Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use psalm literal-string type, to address Injection Vulnerabilities #8933

Open
craigfrancis opened this issue Aug 22, 2021 · 1 comment
Open

Use psalm literal-string type, to address Injection Vulnerabilities #8933

craigfrancis opened this issue Aug 22, 2021 · 1 comment

Comments

@craigfrancis
Copy link
Contributor

craigfrancis commented Aug 22, 2021
edited
Loading

Feature Request

Q A
New Feature yes
RFC yes
BC Break maybe

Summary

Psalm 4.8 introduced a new literal-string type, which addresses the main source of Injection Vulnerabilities - developers incorrectly including user-input in sensitive strings, before they are provided to Doctrine, e.g.

    $result = $qb
      ->select('u')
      ->from('User', 'u')
      ->where('u.id = ' . $_GET['id']); // INSECURE

literal-string works by distinguishing strings from a trusted developer, from strings that may be attacker controlled.

Considering QueryBuilder::add() already uses string|object|array for $dqlPart, the same could be used for where() $predicates.

However, by using literal-string|object|array for where($predicates), the literal-string type will check the developer wrote that string, and gets them to use setParameter() for user-input (as they should).

The literal-string type could be used in a few other locations as well (especially with the Injection risks that come with DQL); but I'd like to start the discussion with where().

The only issue I can see is Connection::quoteIdentifier(), for those rare times when user-input is used for table/field/etc names. Because it can return a non literal-string value, it cannot be concatenated into $predicates; so maybe there should be a QueryBuilder::setIdentifier() to ensure these values are always quoted correctly, something like:

    $result = $qb
      ->select('u')
      ->from('User', 'u')
      ->where('{my_field} = :my_value')
      ->setIdentifier('my_field', $_GET['field'])
      ->setParameter('my_value', $_GET['id']);
@craigfrancis craigfrancis changed the title Use psalm literal-string type Use psalm literal-string type, to address Injection Vulnerabilities Aug 22, 2021
@craigfrancis
Copy link
Contributor Author

The literal-string is also available in PHPStan 0.12.97

craigfrancis added a commit to craigfrancis/orm that referenced this issue Sep 29, 2021
@craigfrancis
Start implementing $qb->setIdentifier()
eee4a4d 
Just adding the public methods to set/get Identifiers, to start the discussion on Issue doctrine#8933.
@craigfrancis craigfrancis mentioned this issue Sep 29, 2021
Closed
@craigfrancis craigfrancis mentioned this issue Nov 15, 2021
Closed
@craigfrancis craigfrancis mentioned this issue Jan 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@craigfrancis