Laravel Security Advisory - January 13 2021
Kane Cohen • January 13, 2021
Affected versions
All versions below 6.20.12, 7.30.3 and 8.22.1.
The issue is fixed in 6.20.12, 7.30.3 and 8.22.1 and higher.
Description
The Laravel query builder's where method (and the similar methods built on it) takes two parameters: the name of a column and the value that column must match. The problem is in the value parameter, which also accepted an array. When an array was passed, the builder merged every element of it, in order, into the query's positional binding list while emitting only a single ? placeholder for that clause. Bindings are applied positionally when the query executes, so the surplus elements are consumed by the placeholders of later clauses: whoever controls the value can also supply the values compared against other columns, and the query returns rows the application never intended to expose. How a surplus binding is handled is up to the database driver; where the extra parameter is not rejected, the remaining values shift as described.
Example of a problematic query:
// HTTP request: https://laravel.com/users?id[]=1&id[]=1
// PHP parses the repeated id[] key into an array: ['1', '1']
$id = Request::input('id');
User::where('id', $id)->where('is_admin', 0)->first();
// Compiled SQL: select * from users where id = ? and is_admin = ? limit 1
// Bindings on affected versions: ['1', '1', 0]
// The second array element is bound to the is_admin placeholder and the intended 0 is left over,
// so the query can match a user with is_admin = 1 instead of 0.
Resolution
All where-like methods now bind only the first element when an array is passed as the value parameter, so the number of bindings matches the number of placeholders.
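The following script is an added example, not code from the advisory or from Laravel itself. It reproduces the request from the advisory against Laravel's query builder, shows how to check whether the installed framework merges the array into the bindings (affected) or binds only its first element (fixed), and then shows the two handlings a practitioner should use regardless of version: rejecting non-scalar input before it reaches the builder, and using whereIn when a list of ids is actually intended. It assumes the standalone illuminate/database package is installed with Composer and uses an in-memory SQLite database, so it runs offline; the table rows, the request string and the requireScalar helper are constructed for this example.

```php
<?php
// Added example, not code from the advisory or from Laravel. Assumes
// illuminate/database is installed via Composer and pdo_sqlite is available.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:', 'prefix' => '']);
$capsule->setAsGlobal();

// Constructed table: user 1 is the administrator, user 2 is not.
Capsule::schema()->create('users', function ($table) {
    $table->increments('id');
    $table->string('name');
    $table->boolean('is_admin')->default(false);
});
Capsule::table('users')->insert([
    ['name' => 'root',  'is_admin' => true],
    ['name' => 'alice', 'is_admin' => false],
]);

// The request from the advisory: PHP turns repeated "id[]" keys into an array,
// which is what Request::input('id') would hand to the query builder.
parse_str('id[]=1&id[]=1', $request);
$id = $request['id'];                      // ['1', '1']

// 1. Check the installed framework. The SQL has two placeholders either way;
//    the binding list shows whether the array was merged (affected) or
//    reduced to its first element (fixed).
$query = Capsule::table('users')->where('id', $id)->where('is_admin', 0);
echo $query->toSql(), "\n";                // select * from "users" where "id" = ? and "is_admin" = ?
echo json_encode($query->getBindings()), "\n";
// affected versions: ["1","1",0]  the second "1" lands on the is_admin placeholder
// fixed versions:    ["1",0]
$affected = count($query->getBindings()) !== 2;
echo $affected ? "installed version is affected\n" : "installed version binds one value per placeholder\n";

// 2. Hardened handling: reject non-scalar input before it reaches the builder
//    instead of relying on the framework to discard surplus elements.
//    requireScalar() is a hypothetical helper written for this example.
function requireScalar(string $name, $value): string
{
    if (! is_scalar($value)) {
        throw new InvalidArgumentException("'$name' must be a single value, got " . gettype($value));
    }
    return (string) $value;
}

try {
    $user = Capsule::table('users')
        ->where('id', requireScalar('id', $id))
        ->where('is_admin', 0)
        ->first();
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: 'id' must be a single value, got array
}

// 3. When a list of ids is genuinely expected, say so with whereIn(): the
//    grammar emits one placeholder per element, so bindings cannot shift.
$list = Capsule::table('users')
    ->whereIn('id', array_map('intval', $id))
    ->where('is_admin', 0);
echo $list->toSql(), "\n";                 // select * from "users" where "id" in (?, ?) and "is_admin" = ?
echo $list->count(), " non-admin user(s) matched\n";   // 0: user 1 is the admin
```

The vulnerable query is only compiled, never executed, because how a database driver reacts to more bound values than placeholders varies (some reject the statement, some apply the values positionally), and the point is visible in getBindings() alone. Note that a fixed framework still silently accepts the array and uses its first element, so the application-level check remains the right fix; in a full Laravel application, $request->validate(['id' => 'required|integer']) achieves the same thing, since the integer rule rejects array input.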