Bug Report #4497
Whitelist properties in ORM
| Status: | New | Start date: | 04/16/2012 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | Kohana v3.x - Unscheduled | | |
| Resolution: | | Points: | 1 |
Description
After the attack on github recently showed the vulnerabilities associated with having models allow all-access to their properties, the Rails community decided to lock up their models by defaulting to a whitelist way of allowing access to properties.
We should do the same. Currently, I'm sure many users do the following:
```php
// In controller action
$model = ORM::factory('model');
// Every key of the POST array is assigned to a model column
$model->values($this->request->post('model'))->save();
```
The problem here lies in the fact that a user may inject additional POST values in order to set values in the model that your application was not expecting. If you don't lock these down manually, you open yourself up to allowing a malicious user to modify SQL fields they shouldn't have access to.
A possible solution (similar to what was implemented in Rails) is to create a mandatory whitelist property where you specify the attributes of the model that can be changed using the mass setting methods (such as values).
Related issues
History
Updated by Isaiah DeRose-Wilson about 1 year ago
- Project changed from Kohana v3.x to ORM
- Category deleted (Modules:ORM)
Updated by Isaiah DeRose-Wilson about 1 year ago
- Target version changed from v3.3.0 to Unscheduled
Updated by dp de about 1 year ago
Just use
```php
// In controller action
$model = ORM::factory('model');
// Second parameter: the only columns that may be set from the POST array
$model->values($this->request->post('model'), array('allowedfield1', 'allowedfield2', '...'))->save();
```
instead of
```php
// In controller action
$model = ORM::factory('model');
$model->values($this->request->post('model'))->save();
```
I do not think there is a reason for this whitelist property. In my point of view it's better to make the second parameter of the values method required.
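As an added illustration (not code from the ticket or from Kohana), the stand-alone PHP script below contrasts the two calls shown in the description and in the comment above. The model class is a constructed stand-in that copies only the whitelist logic assumed for `ORM::values($values, $expected)`, so it runs without a Kohana install; the request data is constructed as well.

```php
<?php
// Constructed request data standing in for $this->request->post('user').
// The last two keys were not in the form; a client added them by hand.
$post = array(
    'username' => 'alice',
    'email'    => 'alice@example.com',
    'is_admin' => 1,
    'id'       => 1,
);

// Minimal stand-in for an ORM model (not Kohana's class). Its values()
// follows the ORM::values($values, $expected) behaviour assumed here:
// with no $expected list every table column except the primary key is
// writable from the input array; with a list, only those columns are.
class Model_User_Stub
{
    protected $_primary_key   = 'id';
    protected $_table_columns = array('id' => 1, 'username' => 1, 'email' => 1, 'is_admin' => 1);
    protected $_object        = array('id' => 42, 'username' => NULL, 'email' => NULL, 'is_admin' => 0);

    public function values(array $values, array $expected = NULL)
    {
        if ($expected === NULL)
        {
            // Default: expect everything except the primary key
            $expected = array_keys($this->_table_columns);
            unset($values[$this->_primary_key]);
        }
        foreach ($expected as $column)
        {
            // array_key_exists() so that an explicit NULL is still assigned
            if ( ! array_key_exists($column, $values))
                continue;
            $this->_object[$column] = $values[$column];
        }
        return $this;
    }

    public function as_array() { return $this->_object; }
}

// No whitelist: the injected is_admin key reaches the model.
$unsafe = new Model_User_Stub();
print_r($unsafe->values($post)->as_array());

// Whitelist of the fields this form may set: is_admin and id are dropped.
$safe = new Model_User_Stub();
print_r($safe->values($post, array('username', 'email'))->as_array());
```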