[DDC-3045] Check that EntityRepository APIs prevent SQL injection through field names. Improve EntityManager#find() error handling when invalid identifier fields are passed.
This commit is contained in:
Benjamin Eberlei
parent
fdb9f90848
commit
c8836a008d
3 changed files with 65 additions and 0 deletions
|
|
@ -397,6 +397,11 @@ use Doctrine\Common\Util\ClassUtils;
|
|||
}
|
||||
|
||||
$sortedId[$identifier] = $id[$identifier];
|
||||
unset($id[$identifier]);
|
||||
}
|
||||
|
||||
if ($id) {
|
||||
throw ORMException::unrecognizedIdentifierFields($class->name, array_keys($id));
|
||||
}
|
||||
|
||||
$unitOfWork = $this->getUnitOfWork();
|
||||
|
|
|
|||
|
|
@ -283,6 +283,20 @@ class ORMException extends Exception
|
|||
return new self("The identifier $fieldName is missing for a query of " . $className);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $className
|
||||
* @param string $fieldName
|
||||
*
|
||||
* @return ORMException
|
||||
*/
|
||||
public static function unrecognizedIdentifierFields($className, $fieldNames)
|
||||
{
|
||||
return new self(
|
||||
"Unrecognized identifier fields: '" . implode("', '", $fieldNames) . "' " .
|
||||
"are not present on class '" . $className . "'."
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $functionName
|
||||
*
|
||||
|
|
|
|||
|
|
@ -882,5 +882,51 @@ class EntityRepositoryTest extends \Doctrine\Tests\OrmFunctionalTestCase
|
|||
$this->assertInstanceOf('Doctrine\ORM\Query\ResultSetMappingBuilder', $rsm);
|
||||
$this->assertEquals(array('u' => 'Doctrine\Tests\Models\CMS\CmsUser'), $rsm->aliasMap);
|
||||
}
|
||||
|
||||
/**
|
||||
* @group DDC-3045
|
||||
*/
|
||||
public function testFindByFieldInjectionPrevented()
|
||||
{
|
||||
$this->setExpectedException('Doctrine\ORM\ORMException', 'Unrecognized field: ');
|
||||
|
||||
$repository = $this->_em->getRepository('Doctrine\Tests\Models\CMS\CmsUser');
|
||||
$repository->findBy(array('username = ?; DELETE FROM cms_users; SELECT 1 WHERE 1' => 'test'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @group DDC-3045
|
||||
*/
|
||||
public function testFindOneByFieldInjectionPrevented()
|
||||
{
|
||||
$this->setExpectedException('Doctrine\ORM\ORMException', 'Unrecognized field: ');
|
||||
|
||||
$repository = $this->_em->getRepository('Doctrine\Tests\Models\CMS\CmsUser');
|
||||
$repository->findOneBy(array('username = ?; DELETE FROM cms_users; SELECT 1 WHERE 1' => 'test'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @group DDC-3045
|
||||
*/
|
||||
public function testMatchingInjectionPrevented()
|
||||
{
|
||||
$this->setExpectedException('Doctrine\ORM\ORMException', 'Unrecognized field: ');
|
||||
|
||||
$repository = $this->_em->getRepository('Doctrine\Tests\Models\CMS\CmsUser');
|
||||
$repository->matching(new Criteria(
|
||||
Criteria::expr()->eq('username = ?; DELETE FROM cms_users; SELECT 1 WHERE 1', 'beberlei')
|
||||
));
|
||||
}
|
||||
|
||||
/**
|
||||
* @group DDC-3045
|
||||
*/
|
||||
public function testFindInjectionPrevented()
|
||||
{
|
||||
$this->setExpectedException('Doctrine\ORM\ORMException', 'Unrecognized identifier fields: ');
|
||||
|
||||
$repository = $this->_em->getRepository('Doctrine\Tests\Models\CMS\CmsUser');
|
||||
$repository->find(array('username = ?; DELETE FROM cms_users; SELECT 1 WHERE 1' => 'test', 'id' => 1));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue