CVE-2020-15143

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

### Impact Request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. The vulnerable versions include: `<=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3`. ### Example ```yaml foo: path: /foo/{id} defaults: _sylius: repository: method: findSome arguments: entity: "expr:service('repository').find($id)" ``` In this case, `$id` can be prepared in a way that calls other services. If you visit `/foo/"~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"`, it will result in a following expression `expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"")`, which will execute a query on the currently connected database. To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language. ### Patches This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched. ### Workarounds The fix requires adding `addslashes` in `ParametersParser::parseRequestValueExpression` to sanitize user input before evaluating it using the expression language. ```php - return is_string($variable) ? sprintf('"%s"', $variable) : $variable; + return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable; ``` ### Acknowledgements This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot! ### For more information If you have any questions or comments about this advisory: * Email us at [security@sylius.com](mailto:security@sylius.com)

### Impact Request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. The vulnerable versions include: `<=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3`. ### Example ```yaml foo: path: /foo/{id} defaults: _sylius: repository: method: findSome arguments: entity: "expr:service('repository').find($id)" ``` In this case, `$id` can be prepared in a way that calls other services. If you visit `/foo/"~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"`, it will result in a following expression `expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"")`, which will execute a query on the currently connected database. To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language. ### Patches This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched. ### Workarounds The fix requires adding `addslashes` in `ParametersParser::parseRequestValueExpression` to sanitize user input before evaluating it using the expression language. ```php - return is_string($variable) ? sprintf('"%s"', $variable) : $variable; + return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable; ``` ### Acknowledgements This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot! ### For more information If you have any questions or comments about this advisory: * Email us at [security@sylius.com](mailto:security@sylius.com)

En SyliusResourceBundle anterior a las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4, los parámetros de petición inyectados dentro de una expresión evaluada por el paquete "symfony/expression-language" no se han saneado correctamente. Esto permite al atacante acceder a cualquier servicio público manipulando ese parámetro de petición, lo que permite una ejecución de código remota. Este problema se ha corregido para las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4. Las versiones anteriores a la 1.3 no fueron parcheadas.