Skip to content

SQL queries constructed with string concatenation [security] #15040

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 26, 2025
Merged

SQL queries constructed with string concatenation [security] #15040

merged 1 commit into from
May 26, 2025

Conversation

levente999
Copy link
Contributor

Q A
Bug fix? (use the a.b branch) ✔️
New feature/enhancement? (use the a.x branch)
Deprecations?
BC breaks? (use the c.x branch)
Automated tests included?

Description

Some SQL query strings are built using potentially unsafe string concatenation rather than parameter binding.

In \Mautic\CampaignBundle\Entity\LeadEventLogRepository::getChartQuery(), several query conditions are built using direct string concatenation and manual quoting, both of which are potentially unsafe. For example:

$query->andwhere("e.channel = '".$options['channel']."'");
This has the potential for problems if the value in $options['channel'] contains single quotes or other metacharacters. It is difficult to work backwards reliably from such a condition string to form a query constraint; It's much safer to give Doctrine the parameter separately, allowing it to escape, quote, and bind the value safely, so this would become:

$query->andWhere('e.channel = :channel')
->setParameter('channel', $options['channel']) |
This pattern appears in several other places.

We did not investigate whether it's possible to exploit this, and these specific cases may be sanitised or made safe somewhere upstream of this method call, but this string concatenation approach is something that should be avoided in general.

Impact

Some submitted values could open the way to SQL injection or unexpected errors.

@codecov Codecov
Copy link

codecov bot commented May 23, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 75.71429% with 17 lines in your changes missing coverage. Please review.

Project coverage is 63.68%. Comparing base (7ed210c) to head (44ad72b).
Report is 262 commits behind head on 5.2.

Files with missing lines Patch % Lines
...s/CampaignBundle/Entity/LeadEventLogRepository.php 50.00% 7 Missing ⚠️
...p/bundles/CoreBundle/Entity/AuditLogRepository.php 0.00% 6 Missing ⚠️
app/bundles/PageBundle/Entity/HitRepository.php 55.55% 4 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##                5.2   #15040      +/-   ##
============================================
+ Coverage     63.45%   63.68%   +0.23%     
- Complexity    34635    34676      +41     
============================================
  Files          2273     2274       +1     
  Lines        103603   103754     +151     
============================================
+ Hits          65739    66079     +340     
+ Misses        37864    37675     -189
Files with missing lines Coverage Δ
.../bundles/AssetBundle/Entity/DownloadRepository.php 25.96% <100.00%> (+1.45%) ⬆️
...es/ChannelBundle/Entity/MessageQueueRepository.php 73.68% <100.00%> (+26.41%) ⬆️
...les/DynamicContentBundle/Entity/StatRepository.php 29.50% <100.00%> (+1.17%) ⬆️
app/bundles/EmailBundle/Entity/StatRepository.php 46.92% <100.00%> (+3.96%) ⬆️
app/bundles/FormBundle/Entity/FormRepository.php 70.00% <100.00%> (+0.27%) ⬆️
...bundles/FormBundle/Entity/SubmissionRepository.php 59.84% <100.00%> (+0.30%) ⬆️
...es/LeadBundle/Entity/PointsChangeLogRepository.php 66.66% <100.00%> (+2.38%) ⬆️
...es/LeadBundle/Entity/StagesChangeLogRepository.php 46.42% <100.00%> (+4.12%) ⬆️
...p/bundles/PageBundle/Entity/VideoHitRepository.php 41.46% <100.00%> (+1.46%) ⬆️
app/bundles/SmsBundle/Entity/StatRepository.php 34.61% <100.00%> (+0.84%) ⬆️
... and 3 more

... and 58 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@levente999 levente999 requested a review from escopecz May 23, 2025 11:45
@levente999 levente999 changed the title refactor SQL query SQL queries constructed with string concatenation [security] May 23, 2025
escopecz
escopecz approved these changes May 23, 2025
View reviewed changes
Copy link
Member

@escopecz escopecz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any issues in the code 👍

@escopecz escopecz added bug Issues or PR's relating to bugs pending-test-confirmation PR's that require one test before they can be merged code-review-passed PRs which have passed code review labels May 23, 2025
@escopecz escopecz added this to the 5.2.6 milestone May 23, 2025
matbcvo
matbcvo approved these changes May 26, 2025
View reviewed changes
Copy link
Contributor

@matbcvo matbcvo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tested the PR and found no issues.

@matbcvo matbcvo added user-testing-passed PRs which have been successfully tested by the required number of people. ready-to-commit PR's with 2 successful tests, 1 approval, automated tests and docs and is ready to be merged and removed pending-test-confirmation PR's that require one test before they can be merged labels May 26, 2025
nick-vanpraet
nick-vanpraet approved these changes May 26, 2025
View reviewed changes
Copy link
Contributor

@nick-vanpraet nick-vanpraet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked the code, seems good. There are a few ->expr()->literal calls that were added that should be further transformed into full parameters but it's already better than it was before

@nick-vanpraet nick-vanpraet merged commit bcf114f into mautic:5.2 May 26, 2025
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matbcvo matbcvo matbcvo approved these changes

@escopecz escopecz escopecz approved these changes

@nick-vanpraet nick-vanpraet nick-vanpraet approved these changes

Assignees
No one assigned
Labels
bug Issues or PR's relating to bugs code-review-passed PRs which have passed code review ready-to-commit PR's with 2 successful tests, 1 approval, automated tests and docs and is ready to be merged user-testing-passed PRs which have been successfully tested by the required number of people.
Projects
None yet
Milestone
5.2.6
Development

Successfully merging this pull request may close these issues.
4 participants
@levente999 @matbcvo @escopecz @nick-vanpraet