From 78a4c109e4108bdf88c15900c3c8e5cbb16ef40f Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Fri, 1 Apr 2022 09:37:07 +0200
Subject: [PATCH] validate sql_search and sql_orderby API parameters, fix unit-tests as of new default skin is 'Froxlor'
Signed-off-by: Michael Kaufmann
---
 lib/Froxlor/Api/ApiCommand.php | 20 ++++++++++++++++++++
 tests/Admins/AdminsTest.php | 2 +-
 tests/Customers/CustomersTest.php | 2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/lib/Froxlor/Api/ApiCommand.php b/lib/Froxlor/Api/ApiCommand.php
index 62f502ee..6635ddd1 100644
--- a/lib/Froxlor/Api/ApiCommand.php
+++ b/lib/Froxlor/Api/ApiCommand.php
@@ -290,6 +290,10 @@ abstract class ApiCommand extends ApiParameter
 foreach ($search as $field => $valoper) {
 if ($field == '_plainsql') {
 if (isset($valoper['sql']) && isset($valoper['values']) && is_array($valoper['values'])) {
+ if (preg_match('/^([a-z0-9\-\.,=\+_`\(\)\:\'\"\!\<\>\ ]+)$/i', $valoper['sql']) == false) {
+ // skip
+ continue;
+ }
 $condition .= $valoper['sql'];
 foreach ($valoper['values'] as $var => $value) {
 $query_fields[':' . $var] = $value;
@@ -308,6 +312,10 @@ abstract class ApiCommand extends ApiParameter
 $sortfield[$id] = $sfield;
 }
 $field = implode('.', $sortfield);
+ if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
+ // skip
+ continue;
+ }
 if (!$first) {
 $condition .= ' AND ';
 }
@@ -324,6 +332,14 @@ abstract class ApiCommand extends ApiParameter
 } elseif (strtolower($valoper['op']) == 'in' && is_array($valoper['value']) && count($valoper['value']) > 0) {
 $condition .= $field . ' ' . $valoper['op'] . ' (';
 foreach ($valoper['value'] as $incnt => $invalue) {
+ if (!is_numeric($incnt)) {
+ // skip
+ continue;
+ }
+ if (!empty($invalue) && preg_match('/^([a-z0-9\-\._`]+)$/i', $invalue) == false) {
+ // skip
+ continue;
+ }
 $condition .= ":" . $cleanfield . $incnt . ", ";
 $query_fields[':' . $cleanfield . $incnt] = $invalue ?? '';
 }
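Review bot: The `_plainsql` fragment is still concatenated into `$condition` unescaped, and the character allow-list added at the top of the `isset(...)` branch is permissive enough that this remains a raw-SQL entry point: quotes, parentheses, `=`, `<`, `>`, `-` and spaces are all accepted, so string literals, nested parenthesised expressions and `--` comment sequences pass the check. The regex narrows the surface but is not a substitute for ensuring `_plainsql` is only reachable by trusted (admin/internal) callers; whether the API layer restricts it that way is not visible in this hunk. A comment should state that intent so the next maintainer does not read the check as making the fragment safe, e.g. `// character allow-list only: this fragment is still raw SQL and must only come from trusted callers; values are bound via placeholders`. Separately, `preg_match(...) == false` conflates "no match" (0) with a PCRE error (false); `!== 1` states what is meant and the same applies to the identical comparisons in the other three hunks of this file. The enclosing foreach and the method continue outside the hunk.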
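Review bot: The identifier pattern `'/^([a-z0-9\-\._`]+)$/i'` introduced after `$field = implode('.', $sortfield);` is repeated verbatim in the `IN` value loop below and again in the `sql_orderby` hunk; it should live in one place, e.g. `private const IDENTIFIER_PATTERN = '/^([a-z0-9\-\._`]+)$/i';` or a small `private static function isSafeIdentifier(string $name): bool` helper, so the three checks cannot drift apart. The class also admits the backtick character itself, so if the `$sortfield` parts are wrapped in backticks earlier in this loop (that code is outside the hunk) a backtick inside a part could close the quoting; presumably harmless because no other SQL metacharacter is allowed, but worth confirming or simply removing the backtick from the allow-list. Placing the `continue` before `if (!$first)` is correct, since a rejected field then leaves no dangling ` AND `. The enclosing loop starts outside the hunk.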
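Review bot: `is_numeric($incnt)` in the new key check accepts keys such as `'1.5'` or `' 1'` (string array keys that PHP does not normalise to int), which then become malformed placeholder names in `':' . $cleanfield . $incnt`; `if (!is_int($incnt)) {` is the check that matches how the placeholder is built. The per-value allow-list on `$invalue` is not needed for SQL safety because the value is only ever bound through `$query_fields`, and it silently drops legitimate values containing characters such as `@` or spaces, while the `!empty()` guard exempts `'0'` from the check altogether. A further consequence of skipping inside the loop is that when every entry is skipped the condition ends with ` IN (` and no placeholders, a syntax error at execution time; the entries need to be filtered before `count($valoper['value']) > 0` is evaluated so that an empty survivor list is rejected together with the field, rather than after ` AND ` has already been appended. The separator handling after the loop is outside the hunk.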
@@ -410,6 +426,10 @@ abstract class ApiCommand extends ApiParameter
 $sortfield[$id] = $sfield;
 }
 $field = implode('.', $sortfield);
+ if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
+ // skip
+ continue;
+ }
 $by = strtoupper($by);
 if (!in_array($by, [
 'ASC',
diff --git a/tests/Admins/AdminsTest.php b/tests/Admins/AdminsTest.php
index 52d5b6a9..6c2a8492 100644
--- a/tests/Admins/AdminsTest.php
+++ b/tests/Admins/AdminsTest.php
@@ -320,7 +320,7 @@ class AdminsTest extends TestCase
 'def_language' => 'English'
 ))->update();
 $result = json_decode($json_result, true)['data'];
- $this->assertEquals('Sparkle', $result['theme']);
+ $this->assertEquals('Froxlor', $result['theme']);
 $this->assertEquals('English', $result['def_language']);
 }
diff --git a/tests/Customers/CustomersTest.php b/tests/Customers/CustomersTest.php
index 3b76bb6a..401049c5 100644
--- a/tests/Customers/CustomersTest.php
+++ b/tests/Customers/CustomersTest.php
@@ -195,7 +195,7 @@ class CustomersTest extends TestCase
 $this->assertEquals('team@froxlor.org', $result['email']);
 $this->assertEquals(1337, $result['customernumber']);
 $this->assertEquals(15, $result['subdomains']);
- $this->assertEquals('Sparkle', $result['theme']);
+ $this->assertEquals('Froxlor', $result['theme']);
 $this->assertEquals('', $result['custom_notes']);
 }
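Review bot: A `sql_orderby` entry whose field fails the new check is dropped silently, so the caller receives rows in an unspecified order with no indication that the requested sort key was ignored; the three `sql_search` hunks above use the same silent `continue`. If ignoring is intentional (best-effort ordering), the `// skip` comment should say why, e.g. `// field name contains characters outside the identifier allow-list; ignore this sort key rather than interpolate it`; otherwise throwing an exception that names the rejected parameter would make the rejection visible to API clients and in logs. Whether the ordering loop maintains a separator that this `continue` could leave dangling cannot be seen here, as the loop starts and ends outside the hunk.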