This repository was archived by the owner on May 29, 2026. It is now read-only.
Commit 442eca2
committed
fix(security): DSAR — escape LIKE wildcards in subject parameter
`matchEntities()` interpolated raw user-supplied `$subject` into the
`%`-anchored ILIKE comparator. Bind-parameterised so no classic SQLi,
but `%` and `_` inside `$subject` were not escaped — `subject=%@%`
matched every email, `subject=_` matched every value. Combined with
the downstream `eraseObjectsForSubject()` chain (admin-gated
`vergetelheid`), this is a one-call wildcard PII erase well beyond
legitimate DSAR semantics. The `mode === 'exact'` branch had the same
bug.
Pass `$subject` through `IDBConnection::escapeLikeParameter()` once
before either branch builds its named parameter.
Refs: #1419 review (blocker 5) — discussion_r31874944331 parent 45bbf86 commit 442eca2
1 file changed
Lines changed: 11 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
473 | 473 | | |
474 | 474 | | |
475 | 475 | | |
| 476 | + | |
| 477 | + | |
| 478 | + | |
| 479 | + | |
| 480 | + | |
| 481 | + | |
| 482 | + | |
| 483 | + | |
| 484 | + | |
476 | 485 | | |
477 | 486 | | |
478 | | - | |
| 487 | + | |
479 | 488 | | |
480 | 489 | | |
481 | 490 | | |
482 | 491 | | |
483 | 492 | | |
484 | | - | |
| 493 | + | |
485 | 494 | | |
486 | 495 | | |
487 | 496 | | |
| |||
0 commit comments