Laravel Security Advisory - January 13 2021

Kane Cohen • January 13, 2021

laravel security

Affected versions

All versions below 6.20.12, 7.30.3 and 8.22.1 on their respective release branches.

The issue has been fixed in versions 6.20.12, 7.30.3, 8.22.1 and higher.

Description

The Laravel database query builder's where method, and similar methods, accept two parameters: the name of a column and the value that column should contain. The issue comes from the value parameter, which also accepts an array. When an array is passed, the query builder takes every item from it and adds them, in the given order, to the query's binding parameters. When the constructed query is executed, those binding parameters are consumed as-is, so items from the array value can end up as the values for other parts of the query, leaking unintended data.

Example of a problematic query:

// HTTP Request Query: https://laravel.com/users?id[]=1&id[]=1
$id = Request::input('id'); // ['1', '1'] - an array, not a single value
// Both array items are added to the bindings ahead of the 0 for "is_admin",
// so the bindings become ['1', '1', 0] for the two placeholders in the query.
User::where('id', $id)->where('is_admin', 0)->first();
// This could lead to a query where "is_admin" is compared against 1 instead of 0.

Resolution

All where-like methods now use only the first item when an array is passed as the value parameter.
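The binding shift described in the Description, and the effect of the Resolution, reproduced as an added example that is not Laravel's code: a hypothetical stand-in for the builder's where() is run against a constructed in-memory SQLite table, first flattening array values into the bindings (pre-fix) and then binding only the first item (patched). Bindings are assumed to be consumed positionally, the first N values filling the N placeholders.

```python
import sqlite3

# Constructed sample data: user 1 is an admin, user 2 is not.
SAMPLE_USERS = [(1, 1), (2, 0)]


def open_sample_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_where(conditions, fixed):
    """Compile (column, value) pairs into a WHERE clause and a flat binding list.

    fixed=False: every element of an array value is appended to the bindings
    (the pre-fix behaviour the advisory describes).
    fixed=True: only the first element is bound (6.20.12 / 7.30.3 / 8.22.1).
    """
    clauses, bindings = [], []
    for column, value in conditions:
        clauses.append(f"{column} = ?")
        if isinstance(value, list):
            bindings.extend([value[0]] if fixed else value)
        else:
            bindings.append(value)
    return " AND ".join(clauses), bindings


def find_users(conn, conditions, fixed):
    """Run the compiled query. Bindings are consumed positionally: the first N
    values fill the N placeholders and any surplus is never used."""
    where, bindings = build_where(conditions, fixed)
    sql = f"SELECT id, is_admin FROM users WHERE {where}"
    return conn.execute(sql, bindings[: where.count("?")]).fetchall()


def demo():
    conn = open_sample_db()
    request_id = ["1", "1"]  # constructed: /users?id[]=1&id[]=1 parsed as strings
    conditions = [("id", request_id), ("is_admin", 0)]
    leaked = find_users(conn, conditions, fixed=False)  # is_admin bound to "1"
    safe = find_users(conn, conditions, fixed=True)     # is_admin bound to 0
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("pre-fix:", leaked)  # [(1, 1)] -> the admin row leaks
    print("patched:", safe)    # [] -> user 1 is an admin, so no match
```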