Welcome Guest, Not a member yet? Register   Sign In
Model::update() is dangerous
#1

The current Model::update() is very dangerous.

I created a sample vulnerable app.
https://github.com/kenjis/ci4-model-update-danger

PHP Code:
    public function update()
    {
        $id $this->request->getPost('id');

        if ($this->request->getMethod() === 'post' && $this->validate([
            'title' => 'required|min_length[3]|max_length[255]',
            'body'  => 'required',
        ])) {
            $title $this->request->getPost('title');
            $slug  url_title($title'-'true);

            $data = [
                'title' => $title,
                'slug'  => $slug,
                'body'  => $this->request->getPost('body'),
            ];
            $this->model->update($id$data);

            return $this->response->redirect(site_url('news/' $slug));
        }

        return $this->edit($id);
    

The above code has vulnerability. Do you know what's wrong?
Reply
#2

No valid ID? If empty id update all rows?
Simple CI 4 project for beginners codeigniter-expenses ( topic )
Reply
#3

There is no vulnerability here.
This is an application design error. All input data must be validated.
Reply
#4

(This post was last modified: 11-15-2022, 07:53 AM by ikesela.)

maybe can fix by making model update not allow null input as id. seen this complain on fb group ( id == null, will update all rows)
Reply
#5

haha, I just got this bug a couple of days ago. Gone to fix my model wrappers by checking id
Simple CI 4 project for beginners codeigniter-expenses ( topic )
Reply
#6

(11-15-2022, 06:21 AM)iRedds Wrote: There is no vulnerability here.
This is an application design error. All input data must be validated.

I mean vulnerability is a bug or unintended behavior that an attacker can abuse.
Reply
#7

And what solution do you propose?
Reply
#8

Okay, I wrote another controller. You cannot set $id to null. But it is still vulnerable.

https://github.com/kenjis/ci4-model-upda...#L103-L123
PHP Code:
public function postUpdate($id false)
{
    if ($this->validate([
        'title' => 'required|min_length[3]|max_length[255]',
        'body'  => 'required',
    ])) {
        $title $this->request->getVar('title');
        $slug  url_title($title'-'true);

        $data = [
            'title' => $title,
            'slug'  => $slug,
            'body'  => $this->request->getVar('body'),
        ];
        $this->model->update($id$data);

        return $this->response->redirect(site_url('news2/view/' $slug));
    }

    return $this->getEdit($id);

Reply
#9

Your passing the body into the database just using required so it will pass as long as something is in it.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#10

(11-15-2022, 11:02 PM)InsiteFX Wrote: Your passing the body into the database just using required so it will pass as long as something is in it.

Okay, I added max and min length validation rules.
https://github.com/kenjis/ci4-model-upda...hp#L16-L19
PHP Code:
    private array $rules = [
        'title' => 'required|min_length[3]|max_length[255]',
        'body'  => 'required|min_length[10]|max_length[5000]',
    ]; 
Reply




Theme © iAndrew 2016 - Forum software by © MyBB