HYPERFLEET-1259 - fix: SQL injection protection and allowlist for orderBy

ma-hill · ma-hill · commit 56369d72b501 · 2026-06-25T12:32:12.000-04:00
diff --git a/pkg/db/sql_helpers.go b/pkg/db/sql_helpers.go
@@ -553,49 +553,74 @@ func IdentWalk(n *tsl.Node, check func(string) (string, error)) (*tsl.Node, erro
 	}
 }
 
-// cleanOrderBy takes the orderBy arg and cleans it.
-func cleanOrderBy(userArg string, disallowedFields map[string]string) (orderBy string, err *errors.ServiceError) {
-	var orderField string
+// orderByAllowedFields defines the whitelist of fields that are allowed to be ordered.
+// This prevents SQL injection and restricts invalid orderBy queries.
+var orderByAllowedFields = map[string]bool{
+	"id":           true,
+	"name":         true,
+	"created_time": true,
+	"updated_time": true,
+	"deleted_time": true,
+	"kind":         true,
+	"created_by":   true,
+	"updated_by":   true,
+	"deleted_by":   true,
+	"generation":   true,
+	"href":         true,
+}
 
-	trimedName := strings.Trim(userArg, " ")
+// orderByPattern matches valid orderBy syntax: field name (letters, digits, underscore) followed by optional asc/desc.
+// This regex rejects SQL injection attempts (semicolons, parentheses, dashes, comments, etc).
+var orderByPattern = regexp.MustCompile(`^[a-z_][a-z_]*(\s+(asc|desc))?$`)
+
+// ArgsToOrderBy validates and cleans orderBy arguments against the allowed fields whitelist.
+// Returns a cleaned list of orderBy clauses in the format ["field direction", ...]
+// Empty or whitespace-only strings are silently skipped.
+func ArgsToOrderBy(args []string) (cleanedOrderByList []string, err *errors.ServiceError) {
+	for _, val := range args {
+		// Accept args with trailing and leading spaces
+		trimVal := strings.TrimSpace(val)
+
+		// Skip empty strings silently
+		if trimVal == "" {
+			continue
+		}
 
-	order := strings.Split(trimedName, " ")
-	direction := "none valid"
+		// Check for SQL injection attempts before parsing
+		if !orderByPattern.MatchString(trimVal) {
+			return nil, errors.BadRequest("invalid orderBy format '%s': expected 'field' or 'field asc|desc'", val)
+		}
 
-	if len(order) == 1 {
-		orderField, err = getField(order[0], disallowedFields)
-		direction = "asc"
-	} else if len(order) == 2 {
-		orderField, err = getField(order[0], disallowedFields)
-		direction = order[1]
-	}
-	if err != nil || (direction != "asc" && direction != "desc") {
-		err = errors.BadRequest("bad order value '%s'", userArg)
-		return
-	}
+		// Each OrderBy can be "<field-name>" or "<field-name> asc|desc"
+		splitVal := strings.Fields(trimVal)
+		lenVal := len(splitVal)
 
-	orderBy = fmt.Sprintf("%s %s", orderField, direction)
-	return
-}
+		var field, direction string
 
-// ArgsToOrderBy returns cleaned orderBy list.
-func ArgsToOrderBy(
-	orderByArgs []string,
-	disallowedFields map[string]string,
-) (orderBy []string, err *errors.ServiceError) {
-	var order string
-	if len(orderByArgs) != 0 {
-		orderBy = []string{}
-		for _, o := range orderByArgs {
-			order, err = cleanOrderBy(o, disallowedFields)
-			if err != nil {
-				return
+		switch lenVal {
+		case 2:
+			field = splitVal[0]
+			direction = splitVal[1]
+			if direction != "asc" && direction != "desc" {
+				return nil, errors.BadRequest("invalid sort direction '%s': must be 'asc' or 'desc'", direction)
 			}
+		case 1:
+			field = splitVal[0]
+			direction = "asc"
+		default:
+			return nil, errors.BadRequest("invalid orderBy format '%s': expected 'field' or 'field asc|desc'", val)
+		}
 
