Merged in cmdeguzman/cdgz-processmaker/HOR-280 (pull request #3788)

HOR-280

workflow/engine/methods/cases/proxyProcessList.php

@@ -44,6 +44,37 @@ try {
     if (isset( $start )) {
         $Criteria->setOffset( $start );
     }
+    
+
+    // The $sort field is arbitrary
+    // This can result in ORDER BY 
+    // SQL injection 
+    
+    // This ensures that ORDER BY will ONLY 
+    // use a known good sort field.
+    // There is a matching list on the javascript side at
+    // workflow/engine/templates/processes/main.js
+
+    $allowedSortField = array( 
+        "PRO_TITLE",
+        "PROJECT_TYPE",
+        "PRO_CATEGORY_LABEL",
+        "PRO_STATUS_LABEL",
+        "PRO_CREATE_USER_LABEL",
+        "PRO_CREATE_DATE",
+        "CASES_COUNT_TO_DO",
+        "CASES_COUNT_DRAFT",
+        "CASES_COUNT_COMPLETED",
+        "CASES_COUNT_CANCELLED",
+        "CASES_COUNT",
+        "PRO_DEBUG_LABEL",
+        "PRO_TYPE_PROCESS",
+        "PRO_UPDATE_DATE",
+    );
+    
+    if(!in_array($sort, $allowedSortField)) { 
+        $sort = '';
+    }
 
     if ($sort != '') {
         if ($dir == 'DESC') {

workflow/engine/templates/processes/main.js

@@ -280,6 +280,15 @@ Ext.onReady(function(){
       },
       columns: [
         expander,
+        
+        // There is a list of allowed columns to sort: 
+        // workflow/engine/methods/cases/proxyProcessList.php
+        // This is to prevent ORDER BY injection attacks
+
+        // It is identical to this list.
+        // If you need to add a new column that is sortable, please
+        // make sure it is added there or sorting will not work.
+
         {id:'PRO_UID', dataIndex: 'PRO_UID', hidden:true, hideable:false},
         {header: "", dataIndex: 'PRO_STATUS', width: 50, hidden:true, hideable:false},
         {header: _('ID_PRO_DESCRIPTION'), dataIndex: 'PRO_DESCRIPTION',hidden:true, hideable:false},