fix: [security] blind SQL injection in searchAll

- As reported by Zigrin Security
pull/151/head
Sami Mokaddem 2023-03-25 09:23:45 +01:00
parent 7df0169ecf
commit 5f1c99cd53
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
2 changed files with 2 additions and 1 deletions

View File

@ -38,6 +38,7 @@ class InstanceController extends AppController
$searchValue = $this->request->getQuery('search'); $searchValue = $this->request->getQuery('search');
$model = $this->request->getQuery('model', null); $model = $this->request->getQuery('model', null);
$limit = $this->request->getQuery('limit', 5); $limit = $this->request->getQuery('limit', 5);
$limit = is_numeric($limit) ? $limit : 5;
if (!empty($this->request->getQuery('show_all', false))) { if (!empty($this->request->getQuery('show_all', false))) {
$limit = null; $limit = null;
} }

View File

@ -81,7 +81,7 @@ class InstanceTable extends AppTable
return $statistics; return $statistics;
} }
public function searchAll($value, $user, $limit=5, $model=null) public function searchAll($value, $user, int $limit=5, $model=null)
{ {
$results = []; $results = [];
$models = $this->seachAllTables; $models = $this->seachAllTables;