check for nasty characters in sort columns

Changes

@@ -15,6 +15,7 @@ next:
             - add new endpoint /system/cmd/log
             - add more availability endpoint ex. /hostgroup/.../availability
             - add support for simple calculations in columns
+            - check for nasty characters in sort columns
             - fix unknown columns when using icinga2 without lmd
           - Business Process:
             - fix saving empty file in case of full filesystem

lib/Thruk/Controller/rest_v1.pm

@@ -1183,6 +1183,9 @@ sub _apply_sort {
 
         $key = $alias_columns->{$key} if defined $alias_columns->{$key};
 
+        # check for nasty chars
+        die("sort key contains invalid characters") if($key =~ m/[`\$\(>]/mx);
+
         # sort numeric
         if( defined $data->[0]->{$key} and Thruk::Backend::Manager::looks_like_number($data->[0]->{$key}) ) {
             if($order eq 'asc') {
@@ -1195,9 +1198,9 @@ sub _apply_sort {
         # sort alphanumeric
         else {
             if($order eq 'asc') {
-                push @compares, '$a->{"'.$key.'"} cmp $b->{"'.$key.'"}';
+                push @compares, '$a->{\''.$key.'\'} cmp $b->{\''.$key.'\'}';
             } else {
-                push @compares, '$b->{"'.$key.'"} cmp $a->{"'.$key.'"}';
+                push @compares, '$b->{\''.$key.'\'} cmp $a->{\''.$key.'\'}';
             }
         }
     }