AG2014-01: Potential Database Injection Vector in DB-Connected REST Services
zf-apigility contains a class,
ZF\Apigility\DbConnectedResource, used by all DB-Connected REST services for
prototyping web services that write to a database table, or for simple CRUD-style web
This class was correctly pulling data from the composed input filter, if any, for
create() operations. However, it was not doing so for
patch() operations, leading to the potential for unfiltered data to
make its way to the database.
Note, however, that this is not a SQL injection vulnerability, as database updates were still using the underlying database abstraction layer. However, in cases where values are expected to be normalized, unfiltered versions could enter the database; additionally, if any data not matching existing database columns were provided, database errors could occur.
Each of the
ZF\Apigility\DbConnectedResource class were updated to always pull data from
the composed input filter when present.
The following releases contain the fixes:
- zf-apigility 1.0.2
- Apigility (zf-apigility-skeleton) 1.0.3
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Stefano Torresi (github.com/stefanotorresi) for reporting the issue.