PMCORE-1225 The sentences DESCRIBE, EXPLAIN, SHOW, and BEGIN, now are supported. The EXEC and EXECUTE cannot be used within the black list and are removed from the documentation.

2021-05-07 13:17:28 -04:00
parent f651b949ea
commit 41230e7d54
1 changed files with 7 additions and 0 deletions
--- a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
+++ b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
@@ -100,6 +100,10 @@ class SqlBlacklist extends Parser
            $signed = get_class($statement);
            foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
                if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
+                    //SHOW statement is a special case, it does not require a table name
+                    if (strtoupper($key) === 'SHOW') {
+                        throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
+                    }
                    $notExecuteQuery = true;
                    break;
                }
@@ -116,6 +120,9 @@ class SqlBlacklist extends Parser
                if ($key === 'table' && is_string($value)) {
                    $callback($value);
                }
+                if ($key === 'token' && is_string($value)) {
+                    $callback($value);
+                }
            }
        };