From d6ad402b31547c95280a6d8320f8f87a8f609074 Mon Sep 17 00:00:00 2001
From: Luciano Righetti
Date: Mon, 11 Sep 2023 12:35:30 +0200
Subject: [PATCH] fix: fixed invalid ordering errors

---
 app/Model/AppModel.php | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/app/Model/AppModel.php b/app/Model/AppModel.php
index d14b0717e..974c97828 100644
--- a/app/Model/AppModel.php
+++ b/app/Model/AppModel.php
@@ -3989,4 +3989,32 @@ class AppModel extends Model
         }
         return $_SERVER['REMOTE_ADDR'] ?? null;
     }
+
+    public function find($type = 'first', $query = array()) {
+        if (!empty($query['order']) && $this->validOrderClause($query['order']) === false) {
+            throw new InvalidArgumentException('Invalid order clause');
+        }
+
+        return parent::find($type, $query);
+    }
+
+    private function validOrderClause($order){
+        $pattern = '/^[\w\_\-\.\(\) ]+$/';
+        if(is_string($order) && preg_match($pattern, $order)){
+            return true;
+        }
+
+        if (is_array($order)) {
+            foreach ($order as $key => $value) {
+                if (is_string($key) && is_string($value) && preg_match($pattern, $key) && in_array(strtolower($value), ['asc', 'desc'])) {
+                    return true;
+                }
+                if(is_numeric($key) && is_string($value) && preg_match($pattern, $value)){
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
 }
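Review bot: validOrderClause() accepts an array as soon as one element passes, because both branches inside the foreach `return true` on the first match, so every later element of the order array goes unchecked and reaches parent::find() unvalidated — the check only protects single-element arrays. The loop should `continue` on a valid element, `return false` on the first invalid one, and return true only after all elements have been seen; while there, pass `true` as the third argument of `in_array` and consider `\z` or the `D` modifier instead of `$`, which matches before a trailing newline. Separately, the pattern admits parentheses and spaces, so it allows function-call syntax rather than only column names and directions; if callers rely on expressions in `order` that may be intended, otherwise a narrower column-plus-direction pattern would be safer, and callers passing nested order arrays (a value that is itself an array) will now throw, which is worth confirming against existing call sites.
```php
        if (is_array($order)) {
            foreach ($order as $key => $value) {
                if (is_string($key) && is_string($value) && preg_match($pattern, $key) && in_array(strtolower($value), ['asc', 'desc'], true)) {
                    continue;
                }
                if (is_numeric($key) && is_string($value) && preg_match($pattern, $value)) {
                    continue;
                }
                return false; // one bad element invalidates the whole clause
            }
            return $order !== []; // every element was checked
        }
        // … unchanged: string branch above, final return false …
```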