-			orderBy = append(orderBy, order)
+		// Validate field against allowedFields
+		if !orderByAllowedFields[field] {
+			return nil, errors.BadRequest("field '%s' is not allowed for ordering", field)
 		}
+
+		cleanedValue := fmt.Sprintf("%s %s", field, direction)
+		cleanedOrderByList = append(cleanedOrderByList, cleanedValue)
 	}
-	return
+
+	return cleanedOrderByList, nil
 }
 
 func GetTableName(g2 *gorm.DB) string {
diff --git a/pkg/db/sql_helpers_test.go b/pkg/db/sql_helpers_test.go
@@ -834,3 +834,167 @@ func TestConditionStatusValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestArgsToOrderBy(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name          string
+		errorContains string
+		input         []string
+		expected      []string
+		expectError   bool
+	}{
+		{
+			name:     "single field with asc",
+			input:    []string{"name asc"},
+			expected: []string{"name asc"},
+		},
+		{
+			name:     "single field with desc",
+			input:    []string{"created_time desc"},
+			expected: []string{"created_time desc"},
+		},
+		{
+			name:     "single field without direction defaults to asc",
+			input:    []string{"created_time"},
+			expected: []string{"created_time asc"},
+		},
+		{
+			name:     "multiple fields",
+			input:    []string{"name asc", "created_time desc"},
+			expected: []string{"name asc", "created_time desc"},
+		},
+		{
+			name:     "field with extra spaces",
+			input:    []string{"  name   asc  "},
+			expected: []string{"name asc"},
+		},
+		{
+			name:     "field with tabs and spaces",
+			input:    []string{"name  \t  desc"},
+			expected: []string{"name desc"},
+		},
+		{
+			name:     "all allowed fields",
+			input:    []string{"id", "name", "created_time", "updated_time", "kind"},
+			expected: []string{"id asc", "name asc", "created_time asc", "updated_time asc", "kind asc"},
+		},
+		{
+			name:          "invalid direction",
+			input:         []string{"name ascending"},
+			expectError:   true,
+			errorContains: "invalid orderBy format",
+		},
+		{
+			name:          "SQL injection attempt - semicolon",
+			input:         []string{"name; DROP TABLE resources"},
+			expectError:   true,
+			errorContains: "invalid orderBy format",
+		},
+		{
+			name:          "SQL injection attempt - comment",
+			input:         []string{"name-- asc"},
+			expectError:   true,
+			errorContains: "invalid orderBy format",
+		},
+		{
+			name:     "empty string in array is skipped",
+			input:    []string{""},
+			expected: nil,
+		},
+		{
+			name:     "empty string in array with field at end",
+			input:    []string{"", "", "", "", "", "kind asc", "href desc"},
+			expected: []string{"kind asc", "href desc"},
+		},
+		{
+			name:     "whitespace only string is skipped",
+			input:    []string{"   "},
+			expected: nil,
+		},
+		{
+			name:     "mixed valid and empty strings and tabs",
+			input:    []string{"name asc", "", "created_time desc", "   ", "\t"},
+			expected: []string{"name asc", "created_time desc"},
+		},
+		{
+			name:          "mixed valid and invalid field",
+			input:         []string{"created_time desc", "name", "wrong_field"},
+			expectError:   true,
+			errorContains: "not allowed for ordering",
+		},
+		{
+			name:          "field not in whitelist",
+			input:         []string{"custom_field asc"},
+			expectError:   true,
+			errorContains: "not allowed for ordering",
+		},
+		{
+			name:     "deleted_time field",
+			input:    []string{"deleted_time desc"},
+			expected: []string{"deleted_time desc"},
+		},
+		{
+			name:     "generation field",
+			input:    []string{"generation asc"},
+			expected: []string{"generation asc"},
+		},
+		{
+			name:          "too many parts",
+			input:         []string{"name asc extra"},
+			expectError:   true,
+			errorContains: "invalid orderBy format",
+		},
+		{
+			name:     "empty array",
+			input:    []string{},
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			RegisterTestingT(t)
+
+			result, err := ArgsToOrderBy(tt.input)
+
+			if tt.expectError {
+				Expect(err).ToNot(BeNil(), "expected error but got nil")
+				if tt.errorContains != "" {
+					Expect(err.Reason).To(ContainSubstring(tt.errorContains))
+				}
+			} else {
+				Expect(err).To(BeNil(), "unexpected error: %v", err)
+				Expect(result).To(Equal(tt.expected))
+			}
+		})
+	}
+}
+
+func TestArgsToOrderBy_SecurityValidation(t *testing.T) {
+	t.Parallel()
+	RegisterTestingT(t)
+
+	// SQL injection attempts that should all fail
+	injectionAttempts := []struct {
+		name  string
+		input string
+	}{
+		{"union injection", "name UNION SELECT password FROM users"},
+		{"comment injection", "name--"},
+		{"semicolon terminator", "name; DROP TABLE resources;"},
+		{"quote escape", "name' OR '1'='1"},
+		{"parentheses", "name) OR (1=1"},
+		{"wildcard", "name*"},
+		{"backtick", "name`"},
+	}
+
+	for _, tt := range injectionAttempts {
+		t.Run(tt.name, func(t *testing.T) {
+			RegisterTestingT(t)
+
+			_, err := ArgsToOrderBy([]string{tt.input})
+			Expect(err).ToNot(BeNil(), "injection attempt '%s' should be rejected", tt.input)
+		})
+	}
+}
diff --git a/pkg/services/generic.go b/pkg/services/generic.go
@@ -142,11 +142,11 @@ func (s *sqlGenericService) buildPreload(listCtx *listContext, d *dao.GenericDao
 
