression visitors that enforce sorting selector validation. |
| framework/src/Volo.Abp.Ddd.Application/Volo/Abp/Application/AbpDddApplicationModule.cs | Installs the guard during module pre-configuration so it is active by default. |
| framework/test/Volo.Abp.Ddd.Application.Tests/Volo/Abp/Application/Services/AbpDynamicSortingGuard_Tests.cs | Adds tests validating allowed property sorting, blocked method/binary expressions, and install/reset behavior. |
| framework/test/Volo.Abp.Ddd.Application.Tests/Volo/Abp/Application/AbpDddApplicationTestModule.cs | Defines the test module dependencies for integrated testing. |
| framework/test/Volo.Abp.Ddd.Application.Tests/Volo/Abp/Application/AbpDddApplicationTestBase.cs | Adds an integrated test base configuring Autofac for the new test project. |
| framework/test/Volo.Abp.Ddd.Application.Tests/Volo.Abp.Ddd.Application.Tests.csproj | Adds the new test project configuration and references. |
| framework/test/Volo.Abp.Ddd.Application.Tests/Volo.Abp.Ddd.Application.Tests.abppkg | Declares the project package role as a test library. |
Comment on lines
+12
to
+17
| /// <summary> | ||
| /// Framework infrastructure. Hooks <see cref="ExtensibilityPoint.QueryOptimizer"/> so | ||
| /// every OrderBy / ThenBy expression built from a user-supplied sorting string is | ||
| /// constrained to plain property or field access. Methods, comparisons, ternaries | ||
| /// and constants in the sort key are rejected with <see cref="AbpValidationException"/>. | ||
| /// </summary> |
| [InlineData("(Age + 10) desc")] // binary arithmetic | ||
| [InlineData("(Age * Age) desc")] // binary arithmetic | ||
| [InlineData("(-Age) desc")] // unary negation wraps something; only Negate is allowed via base.VisitUnary, but the operand is a plain member so this passes — keep as accept check | ||
| public void Should_Reject_Compound_Or_Arithmetic_Expressions(string sorting) |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## rel-10.5 #25621 +/- ##
============================================
- Coverage 49.38% 49.35% -0.04%
============================================
Files 3685 3686 +1
Lines 124308 124358 +50
Branches 9494 9499 +5
============================================
- Hits 61392 61377 -15
- Misses 61077 61156 +79
+ Partials 1839 1825 -14 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR generated automatically to merge rel-10.5 with rel-10.4. Please review the changed files before merging to prevent any errors that may occur.