Recently the folks from Spatie released a security update for their laravel-query-builder
package. Turns out it was vulnerable to SQL Injection.
At the core of the vulnerability is the fact that Laravel offers a shorthand for selecting only certain fields of JSON data, but that these field names do not get escaped when the shorthand is converted to a json_extract function call.
Brent has a detailed writeup on this:
Instead of manually writing json_extract, we can use the simplified -> syntax, which Laravel will convert to the correct SQL statement.

Blog::query()->addSelect('title->en');

SELECT json_extract(`title`, '$."en"') FROM blogs;

Be careful though: Laravel won’t do any escaping during this conversion. If you were to change title->en – which could come from a URL or user input – to title->en'#, you’re in …
Thankfully, by now a fix authored by Brent has landed in Laravel 5.8.11 🙂
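As an added illustration (not code from Spatie, Brent or Laravel), the snippet below shows the defence-in-depth check an application can apply on top of upgrading: a request-supplied JSON path is validated structurally and against an exact allowlist before it ever reaches addSelect. The helper name and the allowed paths are constructed for this example.

```php
<?php
// Added example, not from the Laravel or laravel-query-builder code bases:
// gate user-supplied JSON paths before they reach addSelect('title->en').

/**
 * Return the requested field only if it is a well-formed JSON path that
 * appears in the application's allowlist; otherwise throw.
 * Hypothetical helper; $allowed is a constructed sample list.
 */
function allowedJsonSelect(string $requested, array $allowed): string
{
    // Structural check: a column name followed by zero or more "->key"
    // segments, each restricted to identifier characters. Quotes, '#'
    // and other SQL-significant characters cannot pass this pattern.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(->[A-Za-z0-9_]+)*$/', $requested)) {
        throw new InvalidArgumentException("Malformed field: {$requested}");
    }

    // Exact-match allowlist: only paths the application explicitly exposes.
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException("Field not allowed: {$requested}");
    }

    return $requested;
}

// Constructed allowlist of the JSON fields this endpoint may select.
$allowed = ['title->en', 'title->nl', 'body->en'];

// A known, well-formed path passes through unchanged and is safe to hand
// to the query builder: Blog::query()->addSelect($field);
$field = allowedJsonSelect('title->en', $allowed);

// The malformed path from the writeup is rejected before any SQL is built.
try {
    allowedJsonSelect("title->en'#", $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check is a belt-and-braces measure for code that builds selects from request parameters; the escaping fix in Laravel 5.8.11 remains the primary remediation.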
Unsafe SQL functions in Laravel →
An important security release for laravel-query-builder →