Security context
MediumGHSA-rj3w-99gc-8j58 CWE-20Published May 15, 2024

Laravel Risk of mass-assignment vulnerabilities

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

4.0.0 → fixed in 4.1.29

Details

Laravel 4.1.29 improves the column quoting for all database drivers. This protects your application from some mass assignment vulnerabilities when not using the fillable property on models. If you are using the fillable property on your models to protect against mass assignment, your application is not vulnerable. However, if you are using guarded and are passing a user controlled array into an "update" or "save" type function, you should upgrade to 4.1.29 immediately as your application may be at risk of mass assignment.

The fix

Make column quoting more robust for greater security when

Taylor Otwell· May 20, 2014, 01:21 PM+4250c942a1bc30
src/Illuminate/Database/Grammar.php+3 1
@@ -83,7 +83,9 @@ public function wrap($value)
*/
protected function wrapValue($value)
{
- return $value !== '*' ? sprintf($this->wrapper, $value) : $value;
+ if ($value === '*') return $value;
+
+ return '"'.str_replace('"', '""', $value).'"';
}
/**
src/Illuminate/Database/Query/Grammars/Grammar.php+0 7
@@ -5,13 +5,6 @@
class Grammar extends BaseGrammar {
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '"%s"';
-
/**
* The components that make up a select clause.
*
src/Illuminate/Database/Query/Grammars/MySqlGrammar.php+13 7
@@ -4,13 +4,6 @@
class MySqlGrammar extends Grammar {
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '`%s`';
-
/**
* The components that make up a select clause.
*
@@ -99,4 +92,17 @@ public function compileUpdate(Builder $query, $values)
return rtrim($sql);
}
+ /**
+ * Wrap a single string in keyword identifiers.
+ *
+ * @param string $value
+ * @return string
+ */
+ protected function wrapValue($value)
+ {
+ if ($value === '*') return $value;
+
+ return '`'.str_replace('`', '``', $value).'`';
+ }
+
}
src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php+13 7
@@ -15,13 +15,6 @@ class SqlServerGrammar extends Grammar {
'&', '&=', '|', '|=', '^', '^=',
);
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '[%s]';
-
/**
* Compile a select query into SQL.
*
@@ -217,4 +210,17 @@ public function getDateFormat()
return 'Y-m-d H:i:s.000';
}
+ /**
+ * Wrap a single string in keyword identifiers.
+ *
+ * @param string $value
+ * @return string
+ */
+ protected function wrapValue($value)
+ {
+ if ($value === '*') return $value;
+
+ return '['.str_replace(']', ']]', $value).']';
+ }
+
}
src/Illuminate/Database/Schema/Grammars/MySqlGrammar.php+13 7
@@ -6,13 +6,6 @@
class MySqlGrammar extends Grammar {
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '`%s`';
-
/**
* The possible column modifiers.
*
@@ -574,4 +567,17 @@ protected function modifyAfter(Blueprint $blueprint, Fluent $column)
}
}
+ /**
+ * Wrap a single string in keyword identifiers.
+ *
+ * @param string $value
+ * @return string
+ */
+ protected function wrapValue($value)
+ {
+ if ($value === '*') return $value;
+
+ return '`'.str_replace('`', '``', $value).'`';
+ }
+
}
src/Illuminate/Database/Schema/Grammars/PostgresGrammar.php+0 7
@@ -5,13 +5,6 @@
class PostgresGrammar extends Grammar {
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '"%s"';
-
/**
* The possible column modifiers.
*
src/Illuminate/Database/Schema/Grammars/SQLiteGrammar.php+0 7
@@ -6,13 +6,6 @@
class SQLiteGrammar extends Grammar {
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '"%s"';
-
/**
* The possible column modifiers.
*
src/Illuminate/Database/Schema/Grammars/SqlServerGrammar.php+0 7
@@ -5,13 +5,6 @@
class SqlServerGrammar extends Grammar {
- /**
- * The keyword identifier wrapper format.
- *
- * @var string
- */
- protected $wrapper = '"%s"';
-
/**
* The possible column modifiers.
*
More files changed — see the full commit.

References