|
| 1 | +<?php |
| 2 | + |
| 3 | +use PowerComponents\LivewirePowerGrid\DataSource\Processors\Database\Pipelines\{ColumnRawQueries, Sorting}; |
| 4 | +use PowerComponents\LivewirePowerGrid\Tests\Concerns\Components\{DishesCustomSortTable, DishesNaturalSortTable}; |
| 5 | +use PowerComponents\LivewirePowerGrid\Tests\Concerns\Models\Dish; |
| 6 | + |
| 7 | +use function PowerComponents\LivewirePowerGrid\Tests\Plugins\livewire; |
| 8 | + |
| 9 | +/* |
| 10 | +| Regression tests for GHSA-7fgc-3h6c-698r — SQL injection through the public |
| 11 | +| sortDirection Livewire property. The direction reaches raw ORDER BY clauses |
| 12 | +| through two paths (naturalSort and sortUsing callbacks); both must be |
| 13 | +| restricted to an asc/desc allowlist. |
| 14 | +*/ |
| 15 | + |
| 16 | +$payload = 'asc, (SELECT SLEEP(3))'; |
| 17 | + |
| 18 | +it('neutralizes SQL injection through sortDirection on a naturalSort column', function () use ($payload) { |
| 19 | + $component = new DishesNaturalSortTable(); |
| 20 | + |
| 21 | + // The advisory bypass: an empty sortField skips the Sorting pipeline, but |
| 22 | + // ColumnRawQueries still applies the naturalSort orderByRaw unconditionally. |
| 23 | + $component->sortField = ''; |
| 24 | + $component->sortDirection = $payload; |
| 25 | + |
| 26 | + $query = Dish::query(); |
| 27 | + |
| 28 | + (new ColumnRawQueries($component))->handle($query, fn ($q) => $q); |
| 29 | + |
| 30 | + expect($query->toSql()) |
| 31 | + ->not->toContain('SLEEP') |
| 32 | + ->toContain(' asc'); |
| 33 | +}); |
| 34 | + |
| 35 | +it('neutralizes SQL injection through sortDirection in a custom sort callback', function () use ($payload) { |
| 36 | + $component = new DishesCustomSortTable(); |
| 37 | + |
| 38 | + // The "price" column uses sortUsing() with orderByRaw("... {$direction}"). |
| 39 | + $component->sortField = 'price'; |
| 40 | + $component->sortDirection = $payload; |
| 41 | + |
| 42 | + $query = Dish::query(); |
| 43 | + |
| 44 | + (new Sorting($component))->handle($query, fn ($q) => $q); |
| 45 | + |
| 46 | + expect($query->toSql())->not->toContain('SLEEP'); |
| 47 | +}); |
| 48 | + |
| 49 | +it('normalizes a tampered sortDirection to asc through the Livewire lifecycle', function () use ($payload) { |
| 50 | + // Reproduces the exact advisory request: sortField="" + a malicious |
| 51 | + // sortDirection sent via /livewire/update. The updatedSortDirection hook |
| 52 | + // must normalize it, and the render (which runs the naturalSort query) |
| 53 | + // must not fail with a SQL error. |
| 54 | + livewire(DishesNaturalSortTable::class) |
| 55 | + ->set('sortField', '') |
| 56 | + ->set('sortDirection', $payload) |
| 57 | + ->assertSet('sortDirection', 'asc'); |
| 58 | +}); |
0 commit comments