From cedc6c4230e7b2e6ebafa4858cf58609a333c7f1 Mon Sep 17 00:00:00 2001 From: Harald Eilertsen Date: Sun, 4 Jan 2026 14:55:03 +0100 Subject: [PATCH] Escape args in xchan_fetch --- include/xchan.php | 2 +- tests/unit/includes/XchanTest.php | 34 +++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 tests/unit/includes/XchanTest.php diff --git a/include/xchan.php b/include/xchan.php index f2fe92f20..d0c4a049d 100644 --- a/include/xchan.php +++ b/include/xchan.php @@ -166,7 +166,7 @@ function xchan_fetch($arr) { if(! $key) return false; - $r = q("select * from xchan where $key = '$v' limit 1"); + $r = q("select * from xchan where $key = '%s' limit 1", dbesc($v)); if(! $r) return false; diff --git a/tests/unit/includes/XchanTest.php b/tests/unit/includes/XchanTest.php new file mode 100644 index 000000000..2d7261c5b --- /dev/null +++ b/tests/unit/includes/XchanTest.php @@ -0,0 +1,34 @@ + + * + * SPDX-License-Identifier: MIT + */ + +namespace Zotlabs\Tests\Unit; + +use Zotlabs\Lib\Libzot; + +class XChanTest extends UnitTestCase { + + public function testXChanFetchShouldRejectInvalidArgs(): void { + $addr = 'example'; + $guid = Libzot::new_uid($addr); + $hash = Libzot::make_xchan_hash($guid, 'dummy-public-key'); + + xchan_store_lowlevel([ + 'xchan_hash' => $hash, + 'xchan_guid' => $guid, + 'xchan_addr' => $addr, + ]); + + // Trivial SQL Injection + $this->assertFalse(xchan_fetch(['hash' => "{$hash}' or 1=1; -- "])); + $this->assertFalse(xchan_fetch(['guid' => "{$guid}' or 1=1; -- "])); + $this->assertFalse(xchan_fetch(['address' => "{$addr}' or 1=1; -- "])); + + // Not a valid key + $this->assertFalse(xchan_fetch(['wrongkey' => $hash])); + } +}
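Review bot: `$key` is still interpolated unescaped into the column position of the new `q()` call; that is only safe if the mapping above the hunk (implied by the `if(! $key) return false;` guard) yields fixed column names and never passes a caller-supplied string through. Since that invariant is the whole reason the statement is no longer injectable, I would pin it on the query line with `// $key is a fixed column name chosen by the mapping above; only $v is caller data and must go through dbesc().` so a later edit to the mapping does not quietly reintroduce the hole. `dbesc()` is escape-based rather than a bound parameter, so it remains correct only while the quoting and charset assumptions it makes match the server; if `q()` supports real parameter binding that would be preferable, but I cannot tell from this hunk. xchan_fetch's body starts and ends outside the hunk.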
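Review bot: Every assertion in testXChanFetchShouldRejectInvalidArgs is `assertFalse`, so an xchan_fetch that unconditionally returns false (or one whose escaping mangles every value) passes this test; there is no positive control proving the stored row is still reachable after the change. I would add, before the injection payloads, `$this->assertNotFalse(xchan_fetch(['hash' => $hash]));`, `$this->assertNotFalse(xchan_fetch(['guid' => $guid]));` and `$this->assertNotFalse(xchan_fetch(['address' => $addr]));` so the test distinguishes "escaped correctly" from "broken". The `' or 1=1; -- ` payloads also rely on no other row carrying that literal value, which holds here only because the fixture is the single stored xchan; a one-line comment stating that assumption would help. The first lines of the new file (the PHP open tag and copyright line, roughly four of the 34 added lines) appear to be missing from this rendering, so I cannot check the file header.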