White list sortexpression for sql injection

programcsharp · programcsharp · commit 1abc1de74b08 · 2020-06-02T10:28:13.000-07:00
# Conflicts:
#	Build/CommonAssemblyInfo.cs
diff --git a/Build/CommonAssemblyInfo.cs b/Build/CommonAssemblyInfo.cs
@@ -15,6 +15,6 @@
 //
 // You can specify all the values or you can default the Revision and Build Numbers
 // by using the '*' as shown below:
-[assembly: AssemblyVersion("3.3.1")]
-[assembly: AssemblyFileVersion("3.3.1")]
+[assembly: AssemblyVersion("3.3.2")]
+[assembly: AssemblyFileVersion("3.3.2")]
 //[assembly: AssemblyInformationalVersion("2.5-filters")]
diff --git a/Griddly.Mvc/GriddlyResult.cs b/Griddly.Mvc/GriddlyResult.cs
@@ -68,12 +68,18 @@ public override void ExecuteResult(ControllerContext context)
             }
 
             var griddlyContext = context.Controller.GetOrCreateGriddlyContext();
-            GriddlySettings settings = null;
+            GriddlySettings settings = GriddlySettingsResult.GetSettings(context, ViewName);
 
-            if (context.IsChildAction)
+            if (griddlyContext.SortFields?.Length > 0)
             {
-                settings = GriddlySettingsResult.GetSettings(context, ViewName);
+                // white list for sql injection
+                griddlyContext.SortFields = griddlyContext.SortFields
+                    .Where(x => settings.Columns.Any(y => y.ExpressionString == x.Field))
+                    .ToArray();
+            }
 
+            if (context.IsChildAction)
+            {
                 GriddlySettings.OnGriddlyResultExecuting?.Invoke(settings, context);
 
                 // TODO: should we always pull sort fields?
@@ -101,7 +107,6 @@ public override void ExecuteResult(ControllerContext context)
                     Total = GetCount(),
                     PageSize = griddlyContext.PageSize,
                     SortFields = griddlyContext.SortFields,
-                    Settings = settings,
                     PopulateSummaryValues = PopulateSummaryValues
                 };
 
@@ -127,8 +132,6 @@ public override void ExecuteResult(ControllerContext context)
             }
             else
             {
-                settings = GriddlySettingsResult.GetSettings(context, ViewName);
-
                 settings.Columns.RemoveAll(x => x is GriddlySelectColumn);
 
                 ActionResult result;
diff --git a/Griddly.Mvc/GriddlyResultPage.cs b/Griddly.Mvc/GriddlyResultPage.cs
@@ -16,8 +16,6 @@ public class GriddlyResultPage
 
         public int PageSize { get; set; }
 
-        public GriddlySettings Settings { get; set; }
-
         public Action<GriddlySettings> PopulateSummaryValues { get; set; }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,6 @@ public class GriddlyResultPage`
`16`	`16`
`17`	`17`	`public int PageSize { get; set; }`
`18`	`18`
`19`		`- public GriddlySettings Settings { get; set; }`
`20`		`-`
`21`	`19`	`public Action<GriddlySettings> PopulateSummaryValues { get; set; }`
`22`	`20`	`}`
`23`	`21`