 func (s *sqlGenericService) buildOrderBy(listCtx *listContext, d *dao.GenericDao) (bool, *errors.ServiceError) {
 	if len(listCtx.args.OrderBy) != 0 {
-		orderByArgs, serviceErr := db.ArgsToOrderBy(listCtx.args.OrderBy, *listCtx.disallowedFields)
+		cleanedOrderByList, serviceErr := db.ArgsToOrderBy(listCtx.args.OrderBy)
 		if serviceErr != nil {
 			return false, serviceErr
 		}
-		for _, orderByArg := range orderByArgs {
+		for _, orderByArg := range cleanedOrderByList {
 			(*d).OrderBy(orderByArg)
 		}
 	}
diff --git a/test/integration/order_field_mapping_test.go b/test/integration/order_field_mapping_test.go

Original file line number	Diff line number	Diff line change
`@@ -142,11 +142,11 @@ func (s sqlGenericService) buildPreload(listCtx listContext, d *dao.GenericDao`
`142`	`142`
`143`	`143`	`func (s sqlGenericService) buildOrderBy(listCtx listContext, d dao.GenericDao) (bool, errors.ServiceError) {`
`144`	`144`	`if len(listCtx.args.OrderBy) != 0 {`
`145`		`- orderByArgs, serviceErr := db.ArgsToOrderBy(listCtx.args.OrderBy, *listCtx.disallowedFields)`
	`145`	`+ cleanedOrderByList, serviceErr := db.ArgsToOrderBy(listCtx.args.OrderBy)`
`146`	`146`	`if serviceErr != nil {`
`147`	`147`	`return false, serviceErr`
`148`	`148`	`}`
`149`		`- for _, orderByArg := range orderByArgs {`
	`149`	`+ for _, orderByArg := range cleanedOrderByList {`
`150`	`150`	`(*d).OrderBy(orderByArg)`
`151`	`151`	`}`
`152`	`152`	`}`