Vulnerability-Lookup

GHSA-2XMM-G482-4439

Vulnerability from github – Published: 2022-03-15 19:09 – Updated: 2022-03-15 19:09

Summary

DQL injection through sorting parameters blocked

Details

Impact

Values added at the end of query sorting were passed directly to the DB. We don't know, if it could lead to direct SQL injections, however, we should not allow for easy injection of values there anyway.

Patches

The issue is fixed in version 1.10.1 and in 1.11-rc.1

Workarounds

You have to overwrite your Sylius\Component\Grid\Sorting\Sorter.php class:

<?php

// src/App/Sorting/Sorter.php

declare(strict_types=1);

namespace App\Sorting;

use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Sylius\Component\Grid\Data\DataSourceInterface;
use Sylius\Component\Grid\Definition\Grid;
use Sylius\Component\Grid\Parameters;
use Sylius\Component\Grid\Sorting\SorterInterface;

final class Sorter implements SorterInterface
{
    public function sort(DataSourceInterface $dataSource, Grid $grid, Parameters $parameters): void
    {
        $enabledFields = $grid->getFields();
        $expressionBuilder = $dataSource->getExpressionBuilder();

        $sorting = $parameters->get('sorting', $grid->getSorting());
        $this->validateSortingParams($sorting, $enabledFields);

        foreach ($sorting as $field => $order) {
            $this->validateFieldNames($field, $enabledFields);

            $gridField = $grid->getField($field);
            $property = $gridField->getSortable();

            if (null !== $property) {
                $expressionBuilder->addOrderBy($property, $order);
            }
        }
    }

    private function validateSortingParams(array $sorting, array $enabledFields): void
    {
        foreach (array_keys($enabledFields) as $key) {
            if (array_key_exists($key, $sorting) && !in_array($sorting[$key], ['asc', 'desc'])) {
                throw new BadRequestHttpException(sprintf('%s is not valid, use asc or desc instead.', $sorting[$key]));
            }
        }
    }

    private function validateFieldNames(string $fieldName, array $enabledFields): void
    {
        $enabledFieldsNames = array_keys($enabledFields);

        if (!in_array($fieldName, $enabledFieldsNames, true)) {
            throw new BadRequestHttpException(sprintf('%s is not valid field, did you mean one of these: %s?', $fieldName, implode(', ', $enabledFieldsNames)));
        }
    }
}

and register it in your container:

# config/services.yaml
services:
    # ...
    sylius.grid.sorter:
        class: App\Sorting\Sorter

For more information

If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/grid-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-15T19:09:16Z",
    "nvd_published_at": "2022-03-15T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nValues added at the end of query sorting were passed directly to the DB. We don\u0027t know, if it could lead to direct SQL injections, however, we should not allow for easy injection of values there anyway.\n\n### Patches\nThe issue is fixed in version 1.10.1 and in 1.11-rc.1\n\n### Workarounds\n\nYou have to overwrite your `Sylius\\Component\\Grid\\Sorting\\Sorter.php` class:\n\n```php\n\u003c?php\n\n// src/App/Sorting/Sorter.php\n\ndeclare(strict_types=1);\n\nnamespace App\\Sorting;\n\nuse Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException;\nuse Sylius\\Component\\Grid\\Data\\DataSourceInterface;\nuse Sylius\\Component\\Grid\\Definition\\Grid;\nuse Sylius\\Component\\Grid\\Parameters;\nuse Sylius\\Component\\Grid\\Sorting\\SorterInterface;\n\nfinal class Sorter implements SorterInterface\n{\n    public function sort(DataSourceInterface $dataSource, Grid $grid, Parameters $parameters): void\n    {\n        $enabledFields = $grid-\u003egetFields();\n        $expressionBuilder = $dataSource-\u003egetExpressionBuilder();\n\n        $sorting = $parameters-\u003eget(\u0027sorting\u0027, $grid-\u003egetSorting());\n        $this-\u003evalidateSortingParams($sorting, $enabledFields);\n\n        foreach ($sorting as $field =\u003e $order) {\n            $this-\u003evalidateFieldNames($field, $enabledFields);\n\n            $gridField = $grid-\u003egetField($field);\n            $property = $gridField-\u003egetSortable();\n\n            if (null !== $property) {\n                $expressionBuilder-\u003eaddOrderBy($property, $order);\n            }\n        }\n    }\n\n    private function validateSortingParams(array $sorting, array $enabledFields): void\n    {\n        foreach (array_keys($enabledFields) as $key) {\n            if (array_key_exists($key, $sorting) \u0026\u0026 !in_array($sorting[$key], [\u0027asc\u0027, \u0027desc\u0027])) {\n                throw new BadRequestHttpException(sprintf(\u0027%s is not valid, use asc or desc instead.\u0027, $sorting[$key]));\n            }\n        }\n    }\n\n    private function validateFieldNames(string $fieldName, array $enabledFields): void\n    {\n        $enabledFieldsNames = array_keys($enabledFields);\n\n        if (!in_array($fieldName, $enabledFieldsNames, true)) {\n            throw new BadRequestHttpException(sprintf(\u0027%s is not valid field, did you mean one of these: %s?\u0027, $fieldName, implode(\u0027, \u0027, $enabledFieldsNames)));\n        }\n    }\n}\n```\nand register it in your container: \n\n```yaml\n# config/services.yaml\nservices:\n    # ...\n    sylius.grid.sorter:\n        class: App\\Sorting\\Sorter\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-2xmm-g482-4439",
  "modified": "2022-03-15T19:09:16Z",
  "published": "2022-03-15T19:09:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusGridBundle/security/advisories/GHSA-2xmm-g482-4439"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusGridBundle/pull/222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusGridBundle/commit/73d0791d0575f955e830a3da4c3345f420d2f784"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/SyliusGridBundle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DQL injection through sorting parameters blocked"
}

CVE-2022-24752 (GCVE-0-2022-24752)

Vulnerability from cvelistv5 – Published: 2022-03-15 14:40 – Updated: 2025-04-23 18:53

Title

SQL Injection through sorting parameters in SyliusGridBundle

Summary

SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the`Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Sylius/SyliusGridBundle/securi…	x_refsource_CONFIRM
	https://github.com/Sylius/SyliusGridBundle/pull/222	x_refsource_MISC
	https://github.com/Sylius/SyliusGridBundle/commit…	x_refsource_MISC
	https://github.com/Sylius/SyliusGridBundle/releas…	x_refsource_MISC
	https://github.com/Sylius/SyliusGridBundle/releas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Sylius	SyliusGridBundle	Affected: < 1.10.1 Affected: 1.11-alpha, <= 1.11-rc

Show details on NVD website