[5.x] Harden OrderBys (#14421)

jasonvarga · web-flow · commit 5dda35eba414 · 2026-04-01T16:47:32.000-04:00
diff --git a/src/Fieldtypes/Entries.php b/src/Fieldtypes/Entries.php
@@ -19,6 +19,7 @@
 use Statamic\Facades\User;
 use Statamic\Http\Resources\CP\Entries\EntriesFieldtypeEntries;
 use Statamic\Http\Resources\CP\Entries\EntriesFieldtypeEntry as EntryResource;
+use Statamic\Query\OrderBy;
 use Statamic\Query\OrderedQueryBuilder;
 use Statamic\Query\Scopes\Filter;
 use Statamic\Query\Scopes\Filters\Concerns\QueriesFilters;
@@ -215,7 +216,7 @@ protected function getFirstCollectionFromRequest($request)
 
     public function getSortColumn($request)
     {
-        $column = $request->sort ?? 'title';
+        $column = OrderBy::column($request->sort, 'title');
 
         if (! $request->sort && ! $request->search && count($this->getConfiguredCollections()) < 2) {
             $column = $this->getFirstCollectionFromRequest($request)->sortField();
diff --git a/src/Fieldtypes/Relationship.php b/src/Fieldtypes/Relationship.php
@@ -8,6 +8,7 @@
 use Statamic\CP\Column;
 use Statamic\Facades\Scope;
 use Statamic\Fields\Fieldtype;
+use Statamic\Query\OrderBy;
 
 abstract class Relationship extends Fieldtype
 {
@@ -307,7 +308,7 @@ public function filterExcludedItems($items, $exclusions)
 
     public function getSortColumn($request)
     {
-        return $request->get('sort');
+        return OrderBy::column($request->get('sort'));
     }
 
     public function getSortDirection($request)
diff --git a/src/Fieldtypes/Terms.php b/src/Fieldtypes/Terms.php
@@ -21,6 +21,7 @@
 use Statamic\Facades\User;
 use Statamic\GraphQL\Types\TermInterface;
 use Statamic\Http\Resources\CP\Taxonomies\TermsFieldtypeTerms as TermsResource;
+use Statamic\Query\OrderBy;
 use Statamic\Query\OrderedQueryBuilder;
 use Statamic\Query\Scopes\Filter;
 use Statamic\Query\Scopes\Filters\Fields\Terms as TermsFilter;
@@ -311,7 +312,7 @@ protected function getFirstTaxonomyFromRequest($request)
 
     public function getSortColumn($request)
     {
-        $column = $request->get('sort');
+        $column = OrderBy::column($request->get('sort'));
 
         if (! $column && ! $request->search) {
             $column = 'title'; // todo: get from taxonomy or config
diff --git a/src/Http/Controllers/API/ApiController.php b/src/Http/Controllers/API/ApiController.php
@@ -8,6 +8,7 @@
 use Statamic\Facades\Scope;
 use Statamic\Facades\Site;
 use Statamic\Http\Controllers\Controller;
+use Statamic\Query\OrderBy;
 use Statamic\Support\Arr;
 use Statamic\Support\Str;
 use Statamic\Tags\Concerns\QueriesConditions;
@@ -259,7 +260,9 @@ protected function sort($query)
                     $order = 'desc';
                 }
 
-                $query->orderBy($sort, $order);
+                if ($sort = OrderBy::column($sort)) {
+                    $query->orderBy($sort, $order);
+                }
             });
 
         return $this;
diff --git a/src/Http/Controllers/CP/Collections/EntriesController.php b/src/Http/Controllers/CP/Collections/EntriesController.php
@@ -19,6 +19,7 @@
 use Statamic\Http\Requests\FilteredRequest;
 use Statamic\Http\Resources\CP\Entries\Entries;
 use Statamic\Http\Resources\CP\Entries\Entry as EntryResource;
+use Statamic\Query\OrderBy;
 use Statamic\Query\Scopes\Filters\Concerns\QueriesFilters;
 use Statamic\Support\Arr;
 use Statamic\Support\Str;
@@ -39,7 +40,7 @@ public function index(FilteredRequest $request, $collection)
             'blueprints' => $collection->entryBlueprints()->map->handle(),
         ]);
 
