refs #40947, add sort support for rest API

NETivism · Sep 6, 2024 · 1322202 · 1322202
1 parent 3681126
commit 1322202
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/CRM/Utils/REST.php b/CRM/Utils/REST.php
@@ -116,7 +116,7 @@ public function authenticate($name, $pass) {
   }
 
   // Generates values needed for error messages
-  function error($message = 'Unknown Error') {
+  public static function error($message = 'Unknown Error') {
 
     $values = array(
       'error_message' => $message,
@@ -369,7 +369,11 @@ static function process(&$args, $params = array()) {
     if (isset($params['options'])) {
       $options =& $params['options'];
       // don't allow sort for query security concern
-      if (isset($options['sort'])) unset($options['sort']);
+      if (isset($options['sort'])) {
+        if (!self::validateSortParameter($options['sort'])) {
+          return self::error("sort in options is invalid. format: field_name DESC|ASC");
+        }
+      }
 
       if (isset($options['limit']) && !CRM_Utils_Rule::integer($options['limit'])) {
         return self::error('limit in options should be integer.');
@@ -626,5 +630,38 @@ static function ajax() {
 
     CRM_Utils_System::civiExit();
   }
+
+  /**
+   * validate sort parameter
+   *
+   * @param  $sort
+   * @return void
+   */
+  public static function validateSortParameter($sort) {
+    if (empty($sort) || !is_string($sort)) {
+      return FALSE;
+    }
+    $sort = trim($sort);
+    $sortFields = explode(',', $sort);
+
+    foreach ($sortFields as $field) {
+      $field = trim($field);
+
+      if (preg_match('/^(.*?)\s+(ASC|DESC)$/i', $field, $matches)) {
+        $fieldName = trim($matches[1]);
+      }
+      else {
+        $fieldName = $field;
+      }
+      if (!preg_match('/^[0-9A-Za-z_.]+$/', $fieldName)) {
+        return FALSE;
+      }
+      if ($fieldName === '') {
+        return FALSE;
+      }
+    }
+
+    return TRUE;
+  }
 }
 
diff --git a/packages/IDS/Monitor.php b/packages/IDS/Monitor.php
@@ -444,7 +444,7 @@ private function jsonDecodeValues($key, $value)
      */
     private function jsonConcatContents($value, $key)
     {
-        if (json_decode($value)) {
+        if (is_string($value) && json_decode($value)) {
             $this->jsonDecodeValues($key, $value);
         }
         elseif (is_string($key) && is_string($value)) {