
Doctrine injection

Signals & Triggers

On Doctrine query execution
If user input alters DQL query structure

Actions

  • Prevent ORM query execution
  • Block incoming HTTP request
  • Send a Slack notification
  • Send an email notification
  • POST to webhook
  • Log request stack trace

Details

Doctrine is the most popular PHP Object Relational Mapper (ORM). It comes with its own query language specification, called Doctrine Query Language (DQL).

In essence, DQL provides powerful querying capabilities over your object model. Imagine all your objects lying around in some storage (like an object database). When writing DQL queries, think about querying that storage to pick a certain subset of your objects.

At runtime, DQL is validated and converted to regular SQL. Injections can happen at the DQL level.

Let’s look at the following DQL query:

// Both values come straight from the request and are concatenated into the DQL text;
// the second predicate must be added with andWhere(), since a second where() would
// replace the username condition instead of combining with it
$query = $em->getRepository('AppBundle:User')->createQueryBuilder('p')
    ->where("p.username = '".$request->request->get('username')."'")
    ->andWhere("p.password = '".$request->request->get('password')."'")
    ->getQuery();

The values compared against p.username and p.password are sourced from user input. Because Sqreen inspects the DQL query at runtime, with the full context of the app, it can detect injection attempts in HTTP requests without false positives.
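The page's lookup written twice, as an added example (not code from the page or from Sqreen): the concatenated version beside one that uses Doctrine's bound parameters, so the query structure can no longer be altered by the input. The App\Entity\User entity, its field names and the Symfony Request are assumptions.

```php
<?php
// Added example, not code from the page or from Sqreen: the page's lookup written
// twice, once with string concatenation and once with bound parameters.
// Assumptions: an App\Entity\User entity with 'username' and 'password' fields,
// and a Symfony HttpFoundation Request carrying the POSTed form values.
use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\Request;

// VULNERABLE: the request values are spliced into the DQL text, so any operator
// they contain (OR, AND, UNION, ...) is parsed as part of the query structure.
function findUserUnsafe(EntityManagerInterface $em, Request $request): array
{
    return $em->getRepository(User::class)->createQueryBuilder('p')
        ->where("p.username = '" . $request->request->get('username') . "'")
        ->andWhere("p.password = '" . $request->request->get('password') . "'")
        ->getQuery()
        ->getResult();
}

// HARDENED: the DQL structure is fixed in the source; the values travel as named
// parameters, which Doctrine never parses as DQL, so an OR inside the input is
// compared as a literal string instead of becoming a new predicate.
function findUserSafe(EntityManagerInterface $em, Request $request): array
{
    return $em->getRepository(User::class)->createQueryBuilder('p')
        ->where('p.username = :username')
        ->andWhere('p.password = :password')
        ->setParameter('username', (string) $request->request->get('username'))
        ->setParameter('password', (string) $request->request->get('password'))
        ->getQuery()
        ->getResult();
}

// To see the difference during code review, dump the DQL each builder produces
// with $qb->getQuery()->getDQL(): the hardened version yields the same DQL for
// every input, while the unsafe version changes shape as soon as the input
// contains a quote or an operator. In production, look the user up by username
// only and check the password with password_verify() against a stored hash
// rather than matching the password inside the query.
```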

Advanced details

When the application starts, the Sqreen PHP library hooks the main Doctrine query builder methods. It catches queries just about to be executed.

Next, on every database request, Sqreen parses the DQL query just before it is executed. It checks for unsanitized operators (OR, AND, UNION, …) that come from user input and alter the original query structure, letting an attacker divert the query from its original purpose.

No traffic redirection is performed: the query is analysed locally, inside your application, relying on Sqreen’s dynamic instrumentation of Doctrine.

Because the check runs in-app, just before the query is converted to SQL, we can guarantee 100% false-positive-free detection and protection for Doctrine injections.

Language support

  • PHP

Data collected by Sqreen

Signals

No sensitive data collected


On attack
  • DQL query
  • Request payload
  • Attacker IP
  • Attacker account (Sqreen SDK)
  • Stack trace

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Node.js
  • Ruby
  • PHP
  • Python
  • Java

Node.js

$ npm install --save sqreen
$ echo '{ "token": "your token" }' > sqreen.json

// This should be the first line of your app
require('sqreen');

Ruby

$ echo "gem 'sqreen'" >> Gemfile
$ bundle install
$ echo "token: your token" >> config/sqreen.yml

PHP

$ curl -s https://8dc0b36f0ea6f2f21b721765e10a7e02768cd1825b4551f4:@packagecloud.io/install/repositories/sqreen/sqreen/script.deb.sh | bash
$ apt-get install --no-install-recommends sqreen-agent sqreen-php-extension
$ /usr/lib/sqreen/sqreen-installer config {your token}

Python

$ pip install sqreen
$ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini

# Insert at the top of your app file (typically wsgi.py or app.py)
import sqreen
sqreen.start()

Java

$ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen-latest-all.jar

// Next, edit the JVM startup file:
-javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 7 days · No credit card required