From 0e70b926751810117743a6ee4fa88da9c3dec021 Mon Sep 17 00:00:00 2001
From: Sven Nierlein
Date: Thu, 7 Nov 2024 11:06:36 +0100
Subject: [PATCH] check for nasty characters in sort columns

---
 Changes                         | 1 +
 lib/Thruk/Controller/rest_v1.pm | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Changes b/Changes
index 85a93e7b2..65702e495 100644
--- a/Changes
+++ b/Changes
@@ -15,6 +15,7 @@ next:
      - add new endpoint /system/cmd/log
      - add more availability endpoint ex. /hostgroup/.../availability
      - add support for simple calculations in columns
+     - check for nasty characters in sort columns
      - fix unknown columns when using icinga2 without lmd
   - Business Process:
      - fix saving empty file in case of full filesystem
diff --git a/lib/Thruk/Controller/rest_v1.pm b/lib/Thruk/Controller/rest_v1.pm
index 73b6969da..fc47a2f24 100644
--- a/lib/Thruk/Controller/rest_v1.pm
+++ b/lib/Thruk/Controller/rest_v1.pm
@@ -1183,6 +1183,9 @@ sub _apply_sort {
 
         $key = $alias_columns->{$key} if defined $alias_columns->{$key};
 
+        # check for nasty chars
+        die("sort key contains invalid characters") if($key =~ m/[`\$\(>]/mx);
+
         # sort numeric
         if( defined $data->[0]->{$key} and Thruk::Backend::Manager::looks_like_number($data->[0]->{$key}) ) {
             if($order eq 'asc') {
@@ -1195,9 +1198,9 @@ sub _apply_sort {
         # sort alphanumeric
         else {
             if($order eq 'asc') {
-                push @compares, '$a->{"'.$key.'"} cmp $b->{"'.$key.'"}';
+                push @compares, '$a->{\''.$key.'\'} cmp $b->{\''.$key.'\'}';
             } else {
-                push @compares, '$b->{"'.$key.'"} cmp $a->{"'.$key.'"}';
+                push @compares, '$b->{\''.$key.'\'} cmp $a->{\''.$key.'\'}';
             }
         }
     }
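Review bot: The character class on the new `die` line in the first rest_v1.pm hunk is a denylist and leaves the quoting change in the second hunk incomplete: `$key` is still concatenated into Perl source text (`'$a->{\''.$key.'\'}'`, presumably handed to a string eval later in the function), and a key holding a single quote or a backslash still terminates the quoted hash key, while `{`, `}`, `;` and `@` are not rejected at all. A positive check against the column-name shape the API actually accepts is the robust form, e.g. `die("sort key contains invalid characters") unless $key =~ m/\A[\w.\-]+\z/mx;` with the class adjusted to the real column syntax; the minimal alternative is to escape the two characters a single-quoted literal cannot carry, `(my $quoted = $key) =~ s/([\\'])/\\$1/g;`, and build the `push @compares` strings from `$quoted`. A short comment on the check, `# key is spliced into generated sort code, so it must be restricted to plain column names`, would record why the validation exists. `_apply_sort` starts and ends outside both hunks, so the eval site and the numeric-branch `push` lines could not be confirmed here.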