The popular package Laravel-query-builder has released a new security update fixing a serious SQL injection vulnerability.
laravel-query-builder lets developers filter, sort and include Eloquent (Laravel ORM) relations based on a request. The
QueryBuilder used in this package extends Laravel's default Eloquent builder.
- Attack Risk: Critical / Remote
- Vulnerability: SQL Injection
- Vendor: Spatie/laravel-query-builder
- Language: PHP
- Patched version: 1.16.1 / 1.17.1
Due to the way the Laravel builder parses the sort string into a query, a hacker can leverage this to attack the application with an SQL injection attack (more about SQL injection attacks here). See the official advisory here.
The package parses the request URL to add filters and sorts to queries.
For example, suppose you want to sort the articles by title:
You may use code like the one below to let the package sort automatically:
use Spatie\QueryBuilder\QueryBuilder;

$articles = QueryBuilder::for(Article::class)->get();
This will be translated into:
And the underlying SQL query will be:
select * from `articles` order by `title` asc
So far nothing is wrong, but a hacker can take advantage of this transformation to perform an SQL injection attack on your database.
The hacker changes the URL to this:
Guess what! Because Laravel supports queries on JSON fields, it assumes you want to query the JSON path "title->", so it replaces -> with MySQL JSON functions. Here the hacker closes the function brackets "))" and appends the injected SQL.
Here is what the final SQL query will look like:
select * from articles order by json_unquote(json_extract(title, '$.""'))#injectedSQL"')) asc
Now, instead of the injectedSQL comment, the hacker can insert an SQL injection payload!
- If you use Laravel 5.6, 5.7 or 5.8 upgrade Laravel-query-builder to v1.17.1.
- If you use Laravel 5.5 upgrade the package to v1.16.1.
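Independently of upgrading, the defensive principle behind the fix is that a sort column taken from the request must be validated against an explicit allowlist before it reaches the query builder. The following is an added example written for this post, not code from the spatie package; it models the package's ?sort= convention (comma-separated fields, leading "-" for descending, an assumption about the package's URL format) and rejects the JSON-path style value shown above before any SQL is built.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Strict identifier rule: letters, digits and underscore only. Anything else,
# including the "->" JSON-path operator that triggers the json_extract()
# expansion described in the post, is rejected before reaching the builder.
IDENTIFIER = re.compile(r"^[A-Za-z0-9_]{1,64}$")


class InvalidSortError(ValueError):
    """Raised when ?sort= names a column the controller did not allow."""


def parse_sort_param(url: str) -> list[tuple[str, str]]:
    """Split ?sort=a,-b into [('a', 'asc'), ('b', 'desc')].

    Assumed convention (modelled on the package): a leading '-' means
    descending order; fields are comma-separated.
    """
    raw = parse_qs(urlsplit(url).query).get("sort", [""])[0]
    sorts = []
    for field in filter(None, raw.split(",")):
        if field.startswith("-"):
            sorts.append((field[1:], "desc"))
        else:
            sorts.append((field, "asc"))
    return sorts


def build_order_by(url: str, allowed_sorts: set[str]) -> str:
    """Return the ORDER BY clause for the request, or raise InvalidSortError.

    Every column must be on the allowlist AND match IDENTIFIER; the second
    check is a safety net in case someone allowlists a value like 'title->x'.
    """
    clauses = []
    for column, direction in parse_sort_param(url):
        if column not in allowed_sorts or not IDENTIFIER.match(column):
            raise InvalidSortError(f"sort column not allowed: {column!r}")
        clauses.append(f"`{column}` {direction}")
    return "order by " + ", ".join(clauses) if clauses else ""


def is_sort_safe(url: str, allowed_sorts: set[str]) -> bool:
    """Boolean form, handy for screening captured request URLs in logs."""
    try:
        build_order_by(url, allowed_sorts)
        return True
    except InvalidSortError:
        return False
```

A request carrying the value from the post (title->"))#injectedSQL, with # URL-encoded as %23) fails the allowlist check and never produces a query.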
Am I at Risk?
Shieldfy customers are already protected against SQL Injection attacks.
Regarding this specific issue, our dev team is currently working on adding automatic detection of this vulnerability.
If you are not a Shieldfy user, give us a try (https://shieldfy.io) to prevent future incidents.