Recently the folks from Spatie released a security update for their laravel-query-builder package. Turns out it was vulnerable to SQL Injection.
At the core of the vulnerability is the fact that Laravel offers a shorthand for querying only certain fields of JSON data, but that these do not get escaped when converted to a json_extract function.
Brent has a detailed writeup on this:
Instead of manually writing
json_extract, we can use the simplified->syntax, which Laravel will convert to the correct SQL statement.Blog::query() ->addSelect('title->en');SELECT json_extract(`title`, '$."en"') FROM blogs;Be careful though: Laravel won’t do any escaping during this conversion.
If you were to change title->en – which could come from a URL or user input – to title->en'#, you’re in …
Thankfully by now a fix authored by Brent has landed in Laravel 5.8.11 🙂
Unsafe SQL functions in Laravel →
An important security release for laravel-query-builder →