
Eloquents attach association doesn't prevent sql injection #31607

Closed
SengPhirum opened this issue Feb 27, 2020 · 9 comments

Comments

@SengPhirum

When

```php
// inject single quote in array
$partIds = ["1'", "2'"];

$model->cars()->attach($partIds);
```

The query will crash, so it will be vulnerable to attack by SQL injection.

@mantas-done commented Feb 27, 2020

[screenshot]

Seems fine. Your example doesn't show sql vulnerability.

@SengPhirum (Author)

@mantas-done Can you test by passing role ids in the request as `role_ids[]=1%27&role_ids[]=2%27`, then using them like this:

```php
$user->roles()->attach($request->get('role_ids'))
```

Thanks for checking

@mantas-done

[screenshot]

No crash or sql injection.

@SengPhirum (Author)

@mantas-done, are you testing on the Laravel framework or on Lumen? Which Laravel version did you test with?

I'm using: `"laravel/lumen-framework": "5.8.*"`

@mantas-done

Laravel 5.8 isn't supported anymore (from yesterday). https://laravel.com/docs/master/releases

@SengPhirum (Author)

@mantas-done, okay, I got it. Thanks.

@rs-sliske

When you say it crashed, what error did it give?

@SengPhirum (Author) commented Feb 27, 2020

@rs-sliske

```text
[2020-02-27 08:59:29] local.ERROR: PDOException: SQLSTATE[01000]: Warning: 1265 Data truncated for column 'category_id' at row 1 in /var/www/html/service_source/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php:117 Stack trace: #0 /var/www/html/service_source/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php(117): PDOStatement->execute(NULL) #1 /var/www/html/service_source/vendor/illuminate/database/Connection.php(458): Doctrine\DBAL\Driver\PDOStatement->execute() #2 /var/www/html/service_source/vendor/illuminate/database/Connection.php(657): Illuminate\Database\Connection->Illuminate\Database\{closure}('insert into an...', Array)
#3 /var/www/html/service_source/vendor/illuminate/database/Connection.php(624): Illuminate\Database\Connection->runQueryCallback('insert into an...', Array, Object(Closure)) #4 /var/www/html/service_source/vendor/illuminate/database/Connection.php(459): Illuminate\Database\Connection->run('insert into an...', Array, Object(Closure))
#5 /var/www/html/service_source/vendor/illuminate/database/Connection.php(411): Illuminate\Database\Connection->statement('insert into an...', Array) #6 /var/www/html/service_source/vendor/illuminate/database/Query/Builder.php(2646): Illuminate\Database\Connection->insert('insert into an...', Array)
#7 /var/www/html/service_source/vendor/illuminate/database/Eloquent/Relations/Concerns/InteractsWithPivotTable.php(259): Illuminate\Database\Query\Builder->insert(Array)
#8 /var/www/html/service_source/app/Repositories/AnnouncementRepository.php(67): Illuminate\Database\Eloquent\Relations\BelongsToMany->attach(Array)
#9 /var/www/html/service_source/app/Http/Controllers/V1/AnnouncementController.php(83): App\Repositories\AnnouncementRepository->create(Array)
#10 [internal function]: App\Http\Controllers\V1\AnnouncementController->store(Object(Laravel\Lumen\Http\Request))
```

@rs-sliske

That error doesn't indicate SQL injection; it is just that you don't have any validation to ensure that the values are the correct type/size.
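The validation fix rs-sliske points at, written out as an added example that is not code from this issue thread, from Laravel or from Lumen. The trace above shows the pivot insert running through `Connection->insert('insert into an...', Array)`, i.e. the ids travel as PDO bindings, so a value like `1'` never alters the SQL text; what MySQL objects to is storing a non-numeric string in an integer column, which is the SQLSTATE 01000 / 1265 "Data truncated" warning. The controller below rejects such values before `attach()` is reached, and a `DB::listen` hook logs the SQL and bindings so you can confirm the shape of the query yourself. The model, table and column names (`User`, `roles`, `id`) and the route are assumptions.

```php
<?php
// Added example, not from the issue thread or from the framework.
// Assumed: a User model with a roles() BelongsToMany relation, a `roles`
// table with an integer `id` column, and a request carrying role_ids[].

namespace App\Http\Controllers;

use App\User;                       // assumed model location
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;

class UserRoleController extends Controller
{
    public function store(Request $request, User $user)
    {
        // Fail the request (HTTP 422 in Laravel/Lumen) if any id is not an
        // integer, or does not exist in the roles table. This is what
        // turns "1'" into a validation error instead of a 500 from PDO.
        $this->validate($request, [
            'role_ids'   => ['required', 'array'],
            'role_ids.*' => ['integer', 'exists:roles,id'],
        ]);

        // Log the query Eloquent hands to PDO. For attach() this is
        // "insert into role_user (...) values (?, ?)" with the ids in
        // $query->bindings, which is why a quote in an id cannot change
        // the statement. (In a real app register this once in a service
        // provider's boot() rather than per request.)
        DB::listen(function ($query) {
            Log::debug('pivot insert', [
                'sql'      => $query->sql,
                'bindings' => $query->bindings,
            ]);
        });

        // Only validated ids reach the pivot insert; cast them to int so
        // the column type of the pivot table is always satisfied.
        $roleIds = array_map('intval', $request->input('role_ids'));
        $user->roles()->attach($roleIds);

        return response()->json(['attached' => $roleIds]);
    }
}
```

`$this->validate()` is used rather than `$request->validate()` because the former exists in both Laravel controllers (ValidatesRequests) and Lumen controllers (ProvidesConvenienceMethods), and the reporter is on Lumen 5.8. The `exists` rule costs one extra query; drop it if the ids are already constrained by a foreign key and you only want the type check.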
