Today we are releasing updates for several recent Yii 2.0.x versions and for the official extensions for non-relational databases, to fix the vulnerabilities that were found. The patches fix a problem in the ActiveRecord layer methods findOne() and findAll(), which allow SQL injection if the incoming data is not properly prepared.
We view this as a vulnerability in Yii because the documentation for these methods did not explicitly warn that, in some cases, passing unfiltered user data to them can be dangerous. We thank Analitic1983 (Habr, GitHub) for discovering this vulnerability.
The problem relates less to the framework itself than to the documentation on how these methods should be used in an application. We have updated the documentation and added examples of code that can be dangerous. However, updating the documentation does not fix applications in which developers already use findOne() and findAll() unsafely. To avoid the worst-case scenario, SQL injection, we have also changed the behaviour of these methods and added forced filtering of the incoming data, which restricts the allowed column names to the list of the ActiveRecord model's properties.
The fix removes the overwhelming majority of the problems, but not all of them, so later in the article we take a closer look at which code is vulnerable and what needs to be done to protect it.
The following vulnerabilities are covered by this update:

- yii\db\ActiveRecord::findOne() and yii\db\ActiveRecord::findAll() in yiisoft/yii2, assigned the vulnerability number CVE-2018-7269. The methods allow SQL injection if the input data is not sufficiently filtered. An attacker can execute an arbitrary SQL query or bypass filtering conditions set at the level of the query being executed.
- yii\redis\ActiveRecord::findOne() and yii\redis\ActiveRecord::findAll() in yiisoft/yii2-redis, which will be assigned the vulnerability number CVE-2018-8073. The methods allow remote code execution on the Redis server in the form of Lua scripts: an attacker can execute arbitrary Lua code and change the data on the server side.
- yii\elasticsearch\ActiveRecord::findOne() and yii\elasticsearch\ActiveRecord::findAll() in yiisoft/yii2-elasticsearch, which will be assigned the vulnerability number CVE-2018-8074. The methods allow the injection of search conditions that the developer did not intend.

The vulnerability applies to all releases of Yii2 and is fixed in version 2.0.15. For versions prior to 2.0.15 we will release two patch updates, 2.0.13.2 and 2.0.12.1, which apply the fix to 2.0.13.1 and 2.0.12 respectively. Users of version 2.0.14 can upgrade to version 2.0.15, as there are no other changes in that release.
The findOne() and findAll() methods take one argument, which can be a scalar or an array. If the code that calls the method guarantees that the passed value is a scalar, or that the structure of the passed array cannot be changed from outside, your application is NOT vulnerable. The following code samples are NOT affected by this vulnerability. The examples show findOne(), but they apply equally to findAll().
```php
// Action parameters of a yii\web\Controller are always scalar, so $id cannot be an array
public function actionView($id)
{
    $model = Post::findOne($id);
    // ...
}

// Casting to (int) or (string) also guarantees a scalar value (the cast can equally be done in the controller)
$model = Post::findOne((int) Yii::$app->request->get('id'));

// Explicitly naming the column is also safe: the column name is fixed, only the value comes from the user
$model = Post::findOne(['id' => Yii::$app->request->get('id')]);
```
However, the following code is VULNERABLE: an attacker can craft a request that searches by an arbitrary column, or even performs SQL injection:

```php
$model = Post::findOne(Yii::$app->request->get('id'));
```

This update removes the possibility of SQL injection, but an attacker can still search by columns other than the primary key, which may violate the application's business logic.
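The vulnerable and hardened patterns above, as an added example that is not part of the original advisory or of Yii itself. It needs no Yii installation: parse_str() reproduces what Yii::$app->request->get('id') would return for a given query string, and conditionFromArgument() is an assumed, simplified model of how a scalar versus an array argument is turned into a search condition, as the advisory describes it, not Yii's own code. The helper names, the query strings and the column names are constructed for the example; PHP 8 is assumed for the `mixed` type.

```php
<?php
// Added example (not from the Yii advisory): why Post::findOne(Yii::$app->request->get('id'))
// is dangerous, and a hardened replacement. Runs stand-alone with PHP 8, no Yii needed.
declare(strict_types=1);

/**
 * What Yii::$app->request->get($name) hands back for a raw query string:
 * PHP parses bracket syntax such as id[status]=draft into a nested array,
 * so a parameter the developer expects to be scalar may arrive as an array.
 */
function requestParamFromQueryString(string $queryString, string $name): mixed
{
    parse_str($queryString, $params);
    return $params[$name] ?? null;
}

/**
 * Assumed, simplified model of how findOne()/findAll() interpret their argument
 * (per the advisory): a scalar is matched against the primary key, an array is
 * taken as a column => value hash, i.e. the caller of the request decides which
 * columns are searched. This is illustrative, not Yii's implementation.
 */
function conditionFromArgument(mixed $arg, string $primaryKey = 'id'): array
{
    return is_array($arg) ? $arg : [$primaryKey => $arg];
}

/**
 * Hardened replacement for passing the raw request value through: accept only a
 * scalar positive integer and reject arrays and anything non-numeric. It throws
 * so that the controller can map the failure to a 400/404 response.
 */
function strictId(mixed $raw): int
{
    if (is_array($raw)) {
        throw new InvalidArgumentException('id must be a scalar, array given');
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Constructed inputs: a normal request and a hostile one that smuggles an array.
$benignQuery  = 'id=42';
$hostileQuery = 'id[status]=draft&id[author_id]=7';

$rawBenign  = requestParamFromQueryString($benignQuery, 'id');   // scalar string
$rawHostile = requestParamFromQueryString($hostileQuery, 'id');  // nested array chosen by the attacker

// Vulnerable pattern: the raw request value decides which columns are searched.
echo "vulnerable, benign request:\n";
print_r(conditionFromArgument($rawBenign));
echo "vulnerable, hostile request (attacker-chosen columns):\n";
print_r(conditionFromArgument($rawHostile));

// Hardened pattern: validate first, so the condition is always on the primary key.
echo "hardened, benign request:\n";
print_r(conditionFromArgument(strictId($rawBenign)));
echo "hardened, hostile request:\n";
try {
    print_r(conditionFromArgument(strictId($rawHostile)));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a real controller the hardened call is simply Post::findOne(strictId(Yii::$app->request->get('id'))), or the equivalent (int) cast the advisory shows; the point of the example is that the array-versus-scalar decision must be made before the value reaches findOne(), not inside it.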
We are releasing a security update for the three latest releases of Yii2: 2.0.14, 2.0.13 and 2.0.12. If you are using an older version of the framework, you need to upgrade Yii to at least the nearest version in which the problem is fixed.
If you are using Yii 2.0.14:
composer require "yiisoft/yii2":"~2.0.15.0"
If you are using Yii 2.0.13:
composer require "yiisoft/yii2":"~2.0.13.2"
If you are using Yii 2.0.12:
composer require "yiisoft/yii2":"~2.0.12.1"
If you are using the yii2-redis extension:
composer require "yiisoft/yii2-redis":"~2.0.8"
If you are using the yii2-elasticsearch extension:
composer require "yiisoft/yii2-elasticsearch":"~2.0.5"
In addition to updating Yii, we also recommend reviewing the code in your application that uses findOne() and findAll() to search by an arbitrary column. We also remind you that the where() and filterWhere() methods never escape column names, so if you need to use a value obtained from the user as a column name, make sure you do it safely.
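One safe way to let a user choose a column for where()/filterWhere(), as an added example that is not part of the advisory or of Yii: the requested name is reduced to a whitelist of known columns before it is used, and anything else is rejected rather than passed through. The column list, the helper names and the sample requests are constructed for the example; in a Yii application the list would come from the model, for instance Post::getTableSchema()->getColumnNames(), which is shown only in a comment and is not executed here.

```php
<?php
// Added example (not from the Yii advisory): where()/filterWhere() never escape column
// names, so a user-chosen column must be whitelisted before it reaches the query.
declare(strict_types=1);

/**
 * Map a user-supplied column name onto the list of columns the application allows
 * filtering on. Returns the canonical name, or null if it is not allowed.
 * Exact, case-sensitive comparison only: no trimming, no normalisation, so a
 * value such as "title) OR (1=1" or "id; DROP TABLE posts" can never pass.
 */
function whitelistColumn(string $requested, array $allowedColumns): ?string
{
    return in_array($requested, $allowedColumns, true) ? $requested : null;
}

/**
 * Build the hash condition that would be handed to Query::where().
 * Throws when the column is not whitelisted instead of silently searching an
 * unintended column (the business-logic bypass the advisory warns about).
 * Only the column name needs the whitelist; the value is bound as a query
 * parameter by the query builder and does not need escaping here.
 */
function buildFilterCondition(string $column, string $value, array $allowedColumns): array
{
    $safeColumn = whitelistColumn($column, $allowedColumns);
    if ($safeColumn === null) {
        throw new InvalidArgumentException("filtering by '{$column}' is not allowed");
    }
    return [$safeColumn => $value];
}

// Constructed column list. In Yii this would be e.g. Post::getTableSchema()->getColumnNames(),
// or a deliberately narrower list if not every column should be filterable.
$filterableColumns = ['id', 'title', 'status', 'author_id'];

// Constructed requests: a legitimate filter, an injection attempt in the column
// name, and a column that exists in many schemas but must not be searchable.
$requests = [
    ['status', 'published'],
    ['title) OR (1=1', 'x'],
    ['password_hash', 'x'],
];

foreach ($requests as [$column, $value]) {
    try {
        // In Yii: Post::find()->where(buildFilterCondition($column, $value, $filterableColumns))->all();
        print_r(buildFilterCondition($column, $value, $filterableColumns));
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Keeping the whitelist narrower than the full table schema is usually the right call: the schema tells you which names are valid SQL columns, not which ones a user is supposed to be able to query.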
UPD: the update broke ActiveRecord::refresh() (github), so additional patches have been released: 2.0.15.1, 2.0.13.3 and 2.0.12.2.
Source: https://habr.com/ru/post/351652/