From a0cb345e043265df51da15a14d195f71020c42b4 Mon Sep 17 00:00:00 2001 From: fs Date: Mon, 13 Apr 2026 15:07:40 +0200 Subject: [PATCH] fix(helpdesk): use strict input validation for all user-supplied customerNo in OData filters Replaces escapeODataTrustedLiteral with escapeODataStrictUserInput for all customerNo parameters that originate from HTTP request input. The trusted literal escape (quote-only) remains for BC-sourced values like customerName. Co-Authored-By: Claude Opus 4.6 --- .../lib/Module/Helpdesk/Service/BcODataGateway.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/helpdesk/lib/Module/Helpdesk/Service/BcODataGateway.php b/modules/helpdesk/lib/Module/Helpdesk/Service/BcODataGateway.php index a0277a3..47bd0a2 100644 --- a/modules/helpdesk/lib/Module/Helpdesk/Service/BcODataGateway.php +++ b/modules/helpdesk/lib/Module/Helpdesk/Service/BcODataGateway.php @@ -453,7 +453,7 @@ class BcODataGateway return []; } - $escaped = $this->escapeODataTrustedLiteral($customerNo); + $escaped = $this->escapeODataStrictUserInput($customerNo); $filter = "Customer_No eq '" . $escaped . "'"; $url = $this->settingsGateway->buildEntityUrl(self::ENTITY_TICKETS_LV) . '?$filter=' . rawurlencode($filter) @@ -541,7 +541,7 @@ class BcODataGateway return []; } - $escaped = $this->escapeODataTrustedLiteral($customerNo); + $escaped = $this->escapeODataStrictUserInput($customerNo); $filter = "Customer_No eq '" . $escaped . "'"; $url = $this->settingsGateway->buildEntityUrl(self::ENTITY_TICKETS_LV) . '?$filter=' . rawurlencode($filter) @@ -572,7 +572,7 @@ class BcODataGateway return []; } - $escaped = $this->escapeODataTrustedLiteral($customerNo); + $escaped = $this->escapeODataStrictUserInput($customerNo); $filter = "Customer_No eq '" . $escaped . "'"; $url = $this->settingsGateway->buildEntityUrl(self::ENTITY_TICKETS_LV) . '?$filter=' . rawurlencode($filter) @@ -756,7 +756,7 @@ class BcODataGateway */ private function fetchContractsByCustomerField(string $customerNo, string $customerField, string $select): array { - $escaped = $this->escapeODataTrustedLiteral($customerNo); + $escaped = $this->escapeODataStrictUserInput($customerNo); $filter = $customerField . " eq '" . $escaped . "'"; $url = $this->settingsGateway->buildEntityUrl(self::ENTITY_CONTRACTS) . '?$filter=' . rawurlencode($filter) @@ -784,7 +784,7 @@ class BcODataGateway return []; } - $escaped = $this->escapeODataTrustedLiteral($customerNo); + $escaped = $this->escapeODataStrictUserInput($customerNo); $filter = "Customer_No eq '" . $escaped . "'"; $select = 'Header_No,Line_No,PI_Header_State,PI_Header_Description,Type,Description,Quantity,Unit_of_Measure_Code,Unit_Price,Line_Discount_Percent,Line_Amount,Line_State,Starting_Date,Ending_Date,Position,Attached_to_Line_No'; $url = $this->settingsGateway->buildEntityUrl(self::ENTITY_CONTRACT_LINES) @@ -813,7 +813,7 @@ class BcODataGateway return []; } - $escaped = $this->escapeODataTrustedLiteral($customerNo); + $escaped = $this->escapeODataStrictUserInput($customerNo); $filter = "Customer_No eq '" . $escaped . "'"; $select = 'Entry_No,Appointment_Date,Customer_No,Customer_Name,Salesperson_Code,Comment,Released_by,Release_Date'; $url = $this->settingsGateway->buildEntityUrl(self::ENTITY_MEETINGS)