Merge pull request #44 from bakaphp/hotfix-sort-injection

kaioken · web-flow · commit 38234455593f · 2021-06-14T21:12:14.000-04:00
diff --git a/src/QueryParserCustomFields.php b/src/QueryParserCustomFields.php
@@ -169,21 +169,60 @@ public function request() : array
         $sort = '';
         if (array_key_exists('sort', $this->request)) {
             $sort = $this->request['sort'];
+            $columnsData = $this->getTableColumns();
 
-            if (!empty($sort)) {
+            if (!empty($sort) && strpos($sort, '|') !== false) {
                 // Get the model, column and sort order from the sent parameter.
-                $modelColumn = $sort;
-                if (strpos($sort, '|') !== false) {
-                    list($modelColumn, $order) = explode('|', $sort);
-                }
+                list($modelColumn, $order) = explode('|', $sort);
                 $order = strtolower($order) === 'asc' ? 'ASC' : 'DESC';
 
                 $modelColumn = preg_replace("/[^a-zA-Z0-9_\s]/", '', $modelColumn);
-                $columnsData = $this->getTableColumns();
+                // Check to see whether this is a related sorting by looking for a
                 if (isset($columnsData[$modelColumn])) {
-                    $sort = " ORDER BY {$modelColumn} {$order}";
+                    if (strpos($modelColumn, '.') !== false) {
+                        // We are using a related sort.
+                        // Get the namespace for the models from the configuration.
+                        $modelNamespace = \Phalcon\Di::getDefault()->getConfig()->namespace->models;
+                        // Get the model name and the sort column from the sent parameter
+                        list($model, $column) = explode('.', $modelColumn);
+                        // Convert the model name into camel case.
+                        $modelName = str_replace(' ', '', ucwords(str_replace('_', ' ', $model)));
+                        // Create the model name with the appended namespace.
+                        $modelName = $modelNamespace . '\\' . $modelName;
+
+                        // Make sure the model exists.
+                        if (!class_exists($modelName)) {
+                            throw new \Exception('Related model does not exist.');
+                        }
+
+                        // Instance the model so we have access to the getSource() function.
+                        $modelObject = new $modelName();
+                        // Instance meta data memory to access the primary keys for the table.
+                        $metaData = new \Phalcon\Mvc\Model\MetaData\Memory();
+                        // Get the first matching primary key.
+                        // @TODO This will hurt on compound primary keys.
+                        $primaryKey = $metaData->getPrimaryKeyAttributes($modelObject)[0];
+                        if ($metaData->hasAttribute($modelObject, $column)) {
+                            // We need the table to exist in the query in order for the related sort to work.
+                            // Therefore we add it to comply with this by comparing the primary key to not being NULL.
+                            $this->relationSearchFields[$modelName][] = [
+                                $primaryKey, ':', '$$',
+                            ];
+
+                            $sort = " ORDER BY {$modelObject->getSource()}.{$column} {$order}";
+                        }
+                        unset($modelObject);
+                    } else {
+                        $sort = " ORDER BY {$modelColumn} {$order}";
+                    }
+                } else {
+                    $sort = null;
+                }
+            } else {
+                if (isset($columnsData[$sort])) {
+                    $sort = " ORDER BY {$sort} DESC";
                 } else {
-                    $sort = '';
+                    $sort = null;
                 }
             }
         }