-        $sortField = request('sort');
+        $sortField = OrderBy::column(request('sort'));
         $sortDirection = request('order', 'asc');
 
         if (! $sortField && ! request('search')) {
diff --git a/src/Http/Controllers/CP/Forms/FormSubmissionsController.php b/src/Http/Controllers/CP/Forms/FormSubmissionsController.php
@@ -6,6 +6,7 @@
 use Statamic\Http\Controllers\CP\CpController;
 use Statamic\Http\Requests\FilteredRequest;
 use Statamic\Http\Resources\CP\Submissions\Submissions;
+use Statamic\Query\OrderBy;
 use Statamic\Query\Scopes\Filters\Concerns\QueriesFilters;
 
 class FormSubmissionsController extends CpController
@@ -26,7 +27,7 @@ public function index(FilteredRequest $request, $form)
             'form' => $form->handle(),
         ]);
 
-        $sortField = request('sort', 'date');
+        $sortField = OrderBy::column(request('sort'), 'date');
         $sortDirection = request('order', $sortField === 'date' ? 'desc' : 'asc');
 
         if ($sortField) {
diff --git a/src/Http/Controllers/CP/Taxonomies/TermsController.php b/src/Http/Controllers/CP/Taxonomies/TermsController.php
@@ -14,6 +14,7 @@
 use Statamic\Http\Requests\FilteredRequest;
 use Statamic\Http\Resources\CP\Taxonomies\Term as TermResource;
 use Statamic\Http\Resources\CP\Taxonomies\Terms;
+use Statamic\Query\OrderBy;
 use Statamic\Query\Scopes\Filters\Concerns\QueriesFilters;
 use Statamic\Rules\Slug;
 use Statamic\Rules\UniqueTermValue;
@@ -34,7 +35,7 @@ public function index(FilteredRequest $request, $taxonomy)
             'blueprints' => $taxonomy->termBlueprints()->map->handle(),
         ]);
 
-        $sortField = request('sort');
+        $sortField = OrderBy::column(request('sort'));
         $sortDirection = request('order', 'asc');
 
         if (! $sortField && ! request('search')) {
diff --git a/src/Http/Controllers/CP/Users/UsersController.php b/src/Http/Controllers/CP/Users/UsersController.php
@@ -16,6 +16,7 @@
 use Statamic\Http\Requests\FilteredRequest;
 use Statamic\Http\Resources\CP\Users\Users;
 use Statamic\Notifications\ActivateAccount;
+use Statamic\Query\OrderBy;
 use Statamic\Query\Scopes\Filters\Concerns\QueriesFilters;
 use Statamic\Rules\UniqueUserValue;
 use Statamic\Search\Result;
@@ -71,7 +72,7 @@ protected function json($request)
             'blueprints' => ['user'],
         ]);
 
-        $sortField = request('sort');
+        $sortField = OrderBy::column(request('sort'));
         $sortDirection = request('order', 'asc');
 
         if (! $sortField && ! request('search')) {
diff --git a/src/Query/OrderBy.php b/src/Query/OrderBy.php
@@ -22,6 +22,15 @@ public function __construct(string $sort, string $direction)
         $this->direction = $direction;
     }
 
+    public static function column(?string $value, ?string $default = null): ?string
+    {
+        if ($value && preg_match('/^[\w]+((\->|[.])[\w]+)*$/', $value)) {
+            return $value;
+        }
+
+        return $default;
+    }
+
     /**
      * Instantiate order by object.
      *
diff --git a/src/Tags/Concerns/QueriesOrderBys.php b/src/Tags/Concerns/QueriesOrderBys.php
@@ -32,7 +32,7 @@ protected function parseOrderBys()
 
         return collect(explode('|', $piped ?? ''))->filter()->map(function ($orderBy) {
             return OrderBy::parse($orderBy);
-        });
+        })->filter(fn ($orderBy) => OrderBy::column($orderBy->sort));
     }
 
     protected function preParsedOrderBys()
diff --git a/tests/Query/OrderByTest.php b/tests/Query/OrderByTest.php
@@ -5,10 +5,14 @@
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Query\OrderBy;
+use Statamic\Tags\Concerns\QueriesOrderBys;
 use Tests\TestCase;
 
 class OrderByTest extends TestCase
 {
+    protected $shouldFakeVersion = false;
+    protected $shouldPreventNavBeingBuilt = false;
+
     #[Test]
     #[DataProvider('parseProvider')]
     public function it_parses_string($string, $sort, $dir)
@@ -35,4 +39,52 @@ public static function parseProvider()
             ['foo:bar:baz:desc', 'foo->bar->baz', 'desc'],
         ];
     }
+
+    #[Test]
+    #[DataProvider('columnProvider')]
+    public function it_validates_columns($column, $expected)
+    {
+        $this->assertEquals($expected, OrderBy::column($column));
+        $this->assertEquals($expected ?? 'fallback', OrderBy::column($column, 'fallback'));
+    }
+
+    public static function columnProvider()
+    {
+        return [
+            'simple' => ['title', 'title'],
+            'with_underscores' => ['first_name', 'first_name'],
+            'with_numbers' => ['field1', 'field1'],
+            'json_arrow' => ['data->title', 'data->title'],
+            'nested_json_arrow' => ['data->nested->field', 'data->nested->field'],
+            'dotted' => ['table.column', 'table.column'],
+            'single_quote' => ["title'", null],
+            'double_quote' => ['title"', null],
+            'semicolon' => ['title;', null],
+            'space' => ['title foo', null],
+            'parentheses' => ['title()', null],
+            'sql_injection' => ["title'; DROP TABLE entries;--", null],
+            'backtick' => ['title`', null],
+            'comma' => ['title,foo', null],
+            'empty_string' => ['', null],
+            'null' => [null, null],
+        ];
+    }
+
+    #[Test]
+    public function it_filters_unsafe_columns_from_order_bys()
+    {
+        $tag = new class
+        {
+            use QueriesOrderBys;
+
+            public $params = [];
+        };
+
+        $tag->params = ['sort' => "title|foo'; DROP TABLE entries;--|date"];
+
+        $method = new \ReflectionMethod($tag, 'parseOrderBys');
+        $orderBys = $method->invoke($tag);
+
+        $this->assertEquals(['title', 'date'], $orderBys->map->sort->values()->all());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`use Statamic\CP\Column;`
`9`	`9`	`use Statamic\Facades\Scope;`
`10`	`10`	`use Statamic\Fields\Fieldtype;`
	`11`	`+use Statamic\Query\OrderBy;`
`11`	`12`
`12`	`13`	`abstract class Relationship extends Fieldtype`
`13`	`14`	`{`
`@@ -307,7 +308,7 @@ public function filterExcludedItems($items, $exclusions)`
`307`	`308`
`308`	`309`	`public function getSortColumn($request)`
`309`	`310`	`{`
`310`		`- return $request->get('sort');`
	`311`	`+ return OrderBy::column($request->get('sort'));`
`311`	`312`	`}`
`312`	`313`
`313`	`314`	`public function getSortDirection($request)`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ protected function parseOrderBys()`
`32`	`32`
`33`	`33`	`return collect(explode('\|', $piped ?? ''))->filter()->map(function ($orderBy) {`
`34`	`34`	`return OrderBy::parse($orderBy);`
`35`		`- });`
	`35`	`+ })->filter(fn ($orderBy) => OrderBy::column($orderBy->sort));`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`protected function preParsedOrderBys()`