Fix SQL injection via unguarded orderby parameter in REST API helpers

[Copilot]

Authenticated users could inject arbitrary SQL through the orderby query parameter on multiple REST endpoints (e.g. /pm/v2/activities). The PoC: orderby=id/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))a) exploited the lack of input validation before the value was interpolated into the ORDER BY clause.

Changes

• Empty $order guard — all 8 affected helper files unconditionally set $this->orderby = "ORDER BY " . implode(', ', $order) even when every input was rejected by the whitelist, producing syntactically invalid SQL (ORDER BY with no columns). Wrapped the assignment in if ( !empty( $order ) ) so $this->orderby is left unset (resolved to '' at query time) when no valid columns survive validation.

The core injection defenses were already in place across all helpers:

• Column names validated against a per-helper whitelist using strict in_array()
• Sort direction restricted to 'asc' / 'desc'
• esc_sql() applied to both column and direction before interpolation

Affected files

Activity, File, Milestone, Comment, Discussion_Board, Task, Task_List, User helpers under src/*/Helper/. Project helper already handled the empty case and was left unchanged.

// Before — invalid SQL when all inputs are rejected by whitelist
$this->orderby = "ORDER BY " . implode( ', ', $order );

// After
if ( !empty( $order ) ) {
    $this->orderby = "ORDER BY " . implode( ', ', $order );
}

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.