-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improve validation of field names associated with SQL identifiers (CO…
…-1767)
- Loading branch information
Benn Oshrin
committed
Sep 10, 2019
1 parent
7dcb3d4
commit 09d26bf
Showing
4 changed files
with
112 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| <?php | ||
| /** | ||
| * COmanage Validation Trait, shared between Match and Registry | ||
| * | ||
| * Portions licensed to the University Corporation for Advanced Internet | ||
| * Development, Inc. ("UCAID") under one or more contributor license agreements. | ||
| * See the NOTICE file distributed with this work for additional information | ||
| * regarding copyright ownership. | ||
| * | ||
| * UCAID licenses this file to you under the Apache License, Version 2.0 | ||
| * (the "License"); you may not use this file except in compliance with the | ||
| * License. You may obtain a copy of the License at: | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| * | ||
| * @link http://www.internet2.edu/comanage COmanage Project | ||
| * @package common | ||
| * @since COmanage Common v1.0.0 | ||
| * @license Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0) | ||
| */ | ||
|
|
||
| /** | ||
| * THIS FILE IS MASTERED IN THE COMMON REPOSITORY. | ||
| */ | ||
|
|
||
| declare(strict_types = 1); | ||
|
|
||
| namespace App\Lib\Traits; | ||
|
|
||
| trait ValidationTrait { | ||
| /** | ||
| * Determine if a string submitted from a form is valid input. | ||
| * | ||
| * @since COmanage Common v1.0.0 | ||
| * @param string $value Value to validate | ||
| * @param array $context Validation context | ||
| * @return mixed True if $value validates, or an error string otherwise | ||
| */ | ||
|
|
||
| public function validateInput($value, array $context) { | ||
| // By default, we'll accept anything except < and >. Arguably, we should accept | ||
| // anything at all for input (and filter only on output), but this was agreed to | ||
| // as an extra "line of defense" against unsanitized HTML output, since there are | ||
| // currently no known cases where user-entered input should permit angle brackets. | ||
|
|
||
| // XXX we previously supported 'filter'. 'flags', and 'invalidchars' as arguments, do we still need to? | ||
| // What component are we? | ||
| $COmponent = __('product.code'); | ||
|
|
||
| // Perform a basic string search. | ||
|
|
||
| $invalid = "<>"; | ||
|
|
||
| if(strlen($value) != strcspn($value, $invalid)) { | ||
| // Mismatch, implying bad input | ||
| return __($COmponent.'.er.input.invalid'); | ||
| } | ||
|
|
||
| // We require at least one non-whitespace character (CO-1551) | ||
| if(!preg_match('/\S/', $value)) { | ||
| return __($COmponent.'.er.input.blank'); | ||
| } | ||
|
|
||
| return true; | ||
| } | ||
|
|
||
| /** | ||
| * Determine if a string submitted from a form is valid SQL identifier. | ||
| * | ||
| * @since COmanage Common v1.0.0 | ||
| * @param string $value Value to validate | ||
| * @param array $context Validation context | ||
| * @return mixed True if $value validates, or an error string otherwise | ||
| */ | ||
|
|
||
| public function validateSqlIdentifier($value, array $context) { | ||
| // What component are we? | ||
| $COmponent = __('product.code'); | ||
|
|
||
| // Valid (portable) SQL identifiers begin with a letter or underscore, and | ||
| // subsequent characters can also include digits. We'll be a little stricter | ||
| // than we need to be for now by only accepting A-Z, when in fact certain | ||
| // additional characters (like á) are also acceptable. | ||
|
|
||
| if(!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $value)) { | ||
| return __($COmponent.'.er.input.invalid'); | ||
| } | ||
|
|
||
| return true; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters