Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

Commit 442eca2

Browse files
committed
fix(security): DSAR — escape LIKE wildcards in subject parameter
`matchEntities()` interpolated raw user-supplied `$subject` into the `%`-anchored ILIKE comparator. Bind-parameterised so no classic SQLi, but `%` and `_` inside `$subject` were not escaped — `subject=%@%` matched every email, `subject=_` matched every value. Combined with the downstream `eraseObjectsForSubject()` chain (admin-gated `vergetelheid`), this is a one-call wildcard PII erase well beyond legitimate DSAR semantics. The `mode === 'exact'` branch had the same bug. Pass `$subject` through `IDBConnection::escapeLikeParameter()` once before either branch builds its named parameter. Refs: #1419 review (blocker 5) — discussion_r3187494433
1 parent 45bbf86 commit 442eca2

1 file changed

Lines changed: 11 additions & 2 deletions

File tree

lib/Service/DsarService.php

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -473,15 +473,24 @@ private function matchEntities(string $subject, ?string $type, string $mode): ar
473473
$qb->expr()->isNotNull('r.object_id')
474474
);
475475

476+
// SECURITY: escape LIKE wildcards in user-supplied subject before
477+
// wrapping with `%`-anchors. Without this, an admin (the
478+
// `vergetelheid` endpoint is admin-gated) could pass
479+
// `subject=%@%` or `subject=_` to match every PII row in
480+
// `openregister_entities.value` — combined with the downstream
481+
// `eraseObjectsForSubject()` chain, that's a one-call wildcard
482+
// erase well beyond legitimate DSAR semantics.
483+
$escapedSubject = $this->db->escapeLikeParameter($subject);
484+
476485
if ($mode === 'ilike') {
477486
$qb->andWhere(
478-
$qb->expr()->iLike('e.value', $qb->createNamedParameter('%'.$subject.'%'))
487+
$qb->expr()->iLike('e.value', $qb->createNamedParameter('%'.$escapedSubject.'%'))
479488
);
480489
}
481490

482491
if ($mode !== 'ilike') {
483492
$qb->andWhere(
484-
$qb->expr()->iLike('e.value', $qb->createNamedParameter($subject))
493+
$qb->expr()->iLike('e.value', $qb->createNamedParameter($escapedSubject))
485494
);
486495
}
487496

0 commit comments

Comments
 (0)