Laravel Security Advisory - January 13 2021
Kane Cohen • January 13, 2021laravel security
All versions below 6.20.12, 7.30.3, 8.22.1
The issue has been fixed in versions listed 6.20.12, 7.30.3, 8.22.1 and higher.
Laravel database query builder as part of its
where and similar methods accepts two parameters -
name of a column and a
value which provided column should contain. Issue comes from the
value parameter which accepts an array as possible input. When an array is added - laravel query builder takes all items from it and uses them in a given order as database binding parameters. Finally, when constructed query is executed it takes all provided binding parameters as is which leads to a possibility where items from an array value will be used as values for other parts of the query thus leaking of unintended data.
Example of a problematic query:
// HTTP Request Query: https://laravel.com/users?id=1&id=1 $id = Request::input('id'); User::where('id', $id)->where('is_admin', 0)->first(); // This could lead to a query where "is_admin" column is set to 1.
where-like queries will use only the first item if an array is used as a value parameter.