Login

***kenjis*** · 11-15-2022, 12:36 AM

The current Model::update() is very dangerous.

I created a sample vulnerable app.
https://github.com/kenjis/ci4-model-update-danger

PHP Code:
    public function update()
    {
        $id = $this->request->getPost('id');

        if ($this->request->getMethod() === 'post' && $this->validate([
            'title' => 'required|min_length[3]|max_length[255]',
            'body'  => 'required',
        ])) {
            $title = $this->request->getPost('title');
            $slug  = url_title($title, '-', true);

            $data = [
                'title' => $title,
                'slug'  => $slug,
                'body'  => $this->request->getPost('body'),
            ];
            $this->model->update($id, $data);

            return $this->response->redirect(site_url('news/' . $slug));
        }

        return $this->edit($id);
    } 

The above code has vulnerability. Do you know what's wrong?

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

**ozornick** · 11-15-2022, 01:46 AM

No valid ID? If empty id update all rows?

iRedds · 11-15-2022, 06:21 AM

There is no vulnerability here.
This is an application design error. All input data must be validated.

ikesela · 11-15-2022, 07:51 AM

maybe can fix by making model update not allow null input as id. seen this complain on fb group ( id == null, will update all rows)

**ozornick** · 11-15-2022, 08:07 AM

haha, I just got this bug a couple of days ago. Gone to fix my model wrappers by checking id

***kenjis*** · 11-15-2022, 04:45 PM

(11-15-2022, 06:21 AM)iRedds Wrote: There is no vulnerability here.
This is an application design error. All input data must be validated.

I mean vulnerability is a bug or unintended behavior that an attacker can abuse.

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

iRedds · 11-15-2022, 09:12 PM

And what solution do you propose?

***kenjis*** · 11-15-2022, 10:45 PM

Okay, I wrote another controller. You cannot set $id to null. But it is still vulnerable.

https://github.com/kenjis/ci4-model-upda...#L103-L123

PHP Code:
public function postUpdate($id = false)
{
    if ($this->validate([
        'title' => 'required|min_length[3]|max_length[255]',
        'body'  => 'required',
    ])) {
        $title = $this->request->getVar('title');
        $slug  = url_title($title, '-', true);

        $data = [
            'title' => $title,
            'slug'  => $slug,
            'body'  => $this->request->getVar('body'),
        ];
        $this->model->update($id, $data);

        return $this->response->redirect(site_url('news2/view/' . $slug));
    }

    return $this->getEdit($id);
} 

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

**InsiteFX** · 11-15-2022, 11:02 PM

Your passing the body into the database just using required so it will pass as long as something is in it.

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

***kenjis*** · 11-16-2022, 05:07 AM

(11-15-2022, 11:02 PM)InsiteFX Wrote: Your passing the body into the database just using required so it will pass as long as something is in it.

Okay, I added max and min length validation rules.
https://github.com/kenjis/ci4-model-upda...hp#L16-L19

PHP Code:
    private array $rules = [
        'title' => 'required|min_length[3]|max_length[255]',
        'body'  => 'required|min_length[10]|max_length[5000]',
    ]; 

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper