
Fix SQL injection via unguarded orderby parameter in REST API helpers#585

Closed

iftakharul-islam with Copilot wants to merge 4 commits into develop from copilot/fix-sqli-vulnerability
Conversation

Copilot AI commented Mar 2, 2026


Authenticated users could inject arbitrary SQL through the orderby query parameter on multiple REST endpoints (e.g. /pm/v2/activities). The PoC: orderby=id/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))a) exploited the lack of input validation before the value was interpolated into the ORDER BY clause.

Changes

  • Empty $order guard — all 8 affected helper files unconditionally set $this->orderby = "ORDER BY " . implode(', ', $order) even when every input was rejected by the whitelist, producing syntactically invalid SQL (ORDER BY with no columns). Wrapped the assignment in if ( !empty( $order ) ) so $this->orderby is left unset (resolved to '' at query time) when no valid columns survive validation.

The core injection defenses were already in place across all helpers:

  • Column names validated against a per-helper whitelist using strict in_array()
  • Sort direction restricted to 'asc' / 'desc'
  • esc_sql() applied to both column and direction before interpolation

Affected files

Activity, File, Milestone, Comment, Discussion_Board, Task, Task_List, User helpers under src/*/Helper/. Project helper already handled the empty case and was left unchanged.

// Before — invalid SQL when all inputs are rejected by whitelist
$this->orderby = "ORDER BY " . implode( ', ', $order );

// After
if ( !empty( $order ) ) {
    $this->orderby = "ORDER BY " . implode( ', ', $order );
}

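The following is an added example, not code from the plugin or from this PR. It models the orderby handling described above (whitelist with strict in_array(), direction limited to asc/desc, and the new empty-$order guard) in one stand-alone function so the before/after behaviour can be exercised against the PoC string. The function name build_orderby, the "col[:dir],col[:dir]" input format and the whitelist contents are assumptions for illustration; the real helpers assign the resulting clause to $this->orderby.

```php
<?php
// Added example, not code from the plugin or this PR. Assumed (hypothetical)
// input format: "col[:dir],col[:dir],..."; each helper has its own whitelist.

function build_orderby( string $raw, array $whitelist, bool $guard_empty = true ): string {
    $order = [];

    foreach ( explode( ',', $raw ) as $item ) {
        $parts     = explode( ':', $item, 2 );
        $column    = trim( $parts[0] );
        $direction = isset( $parts[1] ) ? strtolower( trim( $parts[1] ) ) : 'asc';

        // Strict in_array(): the column must equal one of the literal whitelist
        // strings. Escaping alone would not protect an identifier here, because
        // it is interpolated unquoted and the PoC contains no quote characters.
        if ( ! in_array( $column, $whitelist, true ) ) {
            continue;
        }
        if ( ! in_array( $direction, [ 'asc', 'desc' ], true ) ) {
            $direction = 'asc';
        }
        $order[] = $column . ' ' . strtoupper( $direction );
    }

    if ( empty( $order ) ) {
        // Before the PR: "ORDER BY " with no columns, a syntax error at query
        // time. After the PR: no clause at all.
        return $guard_empty ? '' : 'ORDER BY ' . implode( ', ', $order );
    }

    return 'ORDER BY ' . implode( ', ', $order );
}

// Constructed inputs; the second one is the PoC quoted in the PR description.
$whitelist = [ 'id', 'title', 'created_at' ];
$inputs    = [
    'id:desc,title',
    'id/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))a)',
    'id:desc;DROP TABLE wp_pm_activities',
    'created_at:DESC,priority:asc',
];

foreach ( $inputs as $raw ) {
    printf(
        "%-60s before: %-22s after: %s\n",
        $raw,
        var_export( build_orderby( $raw, $whitelist, false ), true ),
        var_export( build_orderby( $raw, $whitelist, true ), true )
    );
}
```

For the PoC string the "before" column prints 'ORDER BY ' (the invalid clause this PR fixes) and the "after" column prints '' (no clause, query runs unsorted); the third input shows that a junk direction falls back to ASC rather than reaching the query. The point to keep in mind when reviewing similar code: the defense is that the whole column token must match a fixed list, and esc_sql() on an unquoted identifier adds nothing on top of that.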

Copilot AI changed the title from "[WIP] Fix authenticated SQL Injection vulnerability in Project Manager plugin" to "Fix SQL injection via unguarded orderby parameter in REST API helpers" on Mar 2, 2026
sapayth force-pushed the copilot/fix-sqli-vulnerability branch from 470f26e to 8c39fff on May 4, 2026 20:23
sapayth force-pushed the copilot/fix-sqli-vulnerability branch from fe9bb00 to 35c7323 on May 17, 2026 18:56
arifulhoque7 force-pushed the copilot/fix-sqli-vulnerability branch from 6ced1bd to 1e2aaaf on May 18, 2026 10:32
arifulhoque7 force-pushed the copilot/fix-sqli-vulnerability branch from 1e2aaaf to fa63845 on May 28, 2026 17:34
arifulhoque7 force-pushed the copilot/fix-sqli-vulnerability branch from fa63845 to 72aac42 on May 28, 2026 17:59

3 